If you have ever been to California or purchased a product that was sold or distributed in California, you have probably seen the warning: “This product contains chemicals known to the State of California to cause cancer, birth defects, or other reproductive harm.”
It seems like a fair warning until you find it plastered everywhere. I stepped into a hotel elevator once in San Francisco and was presented with a warning on the elevator wall. It was on a paintbrush I purchased at a home improvement store. It was also on the dashboard of a car I rented in San Diego. It led me to cynically think to myself, “Well, what doesn’t cause cancer?”
This warning has been plastered everywhere since 1986, when voters approved Proposition 65 at the ballot box. California is somewhat unusual in that it allows voters to govern by ballot measures that do not require the support of the executive or legislative branches of the state government. Just as California stepped up to save us all from cancer-causing elevators and paintbrushes, it has once again taken the lead, this time in data privacy.
The California Consumer Privacy Act (CCPA) was passed by the state legislature in 2018 and took effect on January 1, 2020. The bill was passed as a compromise to keep a more stringent initiative off the ballot. Data privacy advocates, however, were upset that the final product was watered down. So, in 2020, they introduced Proposition 24, also known as the California Privacy Rights Act (CPRA), which voters approved in the November 2020 general election. The new measures take effect on January 1, 2023, with enforcement beginning July 1, 2023.
So, what is CPRA? CPRA does not replace CCPA. Rather, it creates additional consumer rights and modifies existing CCPA rights. CPRA also establishes a new privacy enforcement agency (the California Privacy Protection Agency) and a new category of personal information. Because CPRA was passed through a ballot proposition, the legislature may amend it only in ways that are consistent with and further its purpose and intent. In other words, CPRA cannot be watered down through legislative action. Only a subsequent ballot measure, superseding federal law, or a judicial ruling of unconstitutionality could reduce the provisions of CPRA.
One of CPRA’s notable changes is that it extends the scope of a covered business beyond those that sell personal information to those that share it, where “share” means disclosing it to a third party for cross-context behavioral advertising, whether or not money changes hands. That seemingly minor detail will have a significant impact on businesses that rely on targeted advertising. Further, the introduction of “sensitive personal information” expands the definition of personal information and adds new constraints on how that data may be used, how it must be disclosed, and how consumers can limit its use. Sensitive personal information includes government identifiers (e.g., SSN, driver’s license or passport number), financial account information and account login credentials, precise geolocation data, racial or ethnic origin, sexual orientation, religious or philosophical beliefs, union membership, the contents of non-public communications (e.g., mail, email, text messages), genetic data, biometric data used to uniquely identify a person, and health information.
CPRA also adopts certain GDPR (General Data Protection Regulation) principles, such as data minimization, purpose limitation, and storage limitation. In other words, the personal information that businesses collect must be limited to what is reasonably necessary and proportionate to the disclosed purpose; that personal information may only be used for the purposes disclosed to the consumer (or purposes compatible with them); and the retention period for each category of personal information, or the criteria used to determine that period, must be disclosed.
While some of these regulations will result in new policies that will be drafted and communicated to consumers, others will put more onus on the business and its processes, procedures, and risk mitigation efforts. CCPA gave consumers the right to request that their data be deleted, the right to opt out of its sale, and the right to know how their data was being collected and used. CPRA adds the right to correct inaccurate information, the right to limit the use of sensitive personal information, the right to access information about how automated decision-making technology uses their data (i.e., meaningful information about the logic involved in such decision-making processes), and the right to opt out of automated decision-making technology that uses their data.
Covered businesses will soon be asking themselves, “When was the last time we completed a risk assessment and cybersecurity audit?” CPRA directs the new privacy agency to issue regulations requiring businesses whose processing of personal information presents significant risk to consumers’ privacy or security to perform an annual cybersecurity audit and to submit regular risk assessments to the agency. Cybersecurity is also likely to gain a heightened focus because CPRA expands the private right of action for data breaches. Under CCPA, a consumer could already sue over a breach of unencrypted, unredacted personal information such as an SSN or financial account number; CPRA adds an email address in combination with a password or security question and answer to that list. Other violations remain the province of the Attorney General and the new agency, but for a breach involving that data, any impacted consumer covered by CPRA can bring legal action directly against the offending entity.
When CCPA took effect in 2020, many of Kenway’s clients were relieved to see that employee data and data specific to business-to-business transactions were exempt. In effect, CCPA treated consumer personal information differently than employee and business-to-business personal information. While CPRA extends those exemptions, it also permanently sunsets them on January 1, 2023.
It is widely expected that additional states will enact measures like CPRA. Many states have already drafted similar legislation, and that legislation is working its way through various legislative committees and forums for debate and amendment. Many of these bills lost momentum during the COVID-19 pandemic, as attention turned to the national public health crisis and its impact on state programs and budgets. However, states will likely return their attention to data privacy within their 2021 and 2022 legislative calendars, unless superseding federal action takes place first. Most businesses would prefer a federal data privacy plan (and are lobbying accordingly) rather than having to navigate the potential variations of 50 state laws. In that spirit, many companies that do business in Europe are applying the practices they established to address GDPR, since GDPR is still slightly more restrictive than CPRA.
While CPRA will not go into effect until January 1, 2023, now is the time to start preparing. For any organization that will be covered by CPRA, it will be critical for them to have a crystal-clear understanding of their data ecosystem. Without it, implementing any of the required reporting will be impossible. This includes the appropriate Data Governance and Data Management: policies, procedures, data flows, data lineage, data dictionary, and catalog. Organizations will also want to look at their cybersecurity plans and begin planning for regular assessments.
All that said, regulatory compliance cannot be treated like a conventional IT project. Our experts work with clients to create a strategic action plan. This includes leveraging our clients’ internal or external counsel’s interpretation of the law and its applicability to their organization in order to identify gaps and create a plan to resolve them. That plan includes the necessary resources, activities, and scope. We then work with our clients’ teams to connect the dots across all their systems storing personal information, weaving in business processes to pinpoint risks, and subsequently building a plan to avoid them. This is all part of the effort to ensure that our clients not only become compliant with the new regulations, but are positioned to stay compliant as new or amended measures are enacted.
Proposition 65 was brought to you by the State of California to warn you of exposure that may impact your health. Kenway is here to warn you that Proposition 24 (CPRA) may impact your business. The clock is ticking – you’ve got slightly less than two years to be ready – and we’re ready to help you through that journey. Even if your business is not covered by CPRA, it is no longer a matter of “if” but, rather, “when.”
We’re here to help when you are ready to start.