2023 compliance readiness starts now. The US State of California’s Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA), was passed by voters in the November 2020 election.1 The CPRA provides additional rights to consumers and places additional obligations on enterprises. It also introduces a new data category: sensitive personal information. The CPRA provides additional protections for sensitive personal information and expands the California Consumer Privacy Act’s (CCPA’s) opt-out rights to include new types of information sharing. The CPRA requires enterprises to provide additional mechanisms for individuals to access, correct or delete data, with a particular focus on information used by automated decision-making systems.
The CPRA amends and expands certain provisions of the CCPA and is commonly referred to as CCPA v2. The CPRA is set to take effect on 1 January 2023, but it will apply to data collected from 1 January 2022 (referred to as the look-back period).
The CPRA will result in:
- A new set of rights for consumers
- A new category of data
- A new enforcement agency
Enterprises must be prepared for new consumer rights and the new sensitive personal information category of data.
New Rights for Consumers
The CPRA adds several specific new rights for consumers, including:
- Restrictions on the use of sensitive personal information
- Right to correct inaccurate personal information
- Right to prevent enterprises from storing data longer than necessary
- Right to limit enterprises from collecting more data than necessary
- Right to know what personal information is sold or shared and to whom and to opt out of that sale or sharing of personal information
- Expansion of the non-discrimination provision to prevent retaliation against an employee, applicant for employment or independent contractor for exercising their privacy rights
New Category of Data Established
Similar to the sensitive data category in the EU General Data Protection Regulation (GDPR), the CPRA creates a new category of data: sensitive personal information. With the CPRA, the broadest definition of personal information in the United States now includes an entirely new class of personal information, such as:
- Social Security number, driver’s license information, US state identification card information and passport number
- Account login information, financial account number, and debit and credit card numbers in combination with any required security or access code, password or credentials allowing access to an account
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, and union membership
- Contents of a consumer’s mail, e-mail and text messages, unless the enterprise is the intended recipient of the communication
- Genetic data
- Biometric information for the purpose of uniquely identifying a consumer
- Personal information collected and analyzed concerning a consumer’s health
- Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation
New Enforcement Agency
The CPRA will create the California Privacy Protection Agency (CPPA), which will be dedicated to enforcing the new privacy law. The agency will have the power to fine enterprises US$2,500 for each violation of the CPRA or US$7,500 for what it deems are “intentional violations” or those that involve minors. The CPRA triples penalties for violations regarding minors under the age of 16 and removes the 30-day cure period that enterprises can currently utilize under the CCPA. The law further allocates US$10 million per year to the new state agency to investigate and enforce against violations of consumer privacy laws.
Conclusion
The requirements to comply with the CPRA are not insignificant and other US states are expected to introduce mandates similar to CPRA, just as they did with CCPA.
Forward-thinking organizations will start to analyze the CPRA requirements and initiate a readiness assessment to evaluate policy and capability gaps. Once the gaps are identified, organizations can prioritize remediation action to ensure complete compliance with the CPRA requirements. Remediation actions typically have an organizational impact and will take coordinated initiatives to implement.
Data are the new oil and the CPRA mandate clearly prioritizes the value of consumer data. Organizations must take heed and make the appropriate adjustments. 2023 starts now.
Endnotes
1 Jones Day, “California Voters Adopt the California Privacy Rights Act,” November 2020
Uday Ali Pabrai, CCSFP, CISSP, CMMC RP, HITRUST, Security+, is the chief executive of ecfirst, an Inc. 500 business. He started his career with the US Department of Energy’s nuclear research facility, Fermi National Accelerator Laboratory, in Chicago, Illinois, USA. He has served as vice chairman and in several senior officer positions with NASDAQ-based firms. Pabrai is also a member of InfraGard, a partnership between the US Federal Bureau of Investigation (FBI) and members of the private sector. He can be reached at Pabrai@ecfirst.com.