CPRA is Not Bearish on Data Privacy

The California Privacy Rights and Enforcement Act of 2020 (“CPRA”) has qualified for the November ballot in California and is likely to pass. The comprehensive update to the California Consumer Privacy Act (“CCPA”) comes from Californians for Consumer Privacy, the group behind CCPA, which felt that the political process had weakened CCPA. Thus, CPRA seeks to amend and strengthen data privacy protections for California residents.

What is the Big Deal?

The fundamental consumer rights bestowed by CCPA include the right to notice, know, portability, deletion, and opt-out of the use and sale of Personal Information. CPRA expands the definition of selling to include sharing, giving consumers the right to limit how companies share their data. Consumers will also have the right to correct inaccurate information. If Californians pass CPRA, the law will become effective January 1, 2023.

Who is in Charge Here?

Enforcement of CCPA currently lies with the California Attorney General. The CPRA will establish and shift regulatory power to the California Privacy Protection Agency, funded by the fines collected from breaches and violations of the law. Additionally, CCPA’s thirty-day grace period allowing companies to correct violations will change to give consumers thirty days to a private right of action. CPRA also increases the reach threshold requiring business compliance from 50,000 to 100,000 consumers to target large companies without overburdening smaller ones.

Who Are You Calling Sensitive?

Sensitive Personal Information (“SPI”), not previously defined in CCPA, limits the use and sharing of sensitive data, including personal identification numbers and financial data combined with security access, geo-location, ethnicity, sexual orientation, the content of personal messages, and religion. Consumers will have the right to limit the use of their sensitive data. Publicly available SPI shall not be considered SPI or Personal Information under CPRA.

The Word of the Day is:

CPRA amends several vital definitions. First, Personal Information Security Breaches now include email addresses in combination with access credentials. The previous definition only included non-encrypted and non-redacted Personal Information subject to a breach. There are new requirements for Service Providers and a new meaning for “contractors,” which mirrors the description for Service Providers. Service providers and contractors must separate the data they collect from other data sources. CCPA only defines service providers.

Attention Data Hoarders Conducting Business Within California’s Borders: Time for Data Minimization

Consumers will have the right to limit the use and disclosure of Sensitive Personal Information. Consumers can now limit or opt out of data sharing. Corporations would be wise to reduce data retention on users who have opted out to prevent liability in the event of a data breach. Data retention practices, which CCPA did not previously require businesses to disclose, must now be disclosed at the time of data collection, including how long the business intends to retain PI and SPI. Companies should only collect what is necessary to do business and not keep such data longer than is reasonably required. Data minimization is vital not just to building trust with consumers but also to minimizing the risk and costs associated with data storage and, more importantly, data breaches. Any company collecting, selling, or buying Personal Information needs to be set up with the right tools to comply with data requests and deletion.

Notice Changes

The requirement to have a webpage link titled “Do Not Sell My Personal Information” now becomes “Do Not Sell or Share My Personal Information.” Also, a new link, “Limit the Use of My Sensitive Personal Information,” must allow consumers or persons authorized by the consumer to limit the use or disclosure of SPI. Companies can use a single link if it easily allows the consumer to complete either option.

Read Below if Danger Is Your Middle Name

Businesses processing high-risk data that poses a significant risk to consumer privacy and security must conduct yearly independent audits and regular risk assessments. Companies must have a chief auditor, who can be internal or external, to oversee the risk assessment.

Profiling and Automated Decision Making

Consumers can prevent advertisers from using their geo-location or profiling for business purposes. The data may still be usable if it is not directly identifiable to a person. “Profiling” means any form of automated processing of Personal Information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Protecting Children

CPRA increases the fines for mishandling data on children. The fine increases to $7,500 per violation when the business knows that the consumer is under 16 years old. Minors under 16 years old must opt-in to selling or sharing of their personal data. Companies must provide ways for children or their parents to specify the person is under 13 or between 13 and 16 years old.

Employee Data Exceptions

CPRA extends the employee data and business-to-business exemption until January 1, 2023, as a placeholder for a separate employee and business data law still to come. CPRA protects job applicants, employees, and independent contractors from retaliation if they use their right to opt out or exercise other rights. However, data from such parties is exempt under CPRA rules to the extent that businesses are only using the information within a business context. Companies can use Personal Information in case of emergencies and for administrative purposes.

Contracts with Third-Parties

Contracts are required for all data sharing; the third party will have to provide the same level of compliance as the business. If consumers request a limit to the selling and sharing of their data, there is a restriction on companies transferring data to other parties. A company that sells or shares Personal Information with third parties or discloses information to service providers or contractors must have a contract that includes the following:

  1. Specifies that the Personal Information is sold or disclosed by the business only for limited and specified purposes
  2. Obligates the third party, service provider, or contractor to comply with CPRA
  3. Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the transferred Personal Information in a manner that complies with CPRA
  4. Requires the third party, service provider, or contractor to notify the business if it can no longer comply with CPRA
  5. Grants the company the right, upon notice, to stop and remediate unauthorized use of Personal Information


With an effective date of January 1, 2023, companies will have a while to adapt and prepare. This article only touches the surface of what CPRA means; thus, businesses should further research the context of their business concerning the proposed law.

The crucial first step of data security compliance is knowing what data you have, then identifying sensitive data and information assets that require protection under the law. Ardent Privacy’s solution provides data risk assessments and automates mapping, identification, and inventory of data assets. Ardent Privacy specializes in data minimization and secure disposal, eliminating excess data to reduce liability. Visit www.ardentsec.com or email advisor at ardentsec.com for a consultation.

Ardent Privacy articles should not be considered legal or technical advice on the California Privacy Rights and Enforcement Act of 2020, or on any specific facts or circumstances. This article is written to express the opinion of the writer and nothing else.