California’s Proposition 24, also known as the California Privacy Rights Act (“CPRA”), appears likely to pass and be implemented, with 56% of voters supporting the measure and close to 75% of all ballots counted as of Wednesday morning. CPRA strengthens California’s existing data privacy regime by restricting how businesses sell or share consumer personal information. CPRA will also limit how websites track consumer data; the law will become enforceable in 2023. Before the law becomes operative, California regulators are expected to provide more details about how it will be enforced; however, if history is a guide, those details are subject to change as the landscape evolves. So, the question for many businesses is: what do we do now?
How Does CPRA Change Things?
While it may seem that CPRA makes only slight modifications to the state’s existing California Consumer Privacy Act (“CCPA”), a number of its provisions make CPRA look more like the General Data Protection Regulation (“GDPR”), Europe’s more stringent data privacy law. First, CPRA creates the California Privacy Protection Agency (“CPPA”), which will become the regulator charged with implementing and enforcing both the CCPA and CPRA. Second, CPRA expands the definition of personal information to include a new category of sensitive personal information and adds several new rights for consumers:
- to restrict the use of sensitive personal information;
- to correct inaccurate personal information;
- to prevent businesses from storing data longer than necessary;
- to limit businesses from collecting more data than necessary;
- to know what personal information is sold or shared and to whom, and to opt out of that sale or sharing of personal information.
CPRA also expands the non-discrimination provision to prohibit retaliation against an employee, applicant for employment, or independent contractor for exercising their privacy rights.
Note the “or share” language in CPRA. CCPA only regulated “selling”, a broad and vaguely defined term; CPRA adds a separate definition of “sharing” (disclosure for cross-context behavioral advertising, whether or not money changes hands), so many more businesses are likely to be found to be “sharing” data even if they are not “selling” it.
Because CPRA creates a new data protection agency with regulatory authority to enforce both CCPA and CPRA, it is likely that California will administer the laws more stringently, and businesses found to be in noncompliance will face significant financial penalties.
Additionally, even if your business has already achieved compliance with GDPR, CCPA or other laws, there are new CPRA-related matters of which businesses should be aware:
- the CPRA creates a Chief Auditor within the CPPA, who will have the authority to audit businesses’ data practices;
- the CPRA also requires businesses whose processing of personal information presents significant risk to consumers’ privacy or security to perform regular cybersecurity audits and to submit regular risk assessments to the CPPA;
- the CPRA adds provisions regarding profiling and automated decision making;
- the CPRA adds restrictions on transfer of personal information;
- the CPRA requires businesses that sell or share personal information to provide notice to consumers and a separate link to the “Do Not Sell or Share My Personal Information” webpage and a separate link to the “Limit the Use of My Sensitive Personal Information” webpage or a single link to both choices;
- the CPRA triples the fines set forth in CCPA for collecting and selling children’s private information and requires opt-in consent to sell personal information of consumers under the age of 16;
- the CPRA expands the consumer’s private right of action to cover a breach of a consumer’s email address in combination with a password or security question and answer that would permit access to the account.
The CPRA also changes the definition of “business” to define more clearly the annual period used to determine gross revenues. A business must comply with CPRA if, “as of January 1 of the calendar year,” it
1) had annual gross revenues in excess of $25 million “in the preceding calendar year,” or
2) alone or in combination annually buys, sells, or shares the personal information of 100,000 or more consumers or households, or
3) derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.
The private right of action, which allows consumers to sue noncompliant companies under CCPA, is broadened under CPRA. Additionally, CCPA’s 30-day cure period after notice of an alleged violation is eliminated for regulatory enforcement, and administrative fines for violating CPRA increase to not more than $2,500 for each violation, or $7,500 for each intentional violation or each violation involving the personal information of consumers that the business has actual knowledge are under 16 years of age.
What Should I Do Now?
CPRA will not be enforced until 2023, so at the moment the law does not change current obligations; note, however, that it applies to personal information collected on or after January 1, 2022, so data collected before enforcement begins will already fall within its reach. Companies should therefore put the law on their radar now; for some this will be yet another data privacy law to which they are subject, and for others this will be the first time data privacy affects their business. In either case, implementing appropriate compliance protocols generally takes longer than anticipated, and as other US states adopt or consider their own privacy laws, designing a flexible approach to data privacy will be of paramount concern.
How Can Clym Help?
Clym provides a cost-effective, scalable and flexible platform to comply with GDPR, CCPA and other laws as they come online (including CPRA). Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.