Leverage CCPA requirements to prepare for CPRA faster
How does the California Privacy Rights Act update the California Consumer Privacy Act 2018 (CCPA) safeguards for California residents?
For Californians seeking to control the sale of their personal information (PI), the CPRA fills in the gaps missed when CCPA was passed and expands and clarifies the CCPA’s scope.
The CCPA and CPRA therefore work together to protect consumer and employee rights. Employee rights and B2B PI protection are new additions to California’s privacy law.
While CCPA enforcement has already begun, CPRA regulations go into effect on January 1, 2023. We expect enforcement of the new regulations to begin in July 2023.
The CPRA also has a 12-month look-back period, meaning it applies to PI collected on or after January 1, 2022.
Before preparing for CPRA, you need to know what’s changed. Keep in mind CPRA regulations are still being drafted.
This article does not constitute legal advice. It is for general purposes only.
The California Privacy Rights Act update to CCPA wasn’t minor
There have been significant updates since California Consumer Privacy Act went into effect. For a more thorough explanation of the legislation, read Your Guide to CCPA and CPRA Compliance.
Businesses already compliant with CCPA 2018 should leverage that work to prepare for the following changes.
CPRA changes CCPA business definition and eligibility thresholds
The official definition of business has changed to include joint ventures and partnerships. In addition, the eligibility thresholds have changed, meaning some businesses subject to CCPA may not be subject to CPRA.
It’s important to note that the CCPA remains enforceable until July 1, 2023. At that point, the updates reflected in the CPRA become enforceable.
“Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date. Enforcement of provisions of law contained in the California Consumer Privacy Act of 2018 amended by this act shall remain in effect and shall be enforceable until the same provisions of this act become enforceable.”
– Proposition 24 Proposed Law Text
If you do business in California and meet one or more of the eligibility thresholds, comply with all CCPA regulations until July 2023, even if you aren’t required to afterward under the newly amended thresholds.
Changes include clarifying that the revenue threshold is global revenue, adding “sharing” to the threshold for businesses that derive most of their revenue from selling consumers’ PI, and doubling the minimum number of consumers whose PI is handled while removing devices from that criterion.
CCPA employee exemption not extended: What does CPRA mean for employees?
CCPA and CPRA’s definition of consumer is broad and means any person that is a California resident has rights regarding the use of their personal information.
The CCPA employee data moratorium exempted certain PI collected by a business from the consumer rights granted by CCPA.
Essentially, PI about employees, contractors, subcontractors, and B2B contacts that was collected solely for the purposes of the role, business transaction, or partnership wasn’t protected under the CCPA, and businesses didn’t have to comply with consumer rights requests from these California residents.
However, this exemption will expire as the CPRA goes into effect on January 01, 2023.
Businesses should review existing employee privacy practices and have a plan in place for employee and B2B PI to be subject to full rights and obligations as other California consumers.
It’s possible that California will extend the exemptions or exclude employee and B2B data, as with the other omnibus U.S. State privacy laws (but it’s not likely).
Start by understanding how your business uses employee and B2B personal data, what systems have access to that data, and if it’s shared or transferred to any other parties.
Update the CCPA privacy notice provided to California employees to include how employees can submit requests under California consumer rights.
Rights ensured to consumers will also need to be applied to that type of data. CCPA consumer rights before CPRA are as follows.
- Right to know what personal information a business collects about the California resident and how it is used and shared/sold
- Right to delete personal information collected from the consumer
- Right to opt-out of the sale of their personal information
- Right to non-discrimination for exercising their CCPA rights
Additional California consumer rights
The CPRA added the right to correction, allowing consumers to request inaccurate PI be corrected.
Additionally, gaps in consumers’ right to delete PI were filled to ensure that service providers would cooperate with the deletion. This also allows businesses to keep a confidential record of deletion requests for future reference.
The CPRA also added a new category of PI and a right for individuals to limit the use of Sensitive Personal Information and opt out of its use.
Sensitive personal information is now defined as PI that includes
- a consumer’s SSN, driver’s license, state ID card, passport number,
- account log-in, financial account, or debit/credit card number in combination with any required security or access code, password, or credential allowing access to the account,
- a consumer’s precise geolocation,
- a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership,
- the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication,
- and a consumer’s genetic and biometric data.
Now, the right to opt-out of the sale of personal information extends to sharing PI. Thus, consumers have the right to opt-out of the sale and the sharing of their PI.
Adding a definition of “sharing” alongside “sale” answers the question, “Does using third-party cookies, identifiers, or trackers on a website or app to collect information from visitors constitute a sale?”
Yes: sharing, renting, releasing, or disclosing a consumer’s personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, is now covered as sharing.
This will be important for publishers and advertisers to consider, and it covers more than third-party cookies. Businesses must give consumers a way to opt out of cross-context behavioral advertising and must honor opt-out preference signals.
Related to opt-outs is another new right to opt-out of automated decision-making technology and profiling.
California consumer protections extended throughout supply chain
This isn’t new if you’re used to GDPR, but it’s a change regarding CCPA. Consumer protections now need to follow PI throughout the supply chain.
Processors, subprocessors, service providers, contractors, and third-party vendors will need to cooperate down the supply chain to comply with consumer individual rights requests.
CPRA requirements restrict service providers’ control of the personal information shared by businesses and hold service providers to the same privacy obligations as the directly regulated business.
Thus, service providers will be contractually limited to processing PI for the business purposes for which it has received the PI from the business.
Third parties will be required to honor requests to delete or opt-out of the sharing of personal information and requests forwarded to the third party from the business that shared the information.
Service providers and contractors will have to inform any subprocessors and their contractors who have access to PI to make necessary changes as well.
Subprocessors and contractors must notify a business if it’s not possible to meet the obligations.
Going forward, your business needs to embed consumer protections into the procurement process before negotiating contracts with vendors and service providers.
Current agreements must also be examined and updated to meet CPRA and CCPA compliance requirements.
Third-party agreements will likely be the biggest CPRA compliance challenge for most organizations.
Identifying who has access to the information (whether direct or through systems or data sharing) is the first step to prioritizing what agreements need to be amended.
Updates to notices, definitions, and requirements
Draft CCPA and CPRA regulations add a requirement to notify consumers of third-party involvement in collecting their personal information.
Currently, third parties allowed by the business to collect PI must provide notice at the time of collection. The notice can be done through a single notice provided by the business and the third party that covers collective information practices.
Companies need a Do Not Sell or Share My Personal Information link on their websites. Additionally, they will need a link that lets Californians limit the use of their sensitive personal information.
These links can be combined into a single link that respects the opt-out preferences for personal and sensitive PI.
This can also be accomplished by honoring a global opt-out preference signal such as the Global Privacy Control (GPC) signal.
Regulations are still pending regarding the GPC signal. More stringent requirements for recognizing and honoring it are likely to follow.
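The GPC signal mentioned above (and the opt-out-of-sharing mechanism described earlier) is concrete enough to show in code. The following is an added example, not code from the article or from TrustArc: it detects the signal the way supporting browsers send it, as the request header `Sec-GPC: 1` and as `navigator.globalPrivacyControl === true`, folds it into a stored consent record, gates a third-party ad tag on that record, and builds the `/.well-known/gpc.json` resource a site can publish to state that it honors the signal. The shape of the consent record (`saleOptOut`, `shareOptOut`, `limitSensitive`) and the sample request are assumptions made for illustration.

```javascript
// Added example (not from the article): honoring the Global Privacy Control signal.
// Supporting browsers and extensions send the HTTP request header "Sec-GPC: 1"
// and expose navigator.globalPrivacyControl === true to page scripts. The
// request and consent-record shapes below are assumptions for illustration.

const GPC_HEADER = "sec-gpc";

// True when the request carries a valid GPC header. Header names are
// case-insensitive; the spec defines "1" as the only meaningful value.
function hasGpcHeader(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === GPC_HEADER) {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client-side equivalent, taking a navigator-like object so it runs outside a browser.
function hasGpcProperty(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Fold a GPC signal into a stored consent record. GPC is an opt-out of sale and
// sharing. Absence of the signal on a later request is not consent, so this
// function only ever sets opt-outs; it never clears one.
function applyGpcSignal(consent, signalPresent) {
  const updated = { ...consent };
  if (signalPresent) {
    updated.saleOptOut = true;
    updated.shareOptOut = true;
  }
  return updated;
}

// Gate for third-party advertising tags: load only if no opt-out is recorded.
function mayLoadAdTag(consent) {
  return !(consent.saleOptOut || consent.shareOptOut);
}

// Body of the /.well-known/gpc.json resource a site can publish to state that
// it honors the signal; lastUpdate is an ISO 8601 date string.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed request: a browser sending GPC to a page with a clean consent record.
const sampleRequest = { headers: { "Sec-GPC": "1", "User-Agent": "example" } };
const storedConsent = { saleOptOut: false, shareOptOut: false, limitSensitive: false };
const decided = applyGpcSignal(storedConsent, hasGpcHeader(sampleRequest.headers));
console.log(mayLoadAdTag(decided)); // false: the ad tag must not load
```

Server-side, the header check is the reliable one, because the ad tag decision is often made before any page script runs. Note that `limitSensitive` is left untouched: GPC expresses an opt-out of sale and sharing, and the separate right to limit use of sensitive PI still needs its own link or preference setting.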
CPRA adds clarity to data retention requirements. You must notify consumers of data retention practices, and the time the business plans to keep the information in the privacy notice.
If the length of retention is unknown, you have to provide the criteria used to determine how long each PI or sensitive PI category is retained.
New or updated definitions include:
- Contractor
- Precise Geolocation
- Cross-Contextual Behavioral Advertising
- Household
- Publicly Available Information
The mandatory 30-day cure period for CCPA violations is gone. Under the CPRA, curing is allowed only at the discretion of the new governing body, the California Privacy Protection Agency (CPPA).
The CPPA is composed of five members and takes over rulemaking and enforcement authority from the California Attorney General. The agency has a $10 million budget to create a dedicated task force for rulemaking, investigations, enforcement, penalties, and education.
As with CCPA, we expect more regulations and clarification for CPRA from the CPPA in the coming months.
There are additional data minimization and purpose limitation requirements under CPRA as well.
CPRA explains that data use, retention, or sharing must be consistent with what an average consumer would expect when PI was collected.
The reasonable expectations of a consumer can be determined based on the following:
- the relationship between the consumer and the business,
- the type, nature, and amount of personal information that the business seeks to collect or process,
- the source of the personal information, and the business’s method for collecting or processing it,
- the specificity, explicitness, and prominence of disclosures to the consumer about the purpose for collecting or processing the consumer’s personal information,
- and the degree to which the involvement of service providers, contractors, third parties, or other entities in collecting or processing personal information is apparent to the consumer.
A business must provide additional notice and obtain the consumer’s explicit consent for any purpose unrelated to the business purposes for which the PI was collected.
To determine whether your collection, use, retention, or sharing of PI is reasonably necessary and proportionate to achieve relevant purposes, consider these factors:
- Minimum personal information that is necessary to achieve the purpose identified
- Possible negative impacts on consumers posed by the business’s collection or processing of personal information, and
- Existence of additional personal information safeguards to specifically address the possible negative impacts on consumers.
Data Inventories Now Required for CCPA and CPRA Compliance
A data inventory aims to understand the purpose and intent for collecting or storing data to enable organizations to discover the personal data and processing activities occurring throughout the entire firm.
A data inventory reveals what type of data is collected or processed and why, where it’s located, who it’s collected by, and all variables needed to help you assess risk to prioritize actions.
Establishing a data inventory is the easiest way to understand the initial risk before any actions are taken to reduce that risk.
Breach obligations are extended. Previously they were triggered by a breach of nonencrypted and nonredacted PI; under the CPRA, a compromise of an email address in combination with a password or security question and answer that would permit access to the account also triggers them.
There’s also a new requirement to implement reasonable security procedures and practices appropriate to the PI being processed, and, for processing that presents a significant risk, to conduct risk assessments such as PIAs and DPIAs and submit them to the CPPA.
Requirements for these annual assessments depend on the CPPA’s rule-making – more to come.
If you operate internationally, you likely have something like this in place already to comply with the EU GDPR. Documenting the results is critical if your business processes PI in a way that presents a significant risk to privacy or security.
Prepare for CPRA regulations
Assuming you’re already CCPA compliant, review your decisions for CCPA or GDPR compliance. Do those still hold?
The key is to build on what you already have in place and leverage CCPA requirements to prepare for CPRA faster. Then, identify the first set of decisions that the team will need to make.
Answer these questions to start your CPRA compliance efforts
- What key decisions drive other major workflows?
- For example, are you going to need to build new business processes?
- How will you facilitate the development and adoption of those new processes across the organization?
- Will you need to implement new technology?
- What are the processes for technology selection and implementation?
- What is the risk, and what is your company’s risk tolerance?
- Does the CPRA definition of a data sale change whether or not you are selling or sharing data?
- If you’re compliant with CCPA, next, how do you add the ability to flow through the correction right for the consumer?
- How do you add a button for opting out of sharing information?
Start with things visible to the regulator, including website banners, links, and web forms. Ensure your privacy policy is displayed and reflects the retention schedule.
Do you have a data retention schedule? What is it?
Beyond the legal obligation, you may want to consider how your data retention schedule compares to others in the industry.
Getting consensus from legal, regulatory, and other business team needs can help develop the right policy for your business.
Next, decide how to manage third-party contract amendments and data subject requests downstream. Who has direct access to your systems, etc.? Do you have a current data inventory?
Ensure roles and obligations are clearly defined. What other teams can you leverage to drive CCPA and CPRA compliance? You’ll need as much support as you can find!
Know your highest data processing risk areas
Start with a data inventory to understand and locate your risks. Then prioritize those processes or systems with the highest risk levels. Essentially: Where is your most sensitive information being processed?
Are you merging datasets or conducting any automated decision-making? Are you using advanced technologies such as AI?
This is a massive undertaking that requires support from across the business. It’s not a one-person task.
Understanding what data is collected, where it’s stored, and how it moves across and out of the business, and then setting parameters around that, is the foundation of any privacy program.
Partner with IT and Cybersecurity teams to understand their efforts as they’re trying to secure the network for your organization.
Do they need data elements tagged to identify personal and sensitive personal information, enabling IT to build privacy by design guidelines?
Train people on the impacts of data privacy regulations
Some people in the organization might not be interested in what the privacy office is doing. But it’s time to bring them on board and start communicating the impacts of data privacy regulations across different parts of the business.
Employees in marketing, sales, human resources, and customer relations need to understand what the new obligations are and, as a result, what processes will need to be changed or updated to comply.
Establish a culture of accountability to ensure privacy processes are followed and continuously monitored and improved. It takes everyone within a company to drive the principles of privacy.
More data processing transparency
California passed the toughest privacy law in the U.S., but rest assured it won’t be the last State privacy law. Leverage your CCPA and CPRA work to drive other organizational initiatives that create more transparency around how and why the business uses and stores data.
- Create a common understanding for the organization about maintaining accurate data inventories and maps.
- Explain that it’s critical to know where the information is in the case of consumer requests and the downstream of vendors and contractors that may also have access to that data.
- Drive data governance through data inventories, knowing the data lifecycle, and processes around the lifecycle for all of your information, specifically for PI and sensitive PI – segregate and manage those separately.
Consumer first data privacy management
It’s time businesses shift their mindset regarding consumer data practices. It’s possible to stop chasing compliance with new regulations and move on to a consumer first data privacy program.
Put yourself in your consumers’ shoes – what information would you want businesses to collect about you?
Turn the page from covert tracking and build a relationship with your consumers instead. Businesses that do so will benefit from consumers who gladly provide their information to organizations they trust.
You can start by evaluating the existing tracking technologies on your website with the TrustArc Website Monitoring Manager.
Next, put consent in the hands of your customers with Cookie Consent Manager, Consent & Preferences Manager, and Individual Rights Manager. Depending on business requirements, these tools help you manage consumer opt-ins and opt-outs, do not track signals, universal opt-out requests, and engage customers on their terms.