In the November 3, 2020, election California voters upped the consumer digital privacy ante by passing Proposition 24, the California Privacy Rights Act (CPRA). It amends the California Consumer Privacy Act (CCPA) and goes into effect January 1, 2023, for all data collected starting January 1, 20221. As California is frequently deemed the tail that wags the dog, this new bill is worth taking a closer look at in terms of how it will impact companies that have California residents’ personal information. With 12% of the U.S. population calling California home, almost all companies will need to become familiar and potentially have to comply with this new privacy law.
There are a lot of questions about CPRA and while I won’t be able to address all of them here, I will provide some general information and food for thought. Some of these questions include, what is CPRA and how does it differ from CCPA? How does CPRA relate to CCPA? Will it replace CCPA? These are all valid questions and concerns.
According to Californians for Consumer Privacy, which supported the bill, it differs from CCPA in a number of ways. Chief among them are that it:
- Further protects personal information
- Safeguards children’s privacy
- Establishes an enforcement arm
Two aspects of this new law that are critical for enterprises doing business in California to understand now are:
- CPRA’s new definition of “Sensitive Personal Information” (SPI)
- The creation of the California Privacy Protection Agency
Sensitive Personal Information
The National Law Review notes “Under the CPRA, certain new rights and compliance burdens will attach to a new category of personal information called ‘sensitive personal information.’” It goes on with examples:
Sensitive personal information will include financial information, account log-in credentials, a consumer’s identification numbers (e.g., Social Security number, driver’s license number, etc.), precise geolocation, racial and ethnic information, personal communications, and information about one’s sex life or sexual orientation, and genetic data, biometric or health information, among other aspects.
The definition above is much more comprehensive and specific than those we’ve seen in other consumer privacy regulations. It goes beyond Personal Identifiable Information (PII) specifically calling out geolocation, personal communications, sexual orientation, and biological and health information. By this definition, much more data is sensitive and needs to be protected. And many enterprises that may not have needed to devote resources to protecting that data now do.
The California Privacy Protection Agency
As part of the new bill, CPRA has established the California Privacy Protection Agency (CalPPA). This agency will oversee the enforcement of CPRA, and further establishes fines and penalties for violation of the law. This is the first agency in the U.S. charged solely with enforcing privacy rights. According to the National Law Review, CalPPA:
Will have administrative authority and the ability to enforce the CPRA, including certain audit rights. It is likely that the creation of the CalPPA, will lead to additional enforcement of the CPRA beyond what we have seen with the CCPA. Further, the CPRA has effectively expanded liability as well.
And enforcement will have consequences. According to Proposition 24 itself:
If the agency determines … that a violation or violations have occurred, it shall issue an order that may require the violator to do all or any of the following:
(1)Cease and desist violation of this title.
(2) Subject to Section 1798.155, pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state.
So, ignoring this regulation can have financial consequences. It can also have reputational and consequent sales and share price consequences driven by breach notifications. As privacy advocate Rob Shavell writes in VentureBeat, the CPRA:
[Requires] businesses to “notify consumers when their sensitive information has been compromised,” [and] sets out financial penalties [noted above]. … The newly formed California Privacy Protection Agency will be authorized to enforce these fines.
Shavell goes on to outline likely short- and long-term legal scenarios.
While in the short term, a relatively limited budget is likely to mean the agency will undertake only a few large-scale instances of legal action, every business will face increased financial risk related to data breaches. As the CPRA raises the stakes for businesses regarding data protection, threat actors are likely to be emboldened further. In the EU, the GDPR has been linked to increased ransomware incidences as hackers use the threat of fines as leverage to extract larger ransoms from their victims.
However, California Attorney General, Xavier Becerra, is serious about privacy enforcement and has an innovative approach to scaling enforcement. He offers "authorized prosecutors" grants to more effectively conduct investigations and bring prosecutions to protect the public's privacy rights and/or intellectual property rights.
What’s an Enterprise to Do?
Enterprises should now be working to discover and classify their data to know if they have Sensitive Personal Information that can be breached. If they do, they should start considering remediation plans such as identity access management, encryption, and tokenization. This is a problem of scale and complexity for many organizations, and it is better to start earlier than later. You don’t want to be caught unprepared in January 2023. Moreover, the sooner you get a grip on these issues, the better your security posture will be for multiple other data security regulations, such as the current CCPA, GDPR, PCI DSS, New York State’s Cybersecurity Requirements for Financial Services Companies, and many more. It can also save you from the embarrassment of a breach and the potential damage it can cause.
The Long Arm of California
Finally, California keeps a “wall of shame” of data breaches which contains the names of organizations that have lost control of unencrypted California residents’ PII data. Nobody wants to be on this list because it is tracked by news media and legal firms that are looking for blood in the water. Many companies based outside of California and even outside the U.S. do business with consumers who reside in California and therefore need to follow California regulations. Fortunately, CCPA, CPRA, GDPR and all the privacy standards have many of the same controls. By leveraging data security best practices and using flexible data security platforms, companies can cost effectively keep control of and protect their regulated data no matter if it‘s called PII, SPI, ePHI, CHD, SPD or the next acronym that comes along.
CPRA isn’t the first regulation companies will have to address, nor will it be the last. Thales can help enhance your security to achieve and maintain compliance.