If you’re like most people, you’ve got some questions about the new California privacy law that passed in November of 2020.
Called the California Privacy Rights Act (CPRA), it’s a comprehensive privacy law that provides significant protections to California citizens who wish to exert more control over the data they share with companies.
Below you’ll find a quick primer on the basics of this new law. I’m not a privacy lawyer, but I track the progress of many laws and regulations that impact the way we train employees and I try to break it down in simple terms. We don’t all need to be privacy or security experts, but we all need to know and do enough to understand and apply these laws and their underlying principles to our work and to our personal life.
What is this new California privacy law?
It’s called the California Privacy Rights Act of 2020, and it was approved by California voters in the election on November 3.
When it goes into effect on January 1, 2023, it will replace the California Consumer Privacy Act (CCPA). The CCPA was already compared to the big kahuna of international privacy regulation, Europe’s General Data Protection Regulation (GDPR), and the CPRA makes the CCPA bolder and stronger. (If you’re not already up on the GDPR, just know that it is widely considered to be the global standard for privacy protection and has been emulated in countries around the world.)
You may wonder, what’s the big deal with a mere state law? Well, it’s California, a state that if it were a country would have the world’s fifth-largest economy. The relative importance of California in the world economy gives it outsized influence.
Why did we need a new California privacy law?
Because the CCPA was too weak. Basically, the privacy advocates who passed the CCPA in 2018 realized that it was not strong enough in its existing form.
The attorney general charged with enforcing it didn’t have enough time and money to do so, and corporate interests actively sought to change the law, according to the LA Times. “If CCPA represented the collective will of the people saying ‘don’t sell my data,’” writes Wired contributor Sidney Fussell, “what followed was two years of companies obfuscating the meanings of the words sell, my, and data.”
So original bill sponsor Alexander McTaggart and his team revised and strengthened the CCPA and took it straight to the voters, who passed it with 56.1% of the vote. Let’s not underestimate the importance of a privacy law that is voted in by the people. It’s a clear sign that citizens see the need for stronger privacy protections.
How Does the CPRA Affect the CCPA?
The CPRA revises and updates the CCPA, which remains in effect until the new law takes force in 2023. But it’s no minor revision—the CPRA is a substantial update and introduces numerous new elements. Here are just some of the most significant additions:
- The establishment of a new enforcement agency, the California Privacy Protection Agency, with the budget to enforce the act and promote awareness about privacy risks. The IAPP’s first article in an in-depth series on the CPRA is all about this agency, which will get up and running early in 2021.
- The creation of a new category of personal information, Sensitive Personal Information, with its own specific compliance requirements
- The expansion of the CCPA’s data “opt-out” requirement to cover both the sale and the sharing of a user’s personal data
This overview of the top 10 most impactful provisions from our friends at the IAPP will get you started, but you can read more in the sources I cite below. The good thing is, if you’re already complying with the CCPA, you won’t have to start from scratch, but there are some new elements that you can’t ignore.
Who Has to Care About the CPRA?
Everyone has to care a little, and some people have to care a lot.
The CPRA does one really important thing that should matter to everyone: it gives residents of California legal rights to control their data and to seek justice (and compensation) when companies don’t respect those rights. That’s a big step forward in the American treatment of privacy. You can quibble about the details—it only applies to Californians, it only applies to some companies, etc.—but you can’t deny its importance.
I don’t generally recommend privacy laws as worthwhile reading—but the “Findings and Declarations” and “Purpose and Intent” sections of the CPRA make a pretty compelling case for why this law matters. (You can read it yourself in a nice online version hosted by Transcend.io, or in the original PDF on the state website.)
I’ll quote just one small bit: “Consumers should know who is collecting their personal Information and that of their children, how it is being used, and to whom it is disclosed, so that they have the information necessary to exercise meaningful control over businesses’ use of their personal information and that of their children.” That’s not asking for a lot!
Now, the people who need to care a lot about the law are those running the companies that have to comply. This means any company that handles data of Californians (and has more than $25 million in revenue), no matter where those companies are located (this means you, any large American or global company).
These companies will have to invest in the processes and systems (and legal advice) that help them interact with consumers and handle consumer data in the ways specified by the law. And they’ll need to train their employees to do the same.
We’ll know more about the importance of the CPRA once the first enforcement actions occur, of course. If enforcement is strict and is applied to companies of various types and sizes, I predict we’ll see a substantive improvement in American data-handling practices. If it is incremental and limited, I doubt we’ll see much change from the status quo. So, watch what happens when enforcement starts to gauge the real power of this law.
There is so much really good advice out there on how to comply with California privacy law, and it comes from the IAPP, from the state attorney general, from law reviews and law firms, and from the ever-expanding array of vendors in this space. (And remember, since the CPRA revised the CCPA, a lot that’s out there on the CCPA is still useful.)
Do I have to train my employees?
Of course you do! Not only is it required by the CPRA, but it just makes good business sense.
Companies where employees understand and respect the consumer’s right to privacy earn consumer trust and avoid penalties. The best companies provide basic training in good data handling practices to all employees, offer deeper training to those in roles that directly face the consumer or work closely with consumer data, and remind employees all year round how important privacy is to them and their customers.
Are we done passing privacy laws yet?
In California, yes; elsewhere, not by a long shot.
The way the CPRA was written makes it unlikely that it will be either amended or replaced soon. This should be the last California privacy law for a while.
But the CPRA is not the last privacy law, by any means. Other states are following or will soon, with laws that bear some resemblance to the CPRA. The IAPP does a great job of tracking those on a state-by-state basis.
If the messy situation of 50 unique privacy laws doesn’t bring you any peace of mind, IAPP analyst Caitlin Fennessy’s view may cheer you up: she suggests that the two-year gap between passage and enforcement of the CPRA was put in place specifically to create the “impetus and time for the adoption of U.S. privacy legislation.” But don’t hold your breath waiting for a federal law; it’s been predicted for years but the inability of the major parties to reach compromise (sigh) has consistently put agreement out of reach.
I hope these straight and simple answers have motivated you to learn more about this important change to American privacy law.