The California Privacy Rights and Enforcement Act of 2020 (CPREA), the ballot initiative commonly referred to as the CPRA, passed yesterday and will significantly affect organizations doing business in the Golden State. Compliance will require more than updated privacy policies: it will also require new internal and organizational controls.
If your organization is already CCPA compliant, you are in a relatively favorable position, but you will still need to update policies, introduce or modify internal compliance and organizational controls, and undertake a fresh analysis of current procedures. To get started, here are some key takeaways from the CPREA:
- Delayed Impact: Most of the law's provisions take effect in January 2023, so you have some time to prepare. It does, however, create a California Privacy Protection Agency with much greater resources to scrutinize companies' current practices. In other words, you have some time, but you will likely need all of it to be ready for the new regime, and you should expect more active enforcement.
- New Obligations: The initiative creates additional obligations beyond the CCPA:
  - Consumers gain the right to limit the use and disclosure of "sensitive personal information" (such as financial, health, or "precise" geolocation data, meaning location within a radius of 1,850 feet, roughly a third of a mile) to what is necessary to provide the requested goods or services, and businesses must offer a clear mechanism for exercising that right
  - The notice an organization provides at or before the point of collection must state the specific purposes for which the information is collected and used
  - Businesses may retain information only as long as reasonably necessary for the disclosed purposes and must adopt data minimization measures so that collection, use and retention remain closely tied to the original purpose(s) and are "reasonably necessary and proportionate"
  - Businesses must also make "reasonable efforts" not to collect, retain or share inaccurate information
  - Businesses must give consumers express notice of whether their data will be used for profiling (automated analysis used to evaluate or predict personal aspects of a consumer).
- Cleaning up Some Messes: The CCPA was drafted in what many consider a rushed manner and has some ugly gaps that leave companies guessing about how to comply. The CPREA clarifies some CCPA concepts, which should help companies deciding how best to comply with California law. It also introduces more classifications to keep track of:
  - Covered entities are now "businesses," "service providers," and "contractors." Any entity that does not fall into one of those buckets is deemed a "third party"
  - Service providers and contractors have an affirmative obligation to notify the business when they engage sub-processors or sub-contractors
  - A "sale" of data can occur only if the disclosure is to a third party. For automotive clients, there is an express exemption for dealer/OEM sharing of vehicle data for repairs or warranty items
  - "Personal information" will no longer include information that is widely available to the public or that the consumer in question has made public
  - Consent will require an affirmative act (this comes into play in the sections addressing children's data, research, and financial incentives).