6 Questions About the CPRA, Answered
After this year and this election season, no one is going to blame you if it’s just now dawning on you that there’s another U.S. privacy law you’ve got to figure out.
If you’re emerging from your election cave like a sleepy bear coming out of hibernation, blinking and groggy, you likely have some questions about this new California privacy law called the California Privacy Rights Act (CPRA). Perhaps you’d appreciate a quick primer on the basics of this new law.
That’s what your friendly awareness nerd is here for. I’m no lawyer, but I track the progress of many laws and regulations that impact the way we train employees. And then I try to boil it down to simple terms that help people translate those laws for their employees.
What Is This New California Privacy Law?
It’s called the California Privacy Rights Act of 2020, and it was approved by California voters in the election on November 3.
When it goes into effect on January 1, 2023, it will replace the California Consumer Privacy Act (CCPA). These California laws are often called America’s answer to the General Data Protection Regulation (GDPR), a reference to the European Union regulation that is widely considered to be the global standard for privacy protection and has been emulated in countries around the world. Though this is a state law, the relative importance of California in the U.S. economy gives it outsized influence.
Why Did We Need a New California Privacy Law?
Because the CCPA was too weak. Basically, the privacy advocates who passed the CCPA in 2018 realized that it was not strong enough in its existing form.
The attorney general charged with enforcing it didn’t have enough time and money to do so, and corporate interests actively sought to change the law, according to the LA Times. “If CCPA represented the collective will of the people saying ‘don’t sell my data,’” writes Wired contributor Sidney Fussell, “what followed was two years of companies obfuscating the meanings of the words sell, my, and data.”
So original bill sponsor Alexander McTaggart and his team revised the law and took it straight to the voters, who passed it with 56.1% of the vote.
How Does the CPRA Affect the CCPA?
The CPRA revises and updates the CCPA, which remains in effect now. But it’s no minor revision—the CPRA is a substantial update and introduces numerous new elements. Here are just some of the most significant additions:
- Establishing a new enforcement agency, the California Privacy Protection Agency, with the budget to enforce the act and promote awareness about privacy risks
- Creating a new category of personal information called Sensitive Personal Information with specific compliance requirements
- Expanding the CCPA’s data “opt-out” requirement to include both the sale and sharing of a user’s personal data
This overview of the top 10 most impactful provisions from our friends at the IAPP will get you started, but you can read more in the sources I cite below. The good thing is, if you’re already complying with the CCPA, you won’t have to start from scratch, but there are some new elements that you can’t ignore.
Who Has to Care About the CPRA?
Everyone has to care a little, and some people have to care a lot.
The CPRA does one really important thing that should matter to everyone: it gives individuals legal rights to control their data and to seek justice (and compensation) when companies don’t respect those rights. That’s a big step forward in the American treatment of privacy. You can quibble about the details—it only applies to Californians, it only applies to some companies, etc.—but you can’t deny its importance.
One of the best things you can do to understand why you should care is to read the “Findings and Declarations” and “Purpose and Intent” sections of the CPRA itself, available on the state website. In these sections, the authors make it clear why protecting privacy is so important.
These sections take up only a few pages of the 53-page document, and they’re quite clearly written. I’ll quote just one small bit: “Consumers should know who is collecting their personal information and that of their children, how it is being used, and to whom it is disclosed, so that they have the information necessary to exercise meaningful control over businesses’ use of their personal information and that of their children.” That’s not asking for a lot!
Now, the people who need to care a lot about the law are those running the companies that have to comply—that is, companies that handle the data of Californians (and have more than $25 million in revenue), no matter where those companies are located. These companies will have to invest in the processes and systems (and legal advice) that help them interact with consumers and handle consumer data in the ways specified by the law. And they’ll need to train their employees to do the same.
There is so much really good advice out there on how to comply with these laws, and it comes from the IAPP, from the state attorney general, from law reviews and law firms, and from the ever-expanding array of vendors in this space. (And remember, since the CPRA revised the CCPA, a lot that’s out there on the CCPA is still useful.)
Do I Have to Train My Employees?
Of course you do! Not only is it required by the CPRA, but it just makes good business sense.
Companies where employees understand and respect the consumer’s right to privacy earn consumer trust and avoid penalties.
The best companies provide basic training in good data handling practices to all employees, they provide deeper training to those in roles that directly face the consumer or work closely with consumer data, and they remind employees all year round how important privacy is to them and their customers. (PSST: I know a company that can help with this.)
Are We Done Passing Privacy Laws Yet?
In California, yes; elsewhere, not by a long shot.
The way the CPRA was written makes it unlikely that it will be either amended or replaced soon. This should be the last California privacy law for a while.
But the CPRA is not the last privacy law by any means. Other states are following or will soon, with laws that bear some resemblance to the CPRA. The IAPP does a great job of tracking those on a state-by-state basis.
If the messy situation of 50 unique privacy laws doesn’t bring you any peace of mind, IAPP analyst Caitlin Fennessy’s view may cheer you up: she suggests that the two-year gap between passage and enforcement of the CPRA was put in place specifically to create the “impetus and time for the adoption of U.S. privacy legislation.”
I hope these straight and simple answers have motivated you to learn more about this important change to American privacy law.