Want to share this?

Blog Summary [4-minute read]

  • 5 substantial provisions from CPRA
  • Influence on other states
  • 6 ways for organizations to prepare

As with surfing, fashion, music, and food fads, trends in privacy law often spring up in California. The California Online Privacy Protection Act of 2003 was the first privacy law in the United States to require commercial websites and online services to post a privacy policy. The California Consumer Privacy Act (CCPA), which took effect January 1, 2020, has spawned more rigorous privacy laws in other states. And now the California Privacy Rights Act (CPRA) is expanding privacy with new definitions of personal information and individual right of action for privacy breaches. While CPRA’s expanded privacy rights are great for consumers, the law is likely to complicate the work of privacy teams, especially as other states adopt their own versions of these expansions.

Broad Strokes and Devilish Details

While the CPRA initially made headlines for sweeping changes such as expanding definitions of “sensitive personal information” and expanding individual right of action, there are also plenty of other substantial provisions and nitty gritty details guaranteed to create new work for privacy teams. Here are just a few:

  • Expanded rights for employees and contractors: The Act extends the privacy rights of consumers to job applicants, employees, and independent contractors. According to the National Law Review, more of the information routinely collected from applicants and employees will be regulated when the CPRA goes into effect.
  • Right to correct: The CPRA gives consumers the right to correct inaccurate personal information that businesses hold.
  • New notice requirements: CPRA businesses to notify consumers whether their sensitive information will be sold or shared; what kinds of personal information are being collected, and how long it will be retained.
  • A new enforcement body: The California Attorney General is responsible for enforcing the CCPA, but CPRA creates a new enforcement authority, the California Privacy Protection Agency (CPPA.) And while the AG is complaint-driven, the CPPA will actively monitor and audit businesses for compliance with California privacy laws.
  • Mandatory annual risk assessments and audits: Organizations whose processing of personal information presents “significant risk to consumers’ privacy or security” will be required to perform an annual cybersecurity audit and submit a risk assessment to the CPPA.

The CPRA will apply to any organization that does business in California and has annual gross revenue over $25 million in the previous calendar year; buys, sells or shares the personal information of at least 100,000 California consumers or households; or derives at least fifty percent of annual revenue from selling or sharing consumers’ personal information. Privacy teams in some businesses will need to monitor revenue levels and revenue sources to know if their businesses need to comply with CPRA.

Will Other States Follow CPRA?

Although the CPRA won’t take effect until the beginning of 2023, there is already speculation about how it will influence privacy laws in other states. A recent article in CSO presented both sides of the debate: will CPRA’s treatment of data privacy be too restrictive for American sensibilities, or will its improvements to the CCPA make it a logical model for states that already have CCPA-like laws in process?

Just as other states have modeled their privacy laws on the CCPA, we expect additional states to update their laws using the CPRA as a model. The appeal may be particularly strong in states with strong tech industry, the law’s similarity to GDPR may make California the first state to receive an adequacy decision from the European Commission since last year’s Schrems II decision invalidated the Privacy Shield protecting EU-U.S data transfer.

Amping Up for CPRA

While the CPRA takes effect January 1, 2023, a number of its provisions will apply to consumer information collected on or after January 1, 2022. So, organizations affected by the law have no time to waste. Preparations should include:

  • Mapping, classifying and managing all the “sensitive personal information” newly protected by CPRA.
  • Revising workforce disclosures and processes to comply with CPRA’s new workforce privacy protections.
  • Reviewing child privacy policies and practices, since the CPRA mandates steep fines for violation of children’s data privacy.
  • Reviewing data usage and retention policies and creating required new consumer notices, disclosures, and procedures enabling consumers to correct inaccurate personal information held by the organization.
  • Conduct risk assessments in preparation for CPRA’s mandatory audits.
  • Proactively building a contact list and building relationships with the new California Privacy Protection Agency.

Even if your organization doesn’t currently fall under CPRA requirements, data management, regular risk assessment, policy reviews, and building regulator relationships are all good practices.

Another important goal is to streamline and automate day-to-day processes such as risk assessment and privacy incident response processes, so that the team has bandwidth to adapt for CPRA and future CPRA-based laws. Because anyone who thinks CPRA preparation will be a one-time thing is “California dreamin”. As Laura Jehl, global head of McDermott’s Privacy and Cybersecurity Practice, told CSO, “[other state laws] won’t copy all aspects of CPRA and they’ll include some components that aren’t in CPRA, which means that U.S. privacy compliance is about to get even more complicated.”

Surf’s up, people! Get ready to ride this California wave!

Stay up to date on breach notification laws and trends with the following resources: