What You Need to Know About the CPRA, California's Data Privacy Law

You may have spent the past two years learning the California Consumer Privacy Act (CCPA) and, if you have customers overseas, the EU’s General Data Protection Regulation (GDPR). Updating your internal processes was tough, and just when you were getting the hang of it, California turned around and passed another data privacy law. The California Privacy Rights Act (CPRA), passed in November 2020, expands the CCPA that you know and love so well (or maybe not so much). And like the CCPA, the CPRA has a long reach, impacting organizations far beyond California’s borders.

Right now, businesses must continue complying with the CCPA, but plenty of changes must be made by January 1, 2023. Consumers have several new rights relevant to data subject access requests (DSARs), and enforcement is maturing.

A New Definition for Businesses

You’ll need to review several updated definitions, including what constitutes a business regulated by the law. For its definition of a business, the CPRA increases the threshold number of consumers or households from 50,000 to 100,000. Businesses now include those that generate most of their revenue from sharing personal information (PI)—not only selling it.

The updated definition will pull in new businesses and free some small-to-midsize companies.

The CPRA’s Data Minimization Requirements

The CPRA looks like the GDPR in a few ways, particularly concerning the data you’re allowed to store and use. It formalizes data minimization.

Covered organizations should officially only collect, use, retain, and share PI reasonably necessary and proportionate to your disclosed purposes. You have to tell consumers your retention periods for your PI categories, and those periods should be reasonably required, too.

Speaking of your intentions for the data, you can’t collect or use PI for a new reason incompatible with your previously disclosed purposes without first telling consumers.

Your company may already strive to minimize data collection and retention because of GDPR. Or simply because storing redundant, outdated, and trivial (ROT) data is costly and presents a cybersecurity risk. But if you haven’t focused on this issue in recent years, now’s the time to start. Authorities could hold you liable for failing to minimize data even if non-compliance doesn’t lead to additional violations.

There’s a bright side to most things. Data minimization is initially a burden, but it helps in the long run by limiting the data you must comb through after receiving verified DSARs. However, with the right tools in place, sorting and altering data shouldn’t be painful, no matter how much of it there is.

How the CPRA Expands Protections for Sensitive PI

Under the CPRA, your company has to consider Sensitive PI. This shouldn’t cause too much anxiety because it isn’t technically a new data category. CCPA protected Sensitive PI all along. The critical distinction is that the CPRA creates new disclosure and consent requirements for Sensitive PI versus other PI types.

Sensitive PI includes:

• Government identifiers
• Financial account and login information
• Precise geolocation
• Race
• Ethnicity
• Religious or philosophical beliefs
• Union membership
• Content of nonpublic communications
• Genetic data
• Biometric or health information
• Sex life or sexual orientation information

To better protect Sensitive PI, you’ll have to update disclosure requirements, purpose limitation requirements, opt-out requirements for use and disclosure, and opt-in consent standards for use and disclosure.

New Consumer Rights Established Under the CPRA

What’s good news for consumers’ data privacy might be hard for you to hear. There are several new and modified rights, and your business may need to adjust its internal processes within the next two years to avoid violations. These are bound to impact your disclosures and DSAR response process.

Here’s a quick overview of the new consumer rights:

• Right to Restrict the Use of Sensitive PI
• Right to Rectify (Correct) PI
• Right to Access Information About Automated Decision Making
• Right to Opt-Out of Automated Decision-Making Technology

Upgraded Rights

Some of the privacy rights you already know are changing:

• Right to Know: The PI relevant to a consumer’s Right to Know now includes PI collected beyond the previous 12 months if your company gathered it after January 1, 2022.
• Right to Delete: You’ll have to notify third parties to delete the PI they bought or received (there are some exceptions).
• Right to Data Portability: Consumers can ask you to transmit specific PI to another entity to the extent that it’s feasible.
• Right to Opt Out: Consumers can opt out of you selling and sharing PI for cross-context behavioral advertising (versus non-personalized advertising) whether or not there’s an exchange of money or other value.
• Opt-In Rights for Minors: The opt-in right now includes sharing PI for behavioral advertising.

How the CPRA Will Be Enforced

The CPRA takes a page out of the GDPR playbook and creates an enforcement body. The California Privacy Protection Agency (CPPA) will investigate and enforce the rules—and have rule making powers to keep data privacy rights up to date in the years to come.

What’s most important is the loss of the 30-day cure period. Right now, if the Office of the Attorney General notifies you of an alleged violation, you have time to fix it. That grace period won’t be available under the CPRA, which makes proactive compliance that much more important.

Building On Your Current Best Practices

By now, your business has implemented processes for validating and responding to DSARs. Unless you’re a business newly regulated by the CPRA, you aren’t starting from scratch.

But in evaluating the changes you need to make over the next two years, you might find your processes aren’t as efficient as you’d like. Your manual review process or third-party vendor might be time-consuming and costly. At this point, it’s more than an inconvenience. It’s a legal risk. A difficult process is more likely to break down and lead to a violation.

Reviewing data in response to a valid DSAR doesn’t have to be a thankless task. There are pain-relieving technologies that were perfected for a similar process—discovery during litigation.

With the right tool, finding the relevant data and acting on it can take minutes instead of weeks or months. Equally important to efficiency, your DSAR process can gain security, consistency, and defensibility—not to mention the abiding appreciation of your coworkers.