CPRA Set to Revamp Privacy Laws in California Yet Again
Voters in California passed new data privacy legislation, the California Privacy Rights Act - building off the California Consumer Privacy Act - last week.
In California last week, as many experts predicted, new data privacy legislation, the California Privacy Rights Act, was passed, effectively building on the California Consumer Privacy Act to become the latest attempt to bring California’s data protection laws closer to the EU’s General Data Protection Regulation (GDPR) standard.
While data protection officers and compliance officers have no doubt had their hands full this year with ensuring their organizations adhered to CCPA, let alone continuing to operate in a pandemic, they should have plenty of time to familiarize themselves with CPRA; the regulation won't go into effect until January 1, 2023.
Nicknamed CCPA 2.0 by some and Proposition 24 on the California ballot last week, the initiative was designed to enhance the consumer privacy protections currently provided by the California Consumer Privacy Act. Even though the CCPA just went into effect on January 2, 2020, the CPRA will replace that law in three years.
At 54 pages, it's a lengthy privacy bill, one that will likely see numerous revisions before 2023. As it stands, CPRA will implement a number of GDPR-esque measures on businesses, like a storage limitation - personal information shouldn't be retained longer than "reasonably necessary," and a data minimization principle that states that the collection, use, retention, and sharing of personal information should be limited to what's "reasonably necessary."
CPRA also removes the 30-day right to cure, adds data breach class action risk for personal and work email account credential breaches, and increases the penalties for violations of children’s privacy. Specifically, under CPRA, the government will be able to fine companies up to $7,500 for violating children's privacy laws - that's triple the fines set forth in CCPA for collecting and selling children's private information.
CPRA will also create a new subcategory, Sensitive Personal Information (SPI), that includes data like login credentials, race, ethnicity, biometric data (from health trackers), and precise geolocation.
The act also mandates the creation of a new agency to enforce privacy violations – a first for the nation. Currently enforcement falls on the state's Attorney General office.
CPRA was introduced by the same group that was behind CCPA, Californians for Consumer Privacy - a group spearheaded by millionaire real estate developer Alastair Mactaggart. Mactaggart famously put $3 million behind CCPA and while he was generally content with it, he wanted more, going on record that he was dissatisfied with some of the amendments that were passed since the CCPA was originally enacted. Mactaggart said early this year he was looking for "a new high-water mark that can’t be undone."
Unlike the CCPA, the CPRA also makes it more difficult to weaken the law through other amendments, a sticking point of Mactaggart's and one of the reasons he pushed it forward.
The group collected over 900,000 signatures to get the CPRA – before it became widely known as Prop. 24 - on November’s ballot. Given Mactaggart’s success with CCPA and the signatures he was able to get for the CPRA, many viewed its passing as a lock.
While Prop 24 passed fairly easily – it passed by a 55.94% to 44.06% vote – it wasn’t universally welcomed by privacy advocates. California's American Civil Liberties Union was against it, worried it would undermine protections already in place thanks to CCPA. It also suggested the act was replete with loopholes, including some that could allow companies to charge you if you tell them not to sell your personal information.
The Electronic Frontier Foundation also didn't support Prop 24, stressing it doesn't do enough to advance the data privacy of California consumers, calling it "a mixed bag of partial steps backwards and forwards."
For the rest of the nation, seeing California pass yet another privacy law could help dictate what the rest of the country does around data privacy. Countless acts similar to the CCPA have made their way through state legislatures in states like Washington, Missouri, and Nebraska since 2018.
There's a chance the passage of CPRA turns the tides towards a federal data privacy law, something to supersede the patchwork of state to state bills already on the books. Even if it doesn’t materialize, data privacy isn’t going away; in the wake of the pandemic, with the uptick of telehealth, contact tracing, and remote working, it can be argued it's never been more necessary.