Hear from CIOs, CTOs, and other senior executives and leaders on data and AI strategies at the Future of Work Summit on January 12, 2022. Learn more

After reaching a smaller-than-expected mandate of 56% on November 3, the California Privacy Rights Act (CPRA) has now been passed. This new law revises the pre-existing California Consumer Privacy Act (CCPA) and marks a turning point for consumer privacy.

Essentially, the ACPL fills some potential gaps in the CCPA – but the changes aren’t uniformly more stringent for businesses (as I’ll show in a moment). It also brings California data protection laws closer to the EU’s GDPR standard. When the CPRA becomes legally enforceable in 2023, California residents will have the right to know where, when and why companies are using their personally identifiable information. With many of the world’s leading tech companies based in California, this act will have national and potentially global repercussions.

The increase in privacy is undoubtedly good news for consumers. But the passage of the law is likely to create concerns among businesses that rely on customer data. With tighter enforcement, tougher penalties, and more onerous obligations, many businesses are likely to wonder if this new law will make it harder for them to operate.

While many of the finer details of the CPRA are subject to change before it becomes binding, here’s what your business needs to know right now.

Will you be subject to the ACPL?

The pre-existing CCPA law only applied to companies that:

1) had over $ 25 million in gross income

2) derive 50% or more of their annual income from the sale of consumers’ personal information, or

3) Purchased, sold or shared for commercial purposes the personal information of 50,000 or more consumers, households or devices.

The ACPL keeps most of these requirements intact, but makes some changes. First, the revenue requirement (point 1 above) is now clearer: a business must have achieved gross revenue of $ 25 million in the previous calendar year become subject to the law.

Second, when it comes to personal information (point 2), sharing is now equated with selling. While the CCPA applied to companies that made more than half of their income from the sale of data, the CPRA now also applies to companies that derive half of their income from sharing personal information with third parties.

Finally, point 3 is now more lenient, the threshold for companies based on personal information having been reduced from 50,000 consumers, households or devices to 100,000.

For companies wondering if they can avoid regulation for sister companies under the same brand, ACPL has clarified the meaning of the term “common brand”. The CAPL now defines “a shared name, service mark or trademark, so that the average consumer would understand that two or more entities are held in common. “

He also specifies that a sister company will fall under the CPRA if it has “personal information shared with it by the company subject to the CPRA”. Concretely, this means that two related companies (one of which is subject to the CPRA) which could share a trademark but have different legal identities, will only be subject to the CPRA if they share data. The same joint responsibility for consumer information also applies to partnerships where a shared interest of more than 40% exists, regardless of the brand.

So, with the CPRA, some businesses are now more likely to be subject to data protection laws while others may no longer fall under California law.

For organizations that operate multiple legal entities, it’s always ideal to have a single approach to consumer data privacy. By allowing non-subject companies to certify themselves that they are compliant, the ACPL also gives companies the possibility of being transparent with their customers on the use of data, even if they do not necessarily need to being.

Consumers have the right to know why you are collecting their “sensitive personal information”

The CAPL will give consumers additional rights to determine how businesses use their data. In addition to being given the right to correct their personal information and to know how long a business can keep it, under the CPRA, consumers will be able to opt out of location-based ads and authorize the use of their sensitive personal information. .

The concept of “sensitive personal information” is itself a new legal definition created by CPRA. Racial / ethnic origin, health information, religious beliefs, sexual orientation, social security number, biometric / genetic information, and content of personal messages all fall under this definition.

Businesses should also be careful when it comes to dealing with the data they have already collected. Suppose a company plans to reuse a customer’s data for purposes “incompatible with the disclosed purposes for which the personal information was collected”. In this case, the customer must be informed of this change.

Like the CCPA, employee data is now the responsibility of the CPRA. While this won’t be legally enforceable until 2023, one of the ACPL’s stipulations is that companies will need to be transparent with their staff about data collection.

Businesses will soon have to offer consumers more comprehensive withdrawal capabilities every time they interact with them, but it may still be some time before unified standards around these procedures become mainstream. There will undoubtedly be more than one way to communicate consumer requirements under CPRA. In addition to opt-out forms, businesses can increase their use of Global Privacy Control, a browser add-on that simplifies opt-out processes. However, as location-based targeting becomes more legally problematic, businesses may need to reconsider their use of certain forms of targeted advertising.

There will be fines for data breaches

The ACPL states that “businesses should also be held directly accountable to consumers for data breaches.” In addition to requiring companies to “notify consumers when their sensitive information has been compromised”, ACPL provides for financial penalties. Companies that allow customer data leaks face fines of up to $ 2,500 or $ 7,500 (for data belonging to minors) per breach. The new California Privacy Protection Agency will be authorized to enforce these fines.

While in the short term, a relatively limited budget means the agency will only take a few large-scale legal actions, every business will face increased financial risk from data breaches. As the CPRA raises the stakes for businesses in terms of data protection, threat actors are likely to become more emboldened. In the EU, the GDPR has been linked to an increase in the incidences of ransomware, with hackers using the threat of fines as leverage to extract larger ransoms from their victims.

In this regard, compliance will mean adopting stronger organizational security postures through increased use of multi-factor authentication and zero trust protocols. It is also likely to increase the costs of insuring businesses for cybersecurity.

You have until 2023 but don’t delay

Although CPRA does not become law until January 1, 2023, its regulations will apply to all information collected from January 1, 2022. So from now on, you have more than two years to prepare. However, as polls earlier this year show, the vast majority of companies still have to comply with the CCPA legislation currently in force.

The deadline for CPRA compliance is relatively generous. As regulators and businesses rush to catch up on their new obligations, businesses are unlikely to face a torrent of lawsuits in the near term.

Nonetheless, in the longer term, the ACPL is likely to lead to new legislation across the United States. This law could be the start of a push towards federal data protection regulations, which will have similar rules, requirements and penalties for businesses regardless of where their customers are located. Businesses should start preparing for a future where customer data is now protected by law.

Rob Shavell is co-founder and CEO of online privacy firm Abine / DeleteMe and has been a strong supporter of privacy law reform, including as a public defender of California Privacy. Rights Act (CPRA).


VentureBeat’s mission is to be a digital public place for technical decision-makers to learn about transformative technology and conduct transactions. Our site provides essential information on data technologies and strategies to guide you in managing your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the topics that interest you
  • our newsletters
  • Closed thought leader content and discounted access to our popular events, such as Transform 2021: Learn more
  • networking features, and more

Become a member

Source link


Modernization of DLA applications focused on business needs, not technology requirements


Your business needs a succession plan: here are the basics

Check Also