Tackling yet another set of mandates can induce a feeling of dread. It’s just more bad news, right?
We already have an alphabet soup of regulations specifically around privacy: the mighty GDPR (General Data Protection Regulation) in Europe; industry-specific guidelines like HIPAA (Health Insurance Portability and Accountability Act) in healthcare; and the more recent rise of state-centric legislation like CCPA (California Consumer Privacy Act) in California. Other states have or are preparing to launch their own flavors, and at some point we’ll likely get a national superseding directive that adds to the confusion before achieving clarity, if ever. And in this environment, with all the pressures businesses and consumers already face, do we really need more draconian legislation that goes even further?
Doesn’t matter—it’s coming anyway. It’s been signed, it’s the law, and it must be followed. Denial is a bad business practice.
It’s called CPRA, for the California Privacy Rights Act, and it goes where CCPA didn’t go—in fact, it’s fair to think of it as CCPA-plus. It helps to remember that, thanks in part to the global effect of GDPR, CCPA received significant coverage prior to its launch on Jan. 1, 2020. By contrast, the new legislation—previously labeled Prop 24 and passed during a contentious presidential election—has received very little attention. The fact that it doesn’t go into effect until Jan. 1, 2023, and will continue to evolve in the next few months, has also pushed it to the back burner.
That’s understandable, but not justifiable. Comprehensive mandates like this require extensive preparation—those with processes in place before it arrives will manage it best, and perhaps even derive benefits from it. The goal here is not to offer a deep dive, but instead to offer a sampling of what’s different, explain why that matters, and identify ways to ensure compliance.
So what’s new?
Let’s understand that CPRA doesn’t replace CCPA; it magnifies and absorbs it, even in terms of defining what constitutes business activities. By the time 2023 arrives, what businesses currently understand to be CCPA will be replaced by CPRA in particular categories—for example, entities that get at least half their revenue from selling or sharing information, had gross revenue in excess of $25 million the previous calendar year, and so on. It gets even more complicated after that, and staying on the right side of the law will require a high level of financial analysis and transparency.
On a related note, consider the foundation for all such directives: consumer rights and protections. CPRA goes big here, more than ever before, with a series of new ordinances. These include:
Opting out of the sale or sharing of personal information: The sharing part is particularly important—CPRA describes this as making personal information available to third parties for specific targeted marketing, even without monetary considerations.
Opting out of automated decision-making: CPRA doesn’t go too deep on technology, but it does call on the Attorney General to create relevant rules and guidelines. Remember, despite being officially passed, CPRA is still a work in progress, and this is one area where we might see new complications emerge. For example, watch for regulations related to automated profiling and how technologies are used to process consumer requests. This is particularly relevant because of all the benefits associated with advances in Artificial Intelligence and Machine Learning; with potential restrictions in place, there might be some regulatory speed bumps along the way.
Being sensitive: There’s personal information, and then there’s sensitive personal information. CPRA makes this distinction based on racial origin, sexual orientation, religion, health, location and more. California consumers will have greater control over how such information is used, and businesses in turn are required to offer that control through homepage links and access buttons. There are even suggestions—more clarity may be needed here—on a comprehensive ‘preference signal.’
Data delete: Consumers can ask a business to delete information collected from them (with certain exceptions). Thanks to CPRA, the business must also notify its own suppliers and other third parties (again with exceptions) of such requests.
While those directives and others like them apply to all consumers, CPRA, like CCPA before it, goes further to protect personal information on minors and children. The new mandate prevents a business from selling or sharing—again, for specific kinds of targeted marketing—the personal information of any consumer under 16 unless that consumer or the parent (under particular conditions) has affirmatively authorized it. To be clear, the business must have ‘actual knowledge’ of the child’s age, but the law does not clearly define what it means for a business to ‘willfully disregard’ that age. Of course, all businesses must still comply with the Children’s Online Privacy Protection Act, which is a federal statute.
The issue of what businesses need to do to protect the information they have has always been fertile ground for debate, and the new legislation does not shy away from it. CCPA allowed individuals to initiate private legal action against organizations that failed to implement reasonable security protocols (otherwise known as a private right of action), but it didn’t set a security standard that businesses had to meet. CPRA, however, lays out an explicit and affirmative requirement for reasonable security procedures and practices, at least for businesses in certain categories, and ups the stakes for third parties in this regard as well. In fact, CPRA-covered entities are now mandated to receive contracted assurances that certain third parties will offer the same level of protection.
