What California’s Expanded Privacy Law Means for Communicators

by Stephen Payne, VP, Public Affairs & Privacy, Feld Entertainment

Just when you thought you understood the complexities of the relatively new California Consumer Privacy Act (CCPA), on Election Day 2020, voters in the Golden State decided to take CCPA even further. By a wide margin (56-44 percent), they approved the California Privacy Rights Act (CPRA). Think of this new package as CCPA 2.0. There is a lot to unpack in this new law and how it might influence communicators and their clients doing business in California.

As with other privacy laws, the first step for you, as a communicator, is to determine CPRA’s scope. In other words, does CPRA cover what you do as a PR pro?

CPRA changes which businesses are covered by amending CCPA. Under the new law, enforcement of which begins January 1, 2023, you are a covered business if you had more than $25 million in revenue in the preceding calendar year, or if you buy, sell or share personal information of 100,000 or more consumers (it was 50,000 in CCPA).

Buy, Sell and Now Share are Regulated

It is important to note the addition of the word share in defining which companies are in scope of the law.

In short, CPRA expands privacy rights for California residents beyond CCPA. In addition to their rights under CCPA, Californians approved:

    • their ability to correct inaccurate data that businesses possess
    • increased protection under a new and expanded definition of sensitive personal information which they can restrict use of
    • the imposition of larger fines for those who misuse children’s data (defined as those younger than 16)
    • higher fines for data breaches
    • limitations on how long data can be retained and used
    • creation of a dedicated enforcement agency and
    • an expansion of CCPA’s Do Not Sell requirement to include sharing data with third parties

More insight about the expansion of Do Not Sell to Do Not Share is needed. CCPA gave consumers the right to opt out of the sale of their data. For example, companies that sold consumer data were required to install a Do Not Sell button on their web pages and clearly state how to opt out.

The expansion of those regulations to Do Not Share includes renting, releasing, disclosing and transferring data.

Perhaps most important, the expansion applies even if there is no monetary exchange for the data. In other words, read the new law carefully to know if your business moves data, in any way at all, to a third party, even if you are not getting paid for the data. Californians will soon have the right to tell you to stop.

Regarding sensitive personal information, CPRA includes categories that a lot of marketers like to collect about customers and potential customers, including precise geolocation, race, ethnicity, religion, the content of personal email communication, genetic and health data and information about sexual orientation. CPRA gives Californians the right to limit the use and disclosure of this type of information.

The takeaway for communicators: Know what information is in your company’s data and where it flows in the enterprise.

CPRA also creates the California Privacy Protection Agency. This new agency will assume enforcement, taking over from the state’s Attorney General.

The agency will be tasked with providing guidance to businesses, educating consumers about their rights and investigating and levying fines for noncompliance. There is no private right of action for privacy violations, but the new law expands consumers’ ability to sue over data breaches that expose email addresses and passwords, and a variety of unencrypted personal information.

National and EU Questions

Creation of the California Privacy Protection Agency raises a national question. In light of California’s new law and enforcement, as well as a developing patchwork of privacy laws in other states, will Congress approve a national privacy law?

The answer will have to wait until the new Congress begins work in January 2021. So far, the House and Senate are miles apart on a national data regime. Much could depend on the Georgia run-offs next month. Should one party gain control of both the House and Senate, a data agreement seems more likely.

There is speculation that passage and implementation of CPRA will allow California to seek an adequacy decision from the European Union (EU). An adequacy decision means the EU will consider California law equal to its General Data Protection Regulation (GDPR) when it comes to data protection for consumers. That will be a steep hill given the recent invalidation of Privacy Shield and other factors.

CPRA, as mentioned earlier, starts enforcement from January 1, 2023. That seems like a long time from now, but as many of you know, compliance with the CCPA, and especially the GDPR, took a long time. So, reviewing the potential impacts of CPRA on your operations should not be delayed.

This summary of CPRA and how it might impact your business or your clients is not a replacement for legal advice. Given the new law’s impact, creation of the first agency dedicated solely to privacy enforcement and the huge fines for violations, if you hold a lot of California data it is a good idea to seek legal counsel and fully understand compliance.
