What your business needs to know about CPRA
After achieving a narrower-than-expected mandate of 56% on November 3, the California Privacy Rights Act (CPRA) has now passed. This new act overhauls the preexisting California Consumer Privacy Act (CCPA) and is a landmark moment for consumer privacy.
In essence, the CPRA closes some potential loopholes in the CCPA – but the changes are not uniformly more stringent for businesses (as I’ll show in a moment). It also moves California’s data protection laws closer to the EU’s GDPR standard. When the CPRA becomes legally enforceable in 2023, California residents will have a right to know where, when, and why businesses use their personally identifiable data. With many of the world’s leading tech companies based in California, this act will have national and potentially global repercussions.
The increased privacy is undoubtedly good news to consumers. But the act’s passage is likely to create concern among businesses that depend on customer data. With stricter enforcement, harsher penalties, and more onerous obligations, many companies are likely to wonder whether this new law will make operating more difficult.
While many of the finer details of the CPRA are likely to change before it becomes enforceable, here’s what your business needs to know right now.
Will you be subject to the CPRA?
The preexisting CCPA law applied only to businesses that:
1) had more than $25 million in gross revenue
2) derived 50% or more of their annual revenue from selling consumers’ personal information, or
3) bought, sold, or shared for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
The CPRA keeps most of these requirements intact but makes a few changes. First, the revenue requirement (point 1 above) is now clearer: A company must have made $25 million in gross revenue in the previous calendar year to become subject to the law.
Second, when it comes to personal information (point 2), sharing is now considered the same as selling. While the CCPA applied to businesses that made more than half their revenue from selling data, the CPRA now also applies to companies that make half their revenue from sharing personal information with third parties.
Finally, point 3 is now more lenient, with the threshold for personal information-based businesses raised from 50,000 consumers, households, or devices to 100,000.
For businesses wondering if they can avoid regulations for sister companies under the same brand, the CPRA has clarified what the term “common branding” means. The CPRA now defines “a shared name, service mark, or trademark, such that the average consumer would understand that two or more entities are commonly owned.”
It also specifies that a sister business will fall under the CPRA if it has “personal information shared with it by the CPRA-subject business.” In practical terms, this means that two related businesses (one of which is subject to the CPRA) that share a trademark but are distinct legal entities will be subject to the CPRA only if they share data. The same joint responsibility for consumer information also applies to partnerships where a shared interest of more than 40% exists, regardless of branding.
So with the CPRA, some businesses are now more likely to become subject to data protection legislation while others may no longer fall under the Californian legislation.
For organizations that operate multiple legal entities, it is still ideal to have a one-size-fits-all approach to consumer data privacy. By allowing non-subject businesses to self-certify that they are compliant, the CPRA also gives companies an opportunity to be transparent with their customers about data usage even if they do not necessarily need to be.
Consumers have a right to know why you’re collecting their ‘sensitive personal information’
The CPRA will give consumers additional rights to determine how businesses use their data. As well as receiving the right to correct their personal information and to know how long a company might store it, consumers under the CPRA will be able to opt out of geolocation-based ads and of allowing their sensitive personal information to be used.
The concept of “sensitive personal information” is itself a new legal definition created by the CPRA. Race/ethnic origin, health information, religious beliefs, sexual orientation, Social Security number, biometric/genetic information, and personal message contents all fall under this definition.
Businesses also need to be careful when it comes to dealing with data they have already collected. Suppose a company plans to reuse a customer’s data for a purpose that is “incompatible with the disclosed purposes for which the personal information was collected.” In that case, the customer needs to be informed of this change.
As with the CCPA, employee data now falls under the CPRA. While this won’t be legally enforceable until 2023, one stipulation of the CPRA is that businesses will need to be transparent with their staff regarding data collection.
Businesses will soon need to give consumers more comprehensive opt-out abilities whenever they interact with them, but it may still take a while before unified standards around these procedures become commonplace. Undoubtedly there will be more than one way to communicate consumer requirements within the CPRA framework. Besides opt-out forms, businesses may increase their use of the Global Privacy Control standard, a browser add-on that simplifies opt-out processes. However, as geolocated targeting becomes more legally problematic, companies may need to reconsider reliance on some forms of targeted advertising.
There will be fines for data breaches
The CPRA stipulates that “businesses should also be held directly accountable to consumers for data security breaches.” As well as requiring businesses to “notify consumers when their sensitive information has been compromised,” the CPRA sets out financial penalties. Companies that allow customer data to be leaked will face fines of up to $2,500 or $7,500 (for data belonging to minors) per violation. The newly formed California Privacy Protection Agency will be authorized to enforce these fines.
While, in the short term, a relatively limited budget is likely to mean the agency will undertake only a few large-scale legal actions, every business will face increased financial risk related to data breaches. As the CPRA raises the stakes for businesses regarding data protection, threat actors are likely to be emboldened further. In the EU, the GDPR has been linked to an increase in ransomware incidents, as attackers use the threat of regulatory fines as leverage to extract larger ransoms from their victims.
In this respect, compliance will mean adopting stronger organizational security postures through wider use of multi-factor authentication and zero trust architectures. It is likely to drive up the cost of cybersecurity business insurance as well.
You have until 2023 but shouldn’t delay
While the CPRA will not become law until January 1, 2023, its regulations will apply to all information collected from January 1, 2022, onwards. So, as of now, you have over two years to prepare. However, as seen in polls from earlier this year, the vast majority of businesses have yet to comply with even the currently enforceable CCPA legislation.
The timeline for compliance with CPRA is relatively generous. As both regulators and businesses rush to catch up with their new obligations, it is unlikely that companies will face a torrent of legal action in the short term.
Nevertheless, in the longer term, the CPRA is likely to drive further legislation across the US. This law may be the beginning of a push towards federal-level data protection regulations, which will have similar rules, requirements, and penalties for businesses, regardless of where their customers are. Companies should start preparing for a future where customer data is legally protected now.
Rob Shavell is a cofounder and CEO of online privacy company Abine / DeleteMe and has been a vocal proponent of privacy legislation reform, including as a public advocate of the California Privacy Rights Act (CPRA).