The Final Countdown: CPRA Enforcement on the Horizon
July 1, 2021
With the January 1, 2023 kickoff date, CPRA is coming. How does your compliance strategy stand right now?
As we hit the halfway point of 2021, the clock starts ticking in earnest towards January 1, 2023, when the California Privacy Rights Act (CPRA) takes full effect.
Organizations have had about eight months to digest one of the most aggressive regulatory actions in recent memory, passed into law by the state of California in late 2020. By now, compliance strategies should be taking shape as companies seek to avoid onerous enforcement actions stemming from the legislation (which basically amends the California Consumer Privacy Act of 2018).
Here’s a snapshot of the CPRA and related enforcement actions:
Heavy fines. The CPRA legislation creates a new administration in the Golden State – the California Privacy Protection Agency (CPPA), which focuses specifically on consumer data privacy enforcement. Fines for violating the CPRA’s regulations fall between $2,500 and $7,500, per infraction.
No more 30-day “cure” period. The legislation also significantly adjusts the compliance scope of the CCPA, with the CPRA noting that putting what were once “reasonable” security measures in place after a data breach may not constitute a compliance “cure”. That could lead to more immediate enforcement actions – and even more violations and more fines against out-of-compliance companies engaging with California consumers on a digital basis.
Email exposures targeted. Any consumer who is victimized by a data breach stemming from inadequate company protection of passwords and security Q&A’s can now bring a private right of action against the business in question.
No more CCPA exemptions. The original CCPA legislation included a one-year exemption for data on employees, employment applicants, independent contractors, and any person acting on behalf of a company. Those exemptions go away with the implementation of the CPRA.
A “look back” period starting January 1, 2022. While the CPRA does officially trigger on the first day of January in 2023, the legislation includes a “look back” provision that targets consumer data gathered and held by a business on or after January 1, 2022. Any inefficiencies or irregularities found by regulators after January 1, 2022 could be included as evidence in any actions taken after the official enforcement period begins on January 1, 2023.
The CPRA may go nationwide. Companies that don’t directly do business with California residents and that believe they’re in the clear on CPRA compliance may want to think again.
That’s due to the political wheels turning in Washington, D.C., with a new sheriff in town.
Former California Attorney General Xavier Becerra, largely credited as the key driver of the CPRA in California, now leads the U.S. Department of Health & Human Services, where he could take the California data privacy regulation model to all 50 U.S. states. Expect more aggressive policies on data privacy coming from the federal government under Becerra’s lead, with more regulations in the pipeline right through 2024.
Where Does Your CPRA Compliance Stand?
If you’re doing business in California, and hold consumer data digitally, you should be well along with the development of your company’s CPRA compliance plan. If you’re not, there’s still time to play catch-up.
The good news is that there are 18 months until the legislation’s implementation date, although January 2023 may come sooner than an unprepared compliance director may like.
In the meantime, company compliance officers should be actively reassessing their organization’s consumer data storage and sharing processes.
No longer can companies slide by with consumer “opt out” contract language pertaining to data sales. With the CPRA, consumers can opt out of both data sales and data sharing, which is a big departure from previous enforcement measures. Come 2023, businesses engaging with Golden State consumers must highlight a “Do Not Share My Personal Information” link on their digital platforms, in clear view of those consumers. Look to online data sharing partners like Google and Facebook to highlight alternatives for companies that rely on data sharing revenues on a regular basis.
Additionally, make sure your compliance efforts include a full review of the “sensitive data” interpretation included in the CPRA. Unlike the preceding CCPA, the new legislation expands the definition of sensitive consumer data to include the following information:
— Demographic information such as a consumer’s racial or ethnic origin, religious or philosophical beliefs, union membership or sexual orientation
— The contents of consumers’ communications
— Genetic and biometric data
— Precise geolocation
— Information about a consumer’s sex life
Coupled together with new “right to know” and “right to correct” provisions buried in the CPRA legislation, the era of loose consumer data practices is likely over in California – and may be widening to include the entire U.S. in the very near future.