The California Privacy Rights and Enforcement Act of 2020 (CPRA) is a groundbreaking achievement for consumer privacy that is likely to be the model for federal law and for local laws around the country. It amps up the CCPA to require much more stringent privacy standards, akin to the protections afforded to Europeans by the General Data Protection Regulation (GDPR). Once it’s in effect, Californians will have a right to know exactly where, how and why businesses use all of their personal data. It’s great news for consumers, but businesses are concerned that implementing these rights will be expensive and make it harder to do business.
The CPRA goes well beyond the California Consumer Privacy Act (CCPA), providing consumers with additional rights to decide how businesses use their sensitive personal information, the right to correct their information, the right to know how it will be stored, and the right to opt out of geolocation-based advertising. It defines “sensitive personal information” as:
The CPRA, like the CCPA, also applies to employee data, but the CPRA requires more transparency with employees about data collection. Under the CPRA, businesses will need to provide consumers with greater abilities to opt out, but it’s not clear what procedures will be used. It’s likely that businesses will rely on browser add-ons such as Global Privacy Control to assist consumers who choose to opt out.
The CPRA narrowly passed with just 56% of the vote in a California ballot initiative on November 3rd, and won’t go into effect until January 1, 2023. Two years seems like a large amount of time to prepare unless you consider that there’s a good chance that the federal government could pass similar rules that go into effect sooner. Additionally, most businesses are not in compliance with CCPA due to lax enforcement, and it’s not far-fetched to anticipate that the passage of the CPRA may prompt stricter enforcement of the CCPA. That’s why it makes sense for every business that might qualify to begin preparing to meet the requirements of the CPRA.
The CCPA applies to businesses that have over twenty million dollars a year in revenue AND derive 50% or more of that revenue from selling personal information, OR that bought, sold, or shared the personal information of 50,000 or more consumers, households or devices for commercial purposes. The CPRA makes only minor changes except for the last point, upping the threshold to 100,000 consumers, households or devices. More companies may actually have to comply because the “sister company” loophole was closed by clarifying the term “common branding” to mean “a shared name, service mark or trademark” that would cause the average consumer to consider the entities to be commonly owned. Now it’s clear that “sister companies” that share a trademark will be subject to the CPRA if they share data. The CPRA also allows businesses that are not required to comply to self-certify as compliant, so they can impress customers with their transparency.
The GDPR set the standard for “privacy as a human right” and the legal obligation for businesses to protect the privacy of consumer data they collect. The CPRA is modeled on the GDPR, so it’s not surprising that the requirements are very similar. The key differences are that the CPRA does not require the express consent of a consumer to process sensitive data, but it requires businesses to establish a legal basis for the use of data, complete a register of processing activity or appoint a data protection officer. It does require some extra options for consumers such as a prominent “do not sell my info” button and the ability to browse without pop-ups or sale of information.
The penalties under the CCPA are $2,500 for each violation or $7,500 if the violation is intentional. The penalties under the CPRA are three times the amount under the CCPA for violations involving the sensitive private information of children. The penalty is increased by another $7,500 if the business, service provider, contractor or other involved person had actual knowledge that the information belonged to a person under the age of 16. This may not sound like much of a burden, especially for the very large businesses it applies to, but it’s important to keep in mind that it applies to each piece of personal information. For example, there is a separate fine for the name, address, email address, phone number, social media account name, etc. One of the greatest limitations of the CCPA in protecting consumer privacy has been lax enforcement, with only a vague structure that anticipates enforcement by the Attorney General. The CPRA, on the other hand, includes plans to establish a new agency or authority to enforce the rights under the law. It’s important to note that both the CCPA and the CPRA allow individuals to bring actions for violations against the responsible companies, but the expense of such actions, where it is usually difficult to prove substantial damages, makes these lawsuits impractical.
With just a little more than two years to change the way huge amounts of personal information are handled, companies are turning to cybersecurity companies to help them implement the changes required under the CPRA. Forbes predicts that investment in cloud security platforms and applications will almost triple from 2020 to 2023. Companies are increasingly utilizing artificial intelligence and machine learning for cybersecurity, and this trend is expected to continue. According to Forbes, some of the leaders in the game are Absolute, Centrify, Deep Instinct, Infoblox, Kount, Mimecast, MobileIron and One Identity. Each of these companies has a somewhat different approach to securing data and preventing intrusions, but all of them provide state-of-the-art solutions.
One of the key reasons business has opposed privacy regulations is the expense of implementation. The CPRA has greatly increased how much data businesses must protect, which will require many businesses to completely overhaul and/or augment their cybersecurity systems. The other hurdle is that the classes of information will be much more nuanced, requiring far more sophisticated methods of data identification and protection than businesses currently have. The CPRA mandates communication with consumers that may not be manageable entirely electronically, so the cost of training customer service personnel is part of the equation. A crunch to get compliance systems up and running is anticipated in 2022 that will drive the costs higher, so it’s wise to at least begin assessing a company's needs as soon as possible.
Consumers are applauding greater restrictions on the use of their sensitive private information, but may not be thrilled with the rise in prices as companies pass along the cost of implementation to their customers. Businesses are concerned about the cost of implementation, but they may find themselves benefiting in other ways from the systems overhauls prompted by the CPRA.
ABC Legal is the nation’s leading service of process and court filing company and is the official process server to the U.S. Department of Justice. Docketly is a subsidiary of ABC Legal, providing appearance counsel on a digital, custom-built platform that smoothly integrates with our applications and services. ABC Legal’s applications are cloud-based and compatible for use on desktop, browser, and smartphones. Our solutions and digital approach ensure process server partners, law firm customers and their clients save valuable time and resources when serving legal notices safely and with maximum compliance, control, and transparency. ABC Legal is based in Seattle, WA, with more than 2,000 process servers throughout the U.S., as well as internationally in more than 75 countries. To learn more about ABC Legal, our solutions and subsidiary company Docketly visit www.abclegal.com.