Published on October 16, 2020. Author: Privacy Research Team
Although the California Consumer Privacy Act (CCPA) entered enforcement only recently, Californians are holding their breath to see whether it will become old news very fast. This is because the California Privacy Rights Act (CPRA) will feature on the November 2020 ballot. If it is voted in directly by the residents of California, the CPRA will significantly amend the recently passed CCPA to create a whole new host of data privacy rights for Californians while increasing the obligations of businesses, online service providers and other data processors who deal with the personal information and data of residents of California. It would be as if the CCPA never came. The CCPA would become a footnote in history, i.e., a stepping stone for the true heir: the CPRA.
The CPRA has been spearheaded by the same privacy groups and activists who were behind the CCPA. Back in 2018, a ballot initiative termed the ‘Consumer Right to Privacy Act’ was supposed to appear on the November 2018 ballot in California as the first comprehensive data protection law in the United States. Due to lobbying by businesses, though, a compromise was struck: the California legislature passed the CCPA and the initiative was withdrawn. However, regardless of the CCPA’s strict language and current protections of personal information, Californians are now pushing to make it more stringent through the amendments brought about by the CPRA. The reason is the loopholes the CCPA has left behind, which allow for weak enforcement, and its lack of mention of sensitive personal information, consent, dark patterns, online profiling, data contractors etc., all of which are very important terms in the world of data privacy regulation.
Despite some criticism from consumer rights groups, it is likely that the CPRA will be voted into law. Polls conducted in late 2019 showed the CPRA having an approval rating of 80% among Californians. It has also gained the support of Andrew Yang, a recent presidential candidate and public personality. Thus, businesses which collect, process, sell and buy personal information of California residents, and which have had to make difficult and costly adjustments to comply with the CCPA, must accept that the CPRA, in its current form, will most likely be passed and enforced as is. Interested stakeholders must study this new law and its protection requirements and work towards compliance right now so as to avoid any last-minute panic.
While the CCPA can currently be amended (and even repealed) through a simple majority of the California legislature, Section 24 of the CPRA provides that, if the law is passed, the California legislature can make no amendment to the CPRA which would ‘weaken the privacy rights of the consumers’. Thus, when the CPRA becomes law, businesses should lose all expectation that their obligations under California law will be amended in their favor. Any amendment would only bring stricter obligations, and the California legislature would not be able to repeal the law either unless it legislates something even more stringent.
The CPRA is state law, and there is a chance that it might be preempted by federal legislation on data privacy. One of the most recent bills by the Republican Party, the SAFE DATA Act, proposes just that.
However, it should be remembered that one of the popular bills currently being considered by the Senate, the Consumer Online Privacy Act (COPRA), will allow states to promulgate and enforce their own data privacy laws as long as they enhance the data privacy standards for consumers laid down by the federal law. A perusal of the provisions of COPRA and of the CPRA makes it clear that the CPRA definitely expands and enhances data privacy protections, and therefore it shall not be preempted if COPRA is passed.
In fact, California has historically been known as a leader in bringing about innovative legislation which is then eventually adopted by other states (e.g., interracial marriage, same-sex marriage, increase in minimum wage, stem cell research). Arguably, then, it would be safe to assume that the obligations on businesses towards data privacy protections in the CPRA will be adopted by other states very soon and might even be treated as an inspiration for any future federal privacy law.
Finally, understanding the CPRA and the duties and obligations it places on businesses and data processors is vital for the online global business community because of its expanded territorial reach.
The CPRA has mandated in Section 4 a new significant duty on businesses operating in California who collect data and then disclose, share or sell personal information to any other entity for any specific business purpose - the business MUST sign a contract with the entity, in which the entity must agree to be bound by the entire data privacy protection obligations of the CPRA and must provide ‘the same level of privacy protections’ to the shared/bought personal information.
This is a definite step up from the requirement in the CCPA for businesses operating in California who collect the personal information of Californians and then sell, disclose or share that information with other entities to only sign a written contract ensuring the data was used for the specific business purpose it was provided for and that if it was re-sold, the consumers in California would receive a notice to opt-out of the sale.
This new duty on businesses who operate in California and collect the data of Californians (which arguably are some of the biggest data processing companies of the world) would effectively make the entire CPRA apply globally, as any entity these companies choose to share their data with would have to agree to be bound by all of the law's requirements and protections.
In view of these factors, businesses should be keeping a close eye on California and understanding the stringent new standards and requirements which are set forth by the CPRA right now. The earlier those standards are understood and worked towards, the faster and less costly compliance would eventually be. This is where SECURITI.ai can help.
SECURITI.ai is a leader in global privacy compliance software. Our award-winning compliance solution revolves around the concept of PrivacyOps, which calls for utilizing robotic automation, artificial intelligence and machine learning to provide enterprises with a system that automates the majority of compliance tasks and frees up crucial resources for other areas of business. Our innovative automated mechanisms can help businesses comply with the complex requirements of the CPRA with the simple click of a button.
Keep following our blog where we will go through every change the CPRA will bring to provide a comprehensive overview of this next big data privacy regulatory framework or contact us now to start managing your compliance needs today.