New Data Rules Drive Operational Changes

CPRA and CCPA Data Rules

In November 2020, California passed the California Privacy Rights Act (CPRA), which updates the data rules established by the California Consumer Privacy Act (CCPA) originally passed in 2018. Some argue that a patchwork of privacy laws makes it difficult for companies to do business, but in practice, when companies adhere to the most stringent requirements and apply them across the board, this issue largely goes away. CPRA has the potential to become one such lighthouse law that drives action far outside California's borders.

CPRA properly recognizes that privacy cannot be ensured unless the data has first been secured. Data security is a prerequisite that must be addressed before an effective data privacy policy can be put in place. The law requires that companies storing personal information implement reasonable measures to detect security incidents, resist malicious or illegal actions, and aid in the prosecution of the individuals responsible for such actions. The requirement to aid in prosecution implies the need to keep detailed records about such attacks. On the surface this may not seem onerous, given that most data security systems log detected security events. However, by linking security to privacy, CPRA creates a need for security threats to be correlated first to the data repositories they touched and then to the individuals who may be affected. Most organizations do not have a complete (and auditable) directory of the data they hold, and this gap may be a major obstacle to meeting the new requirements.

CCPA required consent before an organization could begin collecting personal information. CPRA makes the definition of consent more specific. For example, consent requests cannot be folded into broad, general statements of policy. Consent agreements must be explicit and self-standing so that the request and its limitations are clear to the individual. CPRA also calls for consent agreements to be reasonably specific about the purpose of the data collection, the type of data collected, and how the data will be used. In addition, organizations cannot assume that general activity on the part of the user implies consent. For example, simply displaying the consent form on the screen does not allow the organization to assume the person has agreed merely because the consent information was made available to them.

CPRA expands the definition of what is considered personal information. Technologies that monitor a person's behavior through heat maps, mouse tracking, historic use patterns, etc. are not prohibited, but their output is considered personal information. As such, organizations have to obtain a user's consent before these technologies can be used. CPRA also goes as far as setting organizational limits on consent agreements. For example, if a user consents to allowing Budweiser to collect data about them, it does not mean they have agreed to allow Corona access to that data, even though both companies are part of the InBev group.

CPRA extends the regulatory reach of these agreements into the data supply chain. If an organization provides data to a third party and the user later asks to be deleted from the data set, that request must be passed on to all third parties who received the data, directly or indirectly, from the source organization. This implies that any organization providing data to a third party must also track its data distribution systems. Further, any third party that accepts data from another source is bound by the conditions the original organization established when the data was first collected. So a company must not only track (and presumably audit) the data held within the organization; its data directory must also be capable of tracking third-party data as it enters or leaves the organization. Essentially, the organization has to track the provenance of all data within and flowing through it. If an organization discovers that a downstream partner is not using the data in accordance with the established consent agreements, the organization is expected to take the reasonable steps needed to remediate that use.

CCPA required organizations to disclose the type of information collected about individuals. CPRA expands this by allowing individuals to request that organizations disclose the exact information held about them and the retention policy associated with that data. As part of this process, people can ask that erroneous information be corrected or deleted. The law also mandates that retention periods cannot be unreasonably long and should be tied to the use case described when consent was obtained.

CPRA adds clarity around the activities covered by the law. As originally written, CCPA rules applied to the sale of data between two entities. CPRA clarifies the point by establishing that other, non-commercial transfers of data are also included under these regulations. The consent agreement must indicate any expected data sale or sharing arrangement that might make use of the collected data. If the organization later decides to share data with a third party after the data has been collected, the original consent agreement needs to be modified and sent to the individuals in order to affirm their continued consent.

Although the 'C' in CCPA stood for Consumers, the CPRA rules also apply to employee data held by the company. CPRA makes it clearer that these privacy rules apply to any personal information held by the organization, not just 'customer' data.

CPRA also created a new state agency, the California Protection Agency, which is tasked with enforcing the CPRA laws.  This agency can levy fines and it also has the authority to audit an organization’s privacy (and security) practices.

CPRA only applies to for-profit entities that either have more than $25M in revenue or derive 50% of their revenue from data sharing activities. While small companies and nonprofits are not covered by the law, they should still consider adopting the CPRA practices as a normal market expectation.

CPRA won't be enforceable until 2023, giving organizations some time to get their house in order, but once it does take effect it will cover all data collected from January 1, 2022 onward. These requirements have driven many organizations to name a Chief Security Officer (CSO) or a Chief Data Officer (CDO) to establish and then oversee the organization's efforts to secure the data it holds. These personnel have 2021 to get their strategies defined and in place so they can begin monitoring the data systems within their organization at the start of 2022.