Though the California Consumer Privacy Act (CCPA) only just went into effect at the beginning of this year, the state has already passed a substantial revision in the form of the California Privacy Rights Act (CPRA). Also known as Proposition 24, the ballot measure was approved by state voters in the recent election, and its terms will begin taking effect at the beginning of 2023 (though it will apply to data collected from January 1, 2022 onward).
The CPRA is a “second act” of sorts for Alistair MacTaggart, the independently wealthy privacy advocate who championed the CCPA but felt that it was compromised on certain key points. The CPRA makes a number of changes that are meant to benefit state residents, but not all of its changes were embraced by privacy and civil rights advocates.
What the CPRA means for California residents
Though CPRA is not without its controversial elements, it does provide several concrete changes to the CCPA that bring California law closer to parity with the EU’s General Data Protection Regulation (GDPR), widely considered to be the world’s premier privacy rights bill.
For example, CPRA will expand consumer control over the use of personal information classed in categories considered to be sensitive: biometrics, health information, race, location data, religion and sexual orientation. Data subjects will be able to opt out of the sharing and sale of any or all of these categories. The “do not sell” terms have also been tightened to explicitly forbid types of sharing between companies that served as a loophole in the CCPA terms.
CPRA also strengthens the penalties for collection and use of the personal information of minors under the age of 16, something that has been an issue for a number of major tech companies headquartered in the state in recent years. Fines for violations of the privacy rights of this age group are tripled under the new rules.
Privacy rights will now be enforced by a new Privacy Protection Agency. CCPA enforcement has been an issue thus far because it falls to the state attorney general’s office, which must divide its resources among the many other legal matters it is obligated to handle.
Finally, the CPRA makes digital privacy rights more fixed and immutable; any future amendment that would weaken the law must obtain a 2/3 majority vote in both houses of the state legislature. By contrast, an amendment that strengthens the CPRA is allowed to pass with only a simple majority.
Does CPRA really improve overall privacy rights?
While CPRA adds some substantial consumer protections, there is some question about its overall value when the full balance is calculated. This is perhaps best summed up by the Electronic Frontier Foundation’s (EFF) position on the bill, with the digital civil liberties group deciding to officially make no recommendation and calling it a “mixed bag” for consumers. Other surprising opponents, such as the American Civil Liberties Union (ACLU) of California, opted to recommend against it.
The central argument against the CPRA is that it allows companies to charge consumers a premium for certain privacy protections. The main concern is that it allows companies to require consumers to join “loyalty clubs” (and similar schemes) to get the best possible pricing on an item, with these arrangements given a great deal of leeway to collect and sell granular personal data. The consumer would not be able to opt out of this data collection without also losing the club benefits.
The CPRA also does not mandate “opt-in” arrangements that protect user privacy by default. Data subjects must still proactively opt out to be covered by the bill’s full range of protections. And it takes small steps backward in at least two areas. Organizations have increased power to refuse data deletion requests in the name of “security and integrity” concerns, and biometric identification data is no longer protected if the organization is not using it for identification and does not have future plans to do so.
This debate over the CPRA’s relative merits may spill over to the national level before long, given that these privacy rights laws are seen as something of a prototype for a federal model. Discussion of a national-level digital privacy rights bill had been gaining steam before being unexpectedly derailed by the coronavirus pandemic earlier in the year. Developments during the pandemic have increased the pressure to resume this conversation going into the new presidential administration in 2021, primarily the ending of “trusted partner” status for data transfers with the EU and the drastic increase in attacks due to the mass shift to remote work. Some companies, such as Microsoft, have already voluntarily extended CCPA protections to all consumers nationwide.
Organizational compliance programs will not need to start over from the beginning, but will need to be expanded to encompass CPRA. One significant change from the CCPA from this perspective is that the threshold for being subject to these requirements has been raised to the annual collection of personal data from 100,000 consumers or households (from 50,000 under the current rules). But Heather Federman, VP of Privacy and Policy at BigID, points out that being on top of a current CCPA program will be key to smoothly transitioning to a CPRA program: “CPRA will create the first agency in the US dedicated solely to privacy, similar to how EU member states have their own Data Protection Authorities, which could definitely up the ante for enterprises who had previously buried their head in the sand. The amendment also helps to clarify some of the discrepancies and clarifications from CCPA and puts in some interesting operationalization requirements for companies, like retention limits, minimization, audits & risk assessments for high risk processing, and more. That said, one of the main practical challenges for enterprises moving forward will be ensuring they know their consumer’s data, especially when it comes to their “sensitive personal information” (a newly defined CPRA term). Traditional approaches to data discovery like surveys and manual inventories are not great at consistently identifying all of the data that’s in an organization’s scope. For companies that have been taking a half-baked approach to CCPA compliance, this could make CPRA compliance tricky.”