🚨🚨 Privacy news 🚨🚨
The Consumer Privacy Rights Act, on the ballot as Proposition 24, has been approved by voters in California, passing with 56.1% of the vote.
We are thrilled to announce the passage of #Prop24, the California Privacy Rights Act, with a decisive majority of Californians supporting the measure to strengthen consumer privacy rights. #California once again makes history and leads the nation!
— Yes on Prop 24 — Californians for Consumer Privacy (@caprivacyorg) November 4, 2020
Californians for Consumer Privacy, the grassroots organization that helped put CPRA on this year’s ballot, is the same group that inspired the ballot initiative in 2018 that later became the California Consumer Privacy Act (CCPA).
CPRA becomes enforceable on July 1, 2023, with a lookback to January 2022.
An easy way to think about CPRA is as CCPA 2.0.
It’s an amendment to the CCPA that both bolsters that law by making it more difficult for regulators to weaken privacy laws in the future, and institutes a handful of new privacy rights for California citizens.
For example, CPRA establishes a new category of “sensitive personal information” that covers everything from race and ethnicity to biometric data and precise geolocation, and it enhances children’s privacy by tripling fines for violations involving the information of kids under 16.
CPRA also adds new requirements for data minimization, places limits on data retention, calls for annual audits and risk assessments for “high-risk processing” and expands the “do not sell” remit within CCPA to “do not sell or share” – which has a direct impact on ad tech companies.
“Between CPRA, the efforts that have been made by major browsers and the recent iOS 14 privacy updates to do away with third-party cookies, the ad tech industry will need to evolve,” said Heather Federman, VP of privacy and policy at privacy tech company BigID. “Otherwise, their business models are at risk of becoming obsolete.”
But one of the most significant developments enshrined within the CPRA is the creation of a California Privacy Protection Agency solely focused on defending consumer rights. Historically, that job fell to the California attorney general’s office. The new agency will have a $10 million annual budget and will function in a way not all that different from the data protection authorities in each EU member state, Federman said.
An agency exclusively dedicated to consumer privacy could “up the ante for enterprises who had previously buried their head in the sand,” she said.
So, what should companies be doing now?
For businesses that have been taking a “half-baked approach” to CCPA compliance, CPRA compliance will be tricky, Federman said.
But companies that have spent months getting ready for CCPA “should be heartened to know that they won’t need to tear down their privacy operations and start over,” said Cillian Kieran, CEO and founder of privacy compliance startup Ethyca.
“Rather, the CPRA is about adding nuance and sophistication to the basic privacy systems businesses have already started to put in place,” Kieran said.
The de facto standard
But with CPRA’s passage comes, again, the perennial question of what might happen with federal privacy legislation down the line.
It’s premature to say, but if a federal privacy law doesn’t include the preemption clause favored by Republicans, then California could become a blueprint for other state-based privacy laws and set a floor – rather than act as the ceiling – for privacy protections writ large.
By the same token, most businesses are likely to become compliant with CPRA across the country out of necessity, making it the de facto standard regardless of what happens at the federal level.
“I believe this does become the de facto standard,” said Jay Friedman, president of Goodway Group. “With CPRA looking more like GDPR than CCPA did, the standard is potentially being created without the federal government needing to add or change much.”