Technology and social media giants like Facebook and Google are about to get a huge reality check in how they handle customer data. The California Privacy Rights Act (CPRA) is on the ballot for Californians and would introduce a new slew of standards and initiatives to improve data protection and privacy for all Californians.
But CPRA isn’t necessarily bad news for all businesses. As long as companies know the ins and outs of CPRA — and make the right preparations — data privacy and security should improve for all parties involved.
Get the Free Essential Guide to US Data Protection Compliance and Regulations
- Quick Review: What is the California Privacy Rights Act?
- CCPA vs. CPRA
- How to Prepare for CPRA Compliance
- What Could the CPRA Change for Me?
- Latest Updates and CPRA News
Quick Review: What is the California Privacy Rights Act?
The CPRA will effectively function as version 2.0 of the California Consumer Privacy Act, strengthening data and privacy rights.
- The measure is sponsored by the private group California Consumers for Privacy, which collected over 900,000 signatures supporting the measure.
- Proposition 24 passed, and the CPRA will start phasing in on January 1st, 2021.
CPRA: A Step Towards a US Version of GDPR
Both the CCPA and CPRA are heavily influenced by the European Union’s General Data Protection Regulation (GDPR). The GDPR is one of the first comprehensive data privacy and protection regulations providing consumers greater control of their personal information. In many respects, the CPRA is a United States version of the GDPR.
Who Does the CPRA Affect?
The CPRA will affect large businesses and organizations the most. Any company that engages in the data collection, analysis, and storage of any person located in California is subject to CPRA they fit under the following criteria:
- For-profit companies that do business in California
- Over $25 million in annual revenue
- Companies that buy, sell or share personal information (PI) of over 100,000 consumers or households
- Derives at least 50 percent of annual revenue from selling or sharing of consumer PI
It’s important to note that even if a business isn’t physically or legally located in California, that company is still subject to CPRA as long as they have users or conduct business in the state.
How Could it Affect Businesses?
- Businesses will need to improve opt-in and consent processes on their websites, emails, and other digital channels to comply with CPRA
- Companies will be required to have more robust internal practices for responding to data privacy-related requests from consumers.
When Does the CPRA Go Into Effect?
The CPRA only becomes law if it passes with a majority of California voter support on the November 3rd election. If so, a preliminary version of CPRA would take effect mid-December, followed by a ramp-up year beginning on January 1st of 2022. The law will be fully implemented as of the start of 2023, with the caveat that all businesses taking efforts to be in compliance between now and then. July 1st of 2023 will be the official enforcement date when businesses will be subject to fines and penalties for non-compliance.
Latest Updates and CPRA News
Update: November 2nd, 2020
Some of the largest privacy rights groups and tech leaders announce support for the CPRA. This includes the Electronic Privacy Information Center (EPIC) and the Own Your Own Data Foundation.
Update: November 3rd, 2020
Proposition 24 and the CPRA officially passes. The California vote was 56% in favor of the measure. Various political and technology leaders — like presidential candidate Andrew Yang — react positively to the news.
CCPA vs CPRA: New Terminology
The CPRA is generally a more robust framework than CCPA, protecting more consumer data types and business activities. Here are the key distinctions and alterations in terminology businesses should be aware of.
- Sensitive Personal Information (SPI). While the CCPA protects PI, the CPRA introduces new terminology in the form of SPI. The list of SPI is long and includes things like SSNs, ethnic/religious background, and biometric data.
- Selling vs. Sharing. The CCPA only applies to businesses that generate over 50 percent of their revenue from selling data. The CPRA specifies “sharing” rather than selling, making it more broadly applicable.
- Higher User Threshold. Under CCPA, businesses must comply if they collect data from 50,000 households or more. The CPRA increases this number to 100,000, making it more friendly to small-to-medium sized businesses.
- Third-Party Opt-out Rights. CCPA gives consumers the “Right to Opt-out of Third Party Sales.” Under CPRA, users now have the “Right to Opt-out of Third Party Sales and Sharing.”
- Right to Delete. The CCPA provides consumers the right to have their data deleted upon request. If the CPRA takes effect, businesses will also have to notify third-parties to delete that same data upon request.
- Advertising Usage. Under CCPA, consumers can opt-out of their data being sold to advertisers for monetary compensation. The CPRA extends this right to “cross-context behavioral advertising” where data is shared without direct financial compensation.
- Right to Correction. The CPRA would introduce this right — not included in the CCPA — where consumers may request the correction of PI held by businesses.
- Right to Opt-Out of Decision Making Technology. Another provision unique to CPRA, letting consumers opt-out of automated decision-making technologies. This generally refers to “profiling” consumers with regards to factors like health status, location, work history, or other demographic indicators.
- Opt-in Rights for Minors. The CPRA strengthens opt-in requirements for minors. Businesses must now notify minors if they intend to sell or share user data for behavioral advertising purposes.
- Right to Restrict Sensitive PI. Sensitive PI is protected under CCPA. But the CPRA extends this right to third-party use. Consumers can now restrict that sensitive PI from being shared with other entities.
While there are other changes in language and terminology, there are the main updates that businesses should be aware of. Businesses should focus on opt-in rights, third-party data sharing, and advertising usage as the primary differences between CCP and CPRA.
How to Prepare for CPRA Compliance
Whether or not CPRA passes — although odds are it will — businesses should still strive to stay ahead of the regulatory curve. Taking a proactive stance towards compliance standards will insulate you from penalties, reduce future compliance costs, and help maintain a trusting relationship between your brand and consumers.
Audit Third-Party Ecosystem
One of the most significant updates with CPRA is the added protection of third-party data. Businesses will want to audit their vendor and partner ecosystem and ensure that all data is being shared, handled, and stored in a secure manner. Have streamlined processes in place to handle requests for correction, deletion or transfer.
Inventory All Personal Data Types
Since CPRA extends rights from PI to SPI, you’ll want to make sure every single piece of data about a user is accounted for. Things like demographic, location and employment data are now subject to regulation. Having all that information organized and attached to the right user will be critical under CPRA.
Update Consent and Opt-in Forms
Since the CPRA raises the bar for consent and opt-in, companies will want to make sure that consumers are well-informed before allowing their data to be used, stored or shared. Companies that do business in Europe will be well-served by strengthening opt-in and consent to comply with GDPR.
Implement Data Request Processes
Passage of CPRA will undoubtedly result in more consumer data privacy requests. This could be for deletion, transmission or update. Businesses will need to have processes, personnel, and technologies in place to handle these requests in a streamlined fashion.
What Could the CPRA Change for Me?
CCPA will primarily change the way businesses share data with third-parties. Companies will also need to better protect broader categories of data per the new SPI category. Here are some of the key developments and what they might mean for you.
1. Point of Collection Notices
Businesses will need to beef up their notifications at the point of data collection. CPRA states that consumers be notified that their data might be sold or shared, in addition to how long that data will be kept.
2. Data Sharing in Advertising
Businesses will need to be more cognizant of how their user data is shared with third-party advertisers. Businesses should have the means in place to opt-out consumers of non-paid data sharing in advertising should they request.
3. Lesser Requirements for SMBs
The good news for small-medium sized businesses is that the CPRA only applies to businesses that use data from users or households over 100,000. The CCPA currently specifies 50,000 so SMBs can expect some relief.
4. New Service Provider Agreements
The CPRA mandates additional terms to be placed in agreements with digital service providers. Companies will have to go over the CPRA in detail and ensure the proper language is included in all service provider agreements.
5. Potential Risk Assessment Audits
Much like the GDPR, the CPRA mandates that businesses undergo regular audits and risk assessments to certify compliance. Businesses can also expect to submit assessments to regulator bodies on a yearly basis.
6. California Privacy Protection Agency
The CPRA also establishes the first U.S. regulatory agency dedicated specifically to privacy, the California Privacy Protection Agency (CPAA). Businesses can expect to potentially engage with the CPAA if the CPRA does pass.
7. Data Retention Notifications
Under CPRA, businesses need to disclose how long they keep data to consumers. Businesses will need to prepare to inform consumers about their data retention timeline. CPRA mandates that businesses only keep data as long as is “reasonably necessary.”
8. Exemptions for Clinical Trials
For pharmaceutical and biotech companies, the CPRA will retain exemptions for clinical trials set forth by the CCPA and Health Insurance Portability and Accountability Act (HIPAA). The CPRA should make compliance efforts easier by further codifying and explaining the scenarios where exemptions are appropriate.
CPRA Sets a New Privacy Standard
The goal of CPRA is to improve upon the CCPA, bringing it closer to GDPR’s current gold standard of data privacy rights regulations. California is at the forefront of this issue and consumers in the state are likely to pass the measure. Given that California is home to most major technology and social media companies, state residents are very aware of the risks that data collection and storage present.
Although it will take around two years to fully implement, the CPRA should generally be viewed as a positive development in the protection of consumer data. Businesses may incur some additional compliance costs, but the CPRA is aimed at larger enterprises that can well afford those costs instead of small-to-medium sized businesses.
The good news is that businesses have plenty of time to get their ducks in a row before CPRA non-compliance becomes a fineable offense in 2023. Starting today, businesses can begin enlisting the right data protection technology and compliance partners to help make their CPRA compliance journey as seamless as possible. Companies should have the infrastructure in place to comply with consumer data privacy requests, update their opt-in and notification processes, and conduct regular risk assessment audits starting in 2021.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.