With election season coming to a close, there have been many ballot measures around the country that have drawn people's attention.
One of these measures is Proposition 24 in California, known as the California Privacy Rights Act of 2020 (CPRA). The measure passed with a majority of people voting to strengthen consumer privacy rights.
What is California's CPRA?
The new measure will update existing conditions from the 2018 California Consumer Privacy Act (CCPA) and add some new wrinkles, which regulators and businesses alike will take time to adjust to. Most of the CPRA will not be enforced until July 2023.
The group Californians for Consumer Privacy claims this new law will give California the "strongest online privacy rights in the world." What this means for consumers in California is they will now have more protections to their sensitive personal information, fines will triple against companies that violate children's data, and an enforcement arm for consumers will be established, making it much harder to weaken privacy laws in the future.
Andrew Yang, former U.S. presidential candidate and Chair of the Board of Advisors for Californians for Consumer Privacy, was a prominent voice behind the measure. Yang said:
"I look forward to ushering in a new era of consumer privacy rights with passage of Prop 24, the California Privacy Rights Act. It will sweep the country and I'm grateful to Californians for setting a new higher standard for how our data is treated."
Mohit Tiwari, Co-founder and CEO at Symmetry Systems, says the impact will extend all the way to developer-frameworks.
"CPRA adds more teeth to enforcement and emphasizes additional focus on kids' privacy—both are valuable moves towards incentivizing products that respect consumers' privacy.
The initial effect may be that organizations will try to instrument their sprawling infrastructure to measure data risk and add protections where they are needed most.
Longer term, this is a clear signal from the people to entrepreneurs—there is a keen demand for products that complement the ad-driven 'town-square' model, and we should innovate on both respectful products and privacy-centric developer-frameworks to build these products."
How does the CPRA impact organizations?
Legal firm BakerHostetler issued an initial overview of what the CPRA may mean for organizations. However, it says there are a lot of open ended questions.
"The CPRA is 52 pages long, half of which are either additions or revisions. Given the ballot initiative process, there will be no legislative history to inform rulemaking or judicial interpretation. There is a four-page statement of intent that provides some general guidance as to what the CPRA aims to accomplish, but on a 60,000-foot level."
However, one thing that is spelled out about CPRA is that California plans to heavily enforce it. This includes:
- Establishment of a new data protection agency, the California Privacy Protection Agency (the Agency)—tasked along with the AG with enforcement of the CPRA—will take over all rulemaking responsibilities. The Agency is apportioned a sizable budget that must be increased by the legislature "as may be necessary to carry out the provisions of this title." Administrative fines collected by the Agency will be used to reimburse the state courts and the AG for costs related to CPRA enforcement, with a small portion of the proceeds going to the Agency itself.
- Any "person"—any individual or organization—has the ability to bring a CPRA complaint to the Agency. This means that consumers, competitors, vendors, customers, consumer advocacy groups and other parties have standing to bring complaints about a business's privacy practices.
- The Agency may also investigate possible violations on its own initiative, and will have discretion "not to investigate or decide to provide a business with a time-period to cure the alleged violation." There is a five-year statute of limitations for the Agency's administrative actions, which can be tolled if violations were fraudulently concealed.
- Although both the AG and the Agency will have enforcement authority, the AG has the power to require the Agency to stay any administrative investigation or action. The AG, however, cannot bring a civil action based on a violation that has been the subject of an Agency administrative decision or order.
Impact on U.S. and other countries
Proponents of Proposition 24 say that it is a huge win for consumers in California, but it is also possible that it is the first step to more consumer privacy regulations around the world.
Many experts believe that this law will set the bar for other states to follow, and that federal laws are likely not far behind.
Brendan O'Connor, CEO and Co-founder of AppOmni, agrees with the experts that this will have a much greater impact outside the state of California.
"CPRA is the latest chapter in a global trend towards enhanced privacy for consumers, and harsher consequences for companies that fail to put appropriate safeguards in place. This is a 'win' for consumer privacy, but implementing the appropriate safeguards to comply with CPRA can be quite challenging.
Data doesn't live in one place—it has a footprint that spans many systems and applications throughout the enterprise. The pandemic has greatly accelerated the adoption of Cloud applications, and more data than ever before is stored and accessed outside the corporate perimeter.
This is a lot for security and privacy teams to manage. Successful organizations will invest in technologies that show them who has access to consumer data in Cloud applications, and provide continuous assurance that appropriate safeguards are in place."
How do you tackle a changing privacy landscape?
Jordan Fischer of XPAN Law Group says tracking privacy law changes in the U.S. is a daunting exercise: "The cyber and privacy legal landscape is like a target of moving targets."
On a recent episode of The SecureWorld Sessions podcast, Fischer explains how to think about this challenge, how to start tackling it, and the legal exposure for companies who ignore it. Listen here:
For more details and specifics of the CPRA law, check out the official California Consumer Protections Act of 2020.