In January 2023, California rolls out the California Privacy Rights Act (CPRA) and sets the stage for other state digital privacy laws to follow in the coming months, creating a more complicated regulatory challenge for companies that handle and store customer—and, in the case of California, employee—data.
Many of these state laws have similar provisions, such as the right to access and delete personal data and the right to opt out of the sale of personal data, but there are specific nuances to each law and its reporting requirements.
We spoke with Jordan Fischer, Partner at Octillo, about what all of this regulation means for companies and what they can do to work towards compliance.
What is the CPRA and why is it important for companies to take note?
California has led the charge when it comes to creating a more general privacy law, beginning with the California Consumer Privacy Act (CCPA), which went into effect in January 2020. In the last two years, businesses have worked to address the regulation’s requirements, highlighting areas of the law that require some clarification. The California Privacy Rights Act (CPRA) provides some additional clarification around the law, as well as some additional definitions. One of the bigger updates is a broader definition of “sensitive information” that will be regulated by the law. Further, what is unique to California is that the state is aligning with the European approach in setting up a separate agency, the California Privacy Protection Agency (CPPA), which will enforce privacy within California, unlike other states where the privacy laws are enforced by the attorney general alone.
How has the CPRA updated the CCPA?
In essence, the CPRA is the CCPA 2.0. For example, the CPRA clarified key exemptions under the CCPA, including whether the statute applied to employee data. While employee data is currently exempted under the CCPA, that exemption expires when the CPRA takes effect, and the law will then apply to employee data in addition to customer and consumer data. For some companies with a larger presence of employees in California, this change in the law will require a deeper look into the company’s collection and processing of employment data. Notably, employers will need to review privacy notices that are provided to employees as well as provide employees with certain rights to direct the processing of their data, similar to the rights currently afforded to consumers under the CCPA. In general, we expect this update alone to impact a large segment of businesses, and it will likely have a ripple effect across jurisdictions as employers work to operationalize these notices and data rights across a multitude of locations.
What are the concerns for companies around the CPRA?
It is challenging for companies to keep up with the evolving guidance and updated regulations. In essence, companies are trying to keep up with a moving target. For most companies, there was significant work that went into addressing the requirements of the CCPA. We are just now starting to see regulatory actions coming out of California—and now the law and implementing regulations are changing again. Adding to this complexity, in 2023, Virginia, Utah, Colorado, and Connecticut will enact their own laws that are driven by what’s going on in California. They each have their own take and their own approach. What we are seeing in the industry and by businesses is not so much a focus on the CPRA specifically, but more a worry that we’re moving towards 50 different state privacy laws, just like we have 50 different data breach notification laws, and there is an exhaustion point. How will we comply with 50 different privacy laws that sometimes require different notices, obligations, “do not sell” buttons, “do not share,” and the like?
How ready is the average company when it comes to complying with the CPRA or other state privacy laws?
Every business is at a different level of maturity when it comes to privacy and security compliance. Businesses that are most compliant tend to be the ones that are in historically regulated spaces, such as healthcare and finance. Because of the years, if not decades, of regulatory compliance requirements, these companies already have a compliance infrastructure that can be leveraged to address privacy and information security. At the same time, because of the reliance on data within businesses at almost every level, privacy compliance often loops in new departments and new operations, impacting the entire organization.
For those organizations that are completely new to compliance, implementing and operationalizing privacy within an organization often requires a significant cultural change. It doesn’t happen overnight. Enduring a breach is the worst way to learn about this area of the law, but unfortunately it is not uncommon for companies to start there. Again, we see more companies waking up to the fact that they need to be doing something about privacy, but their approaches are very different and vary vastly across industry, the size of the organization, and their risk level.
What should businesses be doing to comply with this law?
An important first step is freeing up resources to proactively address privacy concerns. These regulations require a strategic look at your data governance and technological infrastructure. While there are many areas to consider, a few include:
- Reviewing specific privacy notices to understand to whom they must be given and what information is required.
- Understanding what kind of information you are collecting, which will inform what you tell individuals about their data rights, such as whether they can access the information and request that it be deleted.
- Updating your third-party contractual provisions and, in some instances, revisiting your language and existing agreements between vendors.
- Revisiting technological and security controls to protect information subject to privacy requirements.
- Developing a process to address data subject rights.
While there are many factors to consider in an overall privacy compliance program, it’s important to start the conversation early and create a plan to strategically address the requirements.
What does it mean to have privacy regulated by an entity that is not the attorney general?
California is the first state to employ a stand-alone privacy agency. But we can’t forget that the attorney general will still maintain a consumer protection mandate. That means that while the CPPA will be able to bring claims related to the CPRA and privacy violations, the attorney general will still be able to bring claims if there are violations of other rights or other statutes. The hope is that individuals who are hired and work at this agency will be deeply knowledgeable about privacy and security and will understand the limitations of technology in a way that might allow them to interface with businesses at a more practical level. But on the flip side, you now have people solely dedicated to