However, CPRA still doesn’t go so far as to define the standard for reasonable security. There are many reasons for this: measuring the costs of particular standards is mathematically impossible; different industries have different requirements; some sectors lack a clear standard for personal information, and so on.
The dynamic nature of the technology industry is also an issue—yesterday’s foundational platform is often tomorrow’s legacy. The methods and tools used to gather, collate, store, protect and analyze information change regularly, and any legislation tied to specific tech-enabled capabilities might become obsolete before it’s even enacted. However, the fact that there are always new advances coming through the pipeline is reason to raise the privacy standard, not lower it.
Innovation works both ways: for those trying to steal information, and those seeking to protect it. Consumers are tech-savvy too—in addition to the legal requirements, they have justifiable expectations that organizations have a duty to protect the confidential information used to fuel business initiatives.
In addition to the restrictions, guidelines and requirements, the new legislation calls for the formation of the California Privacy Protection Agency, a body specifically created to implement all the components of CCPA/CPRA. It is duly funded and overseen by a board of experts in privacy and technology. That board will in turn appoint multiple officials, from an executive director and legal counsel on down, to administer and enforce the laws, as well as promote public awareness, offer guidance to consumers, monitor technology and market trends, etc. If there were any doubt about the potential strength of the law, the penalties the Agency can impose for non-compliance will surely put it to rest.
Again, this is just a sampling—the actual legislation is granular and sweeping, going far beyond its predecessor. But at least it’s still a couple of years away, right?
Not exactly—the timeline is tighter than it appears at first glance. CPRA features a two-year ramp-up to help businesses adjust their practices, and does extend the CCPA personnel/employee and B2B exceptions. However, the California Attorney General has already transferred authority to the Agency to adopt CPRA regulations. The final regulations will be adopted by July 1, 2022, and the full law will go into effect on Jan. 1, 2023.
But here’s another wrinkle: A look-back provision means that the personal information businesses collected as of Jan. 1, 2022, will become subject to CPRA. How far away is that date?
Neglected so far or otherwise, CPRA marks a major milestone in the modern-day privacy movement. CCPA was already the most comprehensive privacy-centric legislation in the country, and CPRA goes even further, inching even closer to the scope of GDPR. The mandates are there, the architecture to monitor and enforce it is there, and the penalties for non-compliance loom large. As such, it will likely serve as a template for other states seeking to legally strengthen privacy protection.
So what should companies do between now and then?
Start with the basics: Find out what data resides in-house, including all employee cloud accounts. One serious drawback of the digital era is that data exists everywhere—from corporate servers to employee flash drives—and therefore PII (Personally Identifiable Information) can exist anywhere. Most companies don’t actively manage the vast majority of their digital data, because it’s physically impossible; business users receive up to 200 MB of data a day but don’t read it, because it’s biologically impossible.
It’s currently estimated that up to 80% of all organizational data resides on employee-controlled and managed devices and removable media—unread and unmonitored, yet still subject to privacy and other compliance mandates. It gets even more complex when there’s data sharing downstream with partners and other third parties. This becomes a perilous vulnerability when a business needs to separate and secure the new category of sensitive personal information.
It may be wise to create a comprehensive data lifecycle—knowing where data originates, who controls it, where it’s stored, how it’s used, and when it can/should be deleted. This is admittedly a steep hill to climb due to the long-standing corporate culture of leaving non-records management to individual employees, but be warned: CPRA doesn’t leave much room for interpretation, and attorneys are waiting to pounce on perceived discrepancies.
Next, identify areas of responsibility to ensure compliance. Data belongs to the company, not individual employees, and oversight crosses multiple disciplines. In the data privacy world, professionals in compliance, security, legal, technology, operations, marketing and more must play together in the sandbox, with board-level and management guidance, data audits and policy enforcement.
Finally, there’s advanced technology to address external threats and internal misuse. Once companies have comprehensively identified and categorized all data in house—particularly all PII, including how it’s used—they can begin to consolidate it and ensure central protection, so that it can be searched and acted on. Some current technology offerings lack industry-specific compliance capabilities. The ideal solution is a centralized information management and archiving solution that captures all corporate data, no matter where it’s generated, and responsibly manages it for all regulatory, legal and business intelligence obligations.
Privacy-related mandates will only grow as a management and business priority. Centralizing data management and archiving is the most reliable strategy to ensure that compliance is ongoing, effortless and comprehensive.