A bill to update California’s landmark data privacy law has only been in effect since Jan. 1, but it is already noteworthy among businesses for the robust protections it offers residents, a slew of new requirements for companies, and a certain amount of ambiguity.

The California Privacy Rights Act (CPRA), which passed as a ballot measure in 2020, expanded on the protections offered by the California Consumer Privacy Act (CCPA), the nation’s first comprehensive state data privacy law. The CPRA established the California Privacy Protection Agency (CPPA) to implement and enforce the law, a change from keeping CCPA oversight with the state attorney general.

Four other states—Colorado, Connecticut, Utah, and Virginia—have approved privacy laws taking effect this year, though none are considered as comprehensive as the California legislation.

“California has led the way in setting the tone for state privacy laws,” said Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals.

More laws are sure to follow, given the absence of federal action on the issue and consumers’ appetite for greater privacy protections. For companies having to confront data privacy compliance for the first time, the work ahead might be daunting. Some, however, prefer to view it as an opportunity.

“The CCPA is requiring businesses to learn more about themselves—to know what personal data is collected, where it is stored, and the quickest way to access it in order to honor requests,” said Myriah Jaworski, member at law firm Clark Hill. “If you do it right, you can streamline your operations and maybe operate in new ways that offer a competitive advantage.”

Even though the CPRA took effect at the start of the new year, the rules to implement its updates to the CCPA are still in the draft phase. Proposed regulations were advanced by the CPPA on Feb. 3, but the agency has not yet indicated when the rules will be finalized.

“We recommend going forward,” said Jenny Holmes, deputy leader of the cybersecurity and privacy team at law firm Nixon Peabody. Now is a “great time to proceed full steam ahead, with the hope or understanding there may be some need to include some tweaks when those rules come out,” she said.

Businesses looking to avoid standing in place might consider what is already known about the CCPA and its amendments to come, including the following:

Enforcement: The CPPA will assume enforcement authority of the CCPA beginning July 1.

To this point, the attorney general’s office has made clear, in statements and through its actions, it has closely watched for violations of opt-out request requirements.

Since the CCPA took effect in 2020, the attorney general has mounted a series of high-profile public sweeps of companies suspected of not complying with the law. A sweep of online retailers resulted in the state’s only significant action thus far under the CCPA: a $1.2 million settlement with cosmetics giant Sephora in August.


Sephora ignored customer opt-out requests and continued to sell their data, California AG Rob Bonta alleged. It had 30 days to correct its violations but failed to meet the deadline.

“There are no more excuses,” Bonta said at the time of the enforcement action. “Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

Under the CPRA, there will be no 30-day grace period regarding apparent violations.

In January, Bonta’s office notified an unspecified number of businesses with mobile apps in the retail, travel, and food service industries that they were allegedly failing to comply with the CCPA’s opt-out request requirements.

Data breach lawsuits: One of the more notable updates under the CPRA is an expanded “private right of action,” under which a California customer or employee can sue a company following a data breach.

Among businesses, “There is concern about a tidal wave of filings, but we haven’t seen that because it’s limited to data breaches,” Jaworski said.

The CCPA already allowed a private right of action; the CPRA will add email addresses in combination with security questions to the list of data types actionable under the law in the event of a breach.

Employees: The CPRA significantly expands the reach of the CCPA by applying the law to employees and remote workers who are residents of California.

“That’s a big deal,” said Kristen Mathews, a partner in law firm Morrison Foerster’s global privacy and data security group. “Now you need a privacy notice disseminated to all California employees and job candidates, and you need to extend to them a bunch of rights they haven’t had before.”

Whereas the consumer aspects of the law kick in only if the company handles the personal information of at least 100,000 California residents annually, the employee privacy rights must be honored for any California-based employees of companies with gross revenues of $25 million.

“There’s a lot of preparation involved to be ready so if you receive requests you’ll be able to comply with the law,” Mathews said.

Sharing of data: Under the CCPA, businesses must honor consumer and employee requests that their personal information not be shared and/or sold.

It’s imperative to have a contract with service providers about their use of personal data. Without a contract, California considers sharing of information a sale, Holmes said.

But five years in, it’s still not clear to businesses how “sale” is defined, Zweifel-Keegan said.

“The challenge is that the definition of sale, especially in the update, is very broad and includes most types of data sharing—not just selling for money but trading for a service that the other company is providing for you,” he added. “There is a lot of ambiguity in the opt-out portion of the law. That’s a bad word for compliance professionals.”

Sensitive information: Also new under the CPRA is that consumers and employees have special rights when it comes to the collection of data considered sensitive, such as Social Security numbers, credit card numbers, and information concerning a person’s health, union membership, or sexual orientation.

“If your organization is collecting these more sensitive types of data, you need to start today and get a compliance plan in place,” Jaworski said.