There is no singular, national privacy or data security law or standard in the United States. Rather, privacy and data security in the U.S. is governed by hundreds of laws as well as numerous policies and procedures enacted by big tech and various financial and health care institutions.
Among the most active states in the area of privacy is California, with more than two dozen privacy and data security laws on the books (with more incoming). As is often the case, where California leads, the nation follows.
Where We Are At
The California Consumer Privacy Act of 2018 (CCPA) went into effect on January 1, 2020. Essentially, this law established three fundamental rights for residents of California regarding how businesses handle their personal and private information. Companies that fail to comply with CCPA can be fined by the California Attorney General.
Under CCPA, Californians have the right . . .
- To learn what information companies have collected about them, the category of companies they’ve disclosed it to, and/or where the information was obtained;
- To demand that companies delete their information (in most circumstances);
- To restrict companies from selling their information.
While the CCPA technically covers only people living in California, a number of companies across the country have elected to operate under these standards nationwide. Similarly, other states are using the CCPA as a guide for enacting their own legislation, much like the CCPA used the European Union’s General Data Protection Regulation (GDPR) as a guide.
What We’ll Be Focused on in 2022
In November 2020, California voters passed Proposition 24, the California Privacy Rights Act (CPRA) of 2020, which will go into effect January 1, 2023. This new law will replace and amend certain portions of the CCPA. Its key changes include:
- Establishment of the California Privacy Protection Agency to implement and enforce the new law. Specifics are few on exactly how the agency will operate and what its authority will be compared to the Attorney General’s office. However, we do know that, per the CPRA, the agency will be governed by “a five-member board, including the chairperson” and that “the chairperson and one member of the board shall be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall each appoint one member.”
- The CPRA also adds and defines a new category of consumer information it calls “sensitive personal information.” Due to the sensitive nature of this data, the CPRA will require companies to employ greater levels of data protection and will restrict what companies can do with it.
- Many of the consumer privacy rights originally codified under CCPA are expanded by the CPRA, including not only the right to opt-out of third-party sales of your data but also the right to opt out of the sharing of your data; extending the window covered by right-to-know requests; extending the scope of right-to-delete requests to include third parties who bought or received the consumer’s data; offering additional ways for consumers to have their data transferred to others; and further clarifying conditions which must be met when dealing with the personal data of individuals under 16 years of age.
- CPRA also creates several new consumer rights, namely the right of consumers to request that companies correct inaccurate personal information, the right to restrict the use and disclosure of their “sensitive personal information” in certain circumstances, and the rights to learn about a company’s automated decision-making processes (such as consumer profiling) and to opt out of such processes.
- The CPRA also changes the definition that determines which businesses need to comply with the law, based on the volume of data a company buys, sells, or shares and the percentage of its revenue that it derives from selling or sharing consumer data. Under the new definition, some businesses (especially small- to medium-sized businesses) may no longer be covered by CPRA, while others might now be.
- The CPRA expands the definition of personal information that is actionable under the law when a business’s failure to implement reasonable security procedures and practices results in a consumer’s personal information being exposed to hackers.
- The CPRA also enacts several elements found in the GDPR, specifically around data minimization, purpose limitation, and storage limitation. Under CPRA, businesses must reasonably limit the personal information they collect to only what is necessary to achieve the purpose for which it is collected in the first place, and must retain that personal information for the least amount of time necessary to fulfill the purpose for which it was collected.
What It Means for You
“Many California residents and companies doing business in California will rightfully be paying close attention to how the CPRA gets implemented and how it will impact them once it goes into effect,” explains Eric Ludwig, whose California-based law firm, Ludwig APC, specializes in intellectual property, data privacy matters, and business litigation around the globe. “Companies will need to carefully consider where they are today in terms of complying with the existing CCPA and where they’ll need to be 12 months from now under CPRA . . . and create a roadmap to get them there.”
A good first step, says Ludwig, is to begin working with certified privacy experts, such as Ludwig APC, to explore various options and approaches to ensure compliance with the new law.