California voters approved a ballot measure on Tuesday that will add new layers of responsibility for businesses attempting to comply with the state’s first-in-the-nation data privacy law, the California Consumer Privacy Act (CCPA).
By a tally of 56 percent in favor to 44 percent opposed, California voters approved Proposition 24, according to figures posted by the California Secretary of State. The measure enacts a new law, the California Privacy Rights Act (CPRA).
The CPRA will prohibit companies from sharing sensitive information about customers’ health, finances, race, ethnicity, and precise location; triple fines for violations related to children’s data; and put new limits on how companies can collect, share, and sell customers’ personal data. The law will also close a loophole regarding the “sale” of data; all data that is shared or sold will be covered by the CPRA. On several of these fronts, data privacy experts say the CPRA lines up better with the GDPR than the CCPA does now.
The CPRA will eventually replace the CCPA in January 2023. Until then, the CCPA will continue to be in force.
What will change soon, as early as the second quarter of 2021, is the agency tasked to enforce the CCPA. Prop 24 takes regulation and enforcement of the CCPA away from the California Attorney General and places those functions in the hands of a new independent entity, the California Privacy Protection Agency.
California’s fiscal year 2021 state budget contains about $10 million per year to fund the new agency, which will allow it to hire between 46 and 50 employees. Its only mission will be rulemaking and enforcement of the CCPA and, eventually, the CPRA. The earliest the agency could tap the funding is July 1, 2021.
“Think about that for a minute. This agency’s sole purpose in life will be to protect Californians’ privacy,” said Dan Clarke, president of IntraEdge, an Arizona-based software firm that helps companies comply with data privacy regulations like the CCPA and the EU’s General Data Protection Regulation (GDPR). “I expect they will be aggressive.”
Californians for Consumer Privacy, the proponents of Prop 24, said in a press release issued Wednesday that the new law “will give Californians the strongest online privacy rights in the world, including protecting sensitive personal information, tripling fines against companies that violate kids’ data, establishing an enforcement arm for consumers, and making it harder to weaken privacy laws in the future.”
In the same press release, Prop 24 sponsor and real estate developer Alastair Mactaggart called the vote “historic” and said its passage “will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data.”
Former Democratic presidential nominee and chairman of the group’s board of advisors Andrew Yang predicted the “new era privacy rights” established by Prop 24 “will sweep the country.”
Opponents of Prop 24 criticized the new agency as “toothless” and said the privacy law “will cost California consumers and small businesses billions,” according to the opposition group’s Website.
But Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals, predicted the new agency would “blaze a path for privacy enforcement alongside the Federal Trade Commission at the federal level. Importantly, it will catalyze the emergence of additional privacy legislation, first in states such as Washington, New York, and Texas, and eventually in U.S. Congress.”
The Attorney General’s office began enforcing the CCPA on July 1 but has yet to bring a CCPA-related action against any company. The AG’s office has sent notices to companies believed to be out of compliance with the CCPA and has given those companies time to rectify the deficiencies before taking legal action.
How the CPRA builds upon the CCPA
The CCPA requires businesses to notify California consumers about the personal information they collect. The law gives consumers the right to delete their data from a company’s database and the right to opt out from having a business collect their personal information.
The CPRA ladles additional responsibilities onto businesses for how they should handle such private data, like prohibiting companies from sharing sensitive information about customers’ health, finances, race, ethnicity, and precise location; tripling fines for violations related to children’s data; and putting new limits on how companies can collect, share, and sell customers’ personal data. On several of these fronts, data privacy experts say the CPRA lines up better with the GDPR than the CCPA does now.
Stephen Cavey, co-founder of Ground Labs, a vendor that develops data management and regulatory compliance technology, says the AG’s office has done a lackluster job of explaining to companies what they should do to comply with the CCPA, and he is glad the responsibility for enforcing—and explaining—the law is being handed off to another agency.
“They haven’t really briefed California businesses on what they need to do,” Cavey said of the AG’s office. Other than four public briefings and two videos on its Website, the AG’s office has done little to explain the law to businesses, he said.
“It’s not the way you should roll out the United States’ best privacy legislation,” he said. “They could have done so much better.”
Into the information void have stepped vendors selling products and law firms selling advice, Cavey said.
As it stands, the AG’s office is assuming everyone complies until they are hacked and they lose customers’ personal data, Cavey said. The government response would then be to fine the company, and harmed consumers could file class-action lawsuits, which is allowed under the CCPA.
“There’s really no winners in that scenario,” Cavey said. “Rather, this should be about promoting good privacy practices, not about fining a business and making a press release about it.”
Cavey says there are steps even the smallest of businesses can take to shore up their defenses against being hacked, losing sensitive customer data, and potentially being fined under the CCPA.
He recommends companies turn on the built-in security features on their phones and online platforms. The simplest feature is two-factor authentication, which requires users to log in with a password and then verify their identity in a second way, say with a fingerprint, biometric scan, one-time code, or other means.
Then, install a password manager app on your phone; many are free. The password manager keeps your passwords organized, so you can use a different, strong password for every account instead of reusing one.
Finally, get to know your firm’s data. This doesn’t necessarily involve hiring a consultant. What it means is understanding the nature of the personal data your business is collecting, where and how that data is stored, and why it’s collected. Is there any children’s data in there? Can you delete it without compromising other business functions? Do you really need to collect dates of birth and mother’s maiden name from your customers, or are there other ways to authenticate them without collecting, storing, and potentially losing this personal information?
Answering these questions will get your business on the path to complying with the CCPA, and eventually, the CPRA.
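The third step above, knowing your firm’s data, is the one that can be partly automated. What follows is an added example, not code from the article or from any vendor quoted in it: a small Python data map that walks a constructed schema, tags each field with the sensitivity categories the article names (health, finances, race and ethnicity, precise location), flags fields that double as knowledge-based authenticators (date of birth, mother’s maiden name) or that have no documented purpose, and counts records belonging to people under an age cutoff. The keyword lists, the store and purpose fields, the sample rows and the age cutoff are all assumptions for the example, not the statutory definitions.

```python
"""Personal-data inventory ("know your data") over a constructed sample schema.

Builds a data map: for each stored field, which sensitivity category it falls in,
where it is stored, whether its purpose is documented, and whether the stored
records include children's data. Category keyword lists and the age cutoff are
assumptions for this example, not the CCPA's or CPRA's statutory definitions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Assumed mapping of column names to the sensitive categories named in the article.
SENSITIVE_CATEGORIES: Dict[str, Set[str]] = {
    "health": {"diagnosis", "prescription"},
    "finances": {"bank_account", "credit_card"},
    "race_ethnicity": {"race", "ethnicity"},
    "precise_location": {"gps_lat", "gps_lon"},
}
# Fields often collected "to authenticate" customers that are also breach-sensitive.
AUTH_SECRET_FIELDS = {"date_of_birth", "mothers_maiden_name"}


@dataclass
class FieldRecord:
    name: str       # column name
    store: str      # where it lives, e.g. "crm.customers" (assumed naming)
    purpose: str    # why it is collected; empty means nobody could say


@dataclass
class Finding:
    field: str
    store: str
    categories: List[str]
    issues: List[str]


def classify_field(f: FieldRecord) -> Finding:
    """Map one field to sensitivity categories and flag inventory gaps."""
    categories = sorted(c for c, names in SENSITIVE_CATEGORIES.items() if f.name in names)
    issues = []
    if f.name in AUTH_SECRET_FIELDS:
        issues.append("knowledge-based authenticator stored; consider an alternative")
    if not f.purpose.strip():
        issues.append("no documented purpose")
    return Finding(f.name, f.store, categories, issues)


def build_data_map(schema: List[FieldRecord]) -> List[Finding]:
    """Inventory every field, returning only those that need attention."""
    return [fd for fd in map(classify_field, schema) if fd.categories or fd.issues]


def count_minors(rows: List[dict], today: date, cutoff_age: int) -> int:
    """Count rows whose date_of_birth makes the person younger than cutoff_age.
    cutoff_age is a parameter on purpose: the example does not assert which
    age the law uses; rows without a date of birth are skipped."""
    n = 0
    for row in rows:
        dob = row.get("date_of_birth")
        if dob is None:
            continue
        # Subtract one if this year's birthday has not happened yet.
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        if age < cutoff_age:
            n += 1
    return n


# Constructed sample schema and rows (not real customer data).
SAMPLE_SCHEMA = [
    FieldRecord("email", "crm.customers", "order confirmations"),
    FieldRecord("date_of_birth", "crm.customers", "account recovery question"),
    FieldRecord("mothers_maiden_name", "crm.customers", ""),
    FieldRecord("gps_lat", "analytics.events", ""),
    FieldRecord("gps_lon", "analytics.events", ""),
    FieldRecord("credit_card", "billing.cards", "recurring payments"),
]
SAMPLE_ROWS = [
    {"email": "a@example.com", "date_of_birth": date(1985, 6, 1)},
    {"email": "b@example.com", "date_of_birth": date(2010, 11, 20)},
    {"email": "c@example.com", "date_of_birth": None},
]

if __name__ == "__main__":
    for finding in build_data_map(SAMPLE_SCHEMA):
        print(f"{finding.store}.{finding.field}: "
              f"categories={finding.categories} issues={finding.issues}")
    print("possible minors:", count_minors(SAMPLE_ROWS, date(2020, 11, 5), 16))
```

Run against the constructed schema, the map drops the plain email column and surfaces the five fields worth a conversation: the two location columns and the maiden-name column have no documented purpose, the date of birth and maiden name are stored only to answer recovery questions, and the card number is financial data. Those are exactly the questions in the article: why is it collected, can it be deleted, and is there another way to authenticate customers without keeping it.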