Are you ready for the California Privacy Rights Act (CPRA)?
The CPRA, which becomes effective January 1, 2023, is essentially an extension and amendment of the California Consumer Privacy Act (CCPA). In my last blog post, I wrote about the first CCPA enforcement action by the California Attorney General, which resulted in a $1.2 million settlement with Sephora Now the CPRA has created a new well-funded California Privacy Protection Agency (CPPA), which will likely to be far more aggressive in bringing actions than the California Attorney General’s Office has been.
Other states have followed California and passed more stringent data privacy laws. Virginia’s Consumer Data Protection Act also goes into effect January 1, 2023. The Colorado Privacy Act becomes effective July 1, 2023, as does the new data privacy law in Connecticut. Utah’s Consumer Privacy Act becomes effective December 31, 2023.
While these state laws have some common features, there are enough differences that businesses should take a close look at what steps may be necessary to assure compliance in 2023. Businesses should focus on four essential areas:
- cookie consent and consent management
- data subject access rights (DSARs)
- privacy policies
- service provider agreements
Differences Between CCPA and CPRA
The CPRA added a new right to correct personal data and requires specific notices on how long data will be retained. This new “right to correct” should immediately be included in website privacy policies, and internal processes and procedures for data retention and responding to data subject requests should be updated.
The CPRA also added new restrictions on “sharing” personal data. Businesses should review their cookie policies and how they manage op-out requests relative to the sharing of personal information with third parties for purposes of targeting advertising. While a cookie banner and express consent is not required by the CPRA, in light of the Sephora action, the CPPA will likely be looking at how certain cookies are used by a business to track users’ personal information and allow for targeted advertisements. What opportunities does the business give users to opt-out of such tracking? By what mechanism may users to withdraw their consent for such tracking? The CPPA may review how businesses respond to and process requests for the sale or sharing of data with third parties. Cookie consent and management may become a focus of enforcement activity. Accordingly, some businesses, to assure compliance with the CPRA, may decide to add a “DO NOT SELL OR SHARE MY DATA” link to their website.
CCPA Exemptions for Employee and Business-to-Business Information Eliminated
The CCPA focused on the rights of “consumers,” and imposed a moratorium on the personal data collected on employees and information collected as part of a business-to-business (or “B2B”) relationship. The CPRA eliminates these exemptions as of January 1, 2023. Employees, former employees, and job applicants will now have the same rights as other California residents under the CCPA. We anticipate that many DSAR requests in 2023 will seek employment related data. Persons involved in a B2B relationship will also have new rights. They will be able to discover what information another business has about them, to request that such information be deleted, to request corrections, to request that the sale or sharing of the information be limited, etc. The processes already in place to enable “consumers” to make such requests under the CCPA will now need to be modified to include employment and B2B data.
In contrast, the Virginia, Connecticut, Colorado and Utah laws are limited to consumers and do not cover employees.
Not-for-Profit Exemption
The Colorado privacy law applies to any entity that conducts business in Colorado or which “produce products or services that are targeted to the residents of the state.” Consequently, while the California, Virginia, Connecticut, and Utah privacy laws specifically exempt non-profits, the Colorado law’s broader scope may cover non-profit organizations.
Agreements with Service Providers
All of the new state data privacy laws impose requirements on contracts with parties who may have access to or process personal data on behalf of a business. These mandatory contract provisions restrict the use and sharing of data and require assurances that the vendor will exercise the same level of protection for any personal data.
Data Privacy Impact Assessments (DPIA)
The CPRA empowered the CPPA to issue regulations that might require a business to submit to the agency a risk assessment with respect to certain forms of data processing activities. We haven’t yet seen such regulations for a DPIA. The Colorado and Virginia data privacy laws reference privacy impact assessments, but such assessments are only required if a business processes personal data that presents a “heightened risk of harm” to consumers.
Basic Takeaway
Legal compliance is a complicated and multifaceted process and requires a team effort, especially considering that privacy programs must continually be updated as new laws come into effect. Even if the legal landscape for data privacy compliance is ever changing and evolving, though, businesses can still take actions now that will mitigate risk and liability in 2023.
Wishing everyone a happy, healthy, and secure new year!
No comments :
Post a Comment