The potential of more consumer protection
New privacy legislation is coming to life in California through the California Privacy Rights Act (CPRA). The initiative, which would further raise the bar for other states, achieved 900,000 signatures, substantially more than the 675,000 signatures required to secure a place on California voters’ November 2020 ballots. Following the signature verification process, California Secretary of State Alex Padilla certified the measure to appear in November.
The CPRA is intended to amend the language of the California Consumer Privacy Act (CCPA), impose additional requirements on organizations and create a new California Privacy Protection Agency to act as the regulator of privacy violations. If passed, the new law would go into effect on Jan. 1, 2023; however, several provisions would go into effect as soon as Jan. 1, 2021, including the establishment of the California Privacy Protection Agency.
While most businesses impacted by the CCPA have already taken significant steps toward designing a privacy compliance program, the CPRA will bring additional requirements, some of which will take substantial effort to implement or result in an increased level of risk. As your organization begins to contemplate CPRA compliance, consider these key steps.
- Ensure data retention practices are in place.
The CPRA requires that businesses do not retain personal information, including sensitive personal information, for longer than is reasonably necessary for its disclosed purpose. Additionally, the CPRA will require businesses to provide notice to consumers of the length of time the business intends to retain each category of personal information, and the criteria to determine the period of time.
As we have seen in Europe with the General Data Protection Regulation, implementing data retention programs requires a significant level of effort and coordination across an enterprise. Developing retention policies that consider all types of data, and the many regulatory, legal and business purposes for retaining such data, may be daunting. Differences in both industry and jurisdictional requirements can impose another layer of complexity. It will be a major challenge to implement a data retention policy and provide notice to consumers by Jan. 1, 2023. Yet failure could increase the risk of fines or private actions. Organizations should begin now to establish a data retention schedule and a supporting policy. A strong data inventory will be fundamental in determining primary systems subject to purge or anonymization practices.
- Prepare for stronger enforcement.
A key component of the CPRA is establishing the California Privacy Protection Agency, which will allow for greater oversight and investigations into privacy complaints, independent investigations and prosecution. This new agency also increases the risk associated with noncompliance.
To prepare, organizations should establish mechanisms for monitoring compliance to demonstrate the defensibility of their privacy program operations. This preparation may include:
- A data inventory that addresses all categories of personal information, including the newly defined sensitive personal information under the CPRA, along with the purpose for collection and use of personal information.
- Having solid contracts in place with service providers or other third parties that may have access to or receive personal information. Contracts should include limitations on use of personal information, mandatory notice to the service provider or contractor and any sub-contractors when consumers exercise their rights to have access to or deletion of their personal information, and required notification to the business if the service provider is unable to comply with its obligations.
- Making sure privacy notices are updated to reflect the expanded privacy rights under the CPRA and made available to consumers.
- The performance of internal audits and/or privacy risk assessments to prepare against enforcement action. Assessing key areas of risk, identifying gaps in privacy compliance and developing a plan of action to remediate those gaps will help to avoid violations and potentially costly agency investigations.
- Recognition that businesses that present a significant risk to consumers’ privacy or security will be held to a higher standard. The CPRA calls for the California attorney general to develop regulations requiring these businesses to perform an annual cybersecurity audit and to submit risk assessments on a regular basis to the California Privacy Protection Agency.
- Enhance data security and breach prevention.
At the heart of the CPRA is an increase in consumers’ rights to privacy protections. The findings and declarations introducing the text of the CPRA specifically call out that organizations should be held directly accountable to consumers for data security breaches and for failing to take reasonable precautions to protect data.
Organizations must implement reasonable security procedures and practices to protect personal information from unauthorized or illegal access, destruction, use, modification or disclosure. What is considered “reasonable” has not been clarified. In the absence of specification, organizations should revisit their security practices to evaluate if they are sufficient to meet this standard and be prepared to defend them.
Additionally, the CPRA imposes increased liability for personal information security breaches, including tripled penalties for violations regarding minors under the age of 16 and expanding the private right of action for consumers to include breach of an email address in combination with email account login credentials.
By reviewing current practices through audit, privacy and security assessments, and taking steps now to revisit breach preparedness through tabletop exercises, organizations can proactively prepare to address these increased CPRA requirements. In the event of a breach, the CPRA specifically calls out that the implementation and maintenance of reasonable security procedures and practices following a breach does not constitute a cure. The best “cure” is prevention.
What lies ahead?
There is no guarantee that the CPRA will become law. However, the privacy regulatory landscape continues to grow, with more states each year passing additional privacy laws and regulations. The implementation of data retention policies, robust privacy operational controls and strong data security measures not only will help your business adopt privacy best practices but also prepare your business for compliance with the CPRA and future privacy regulations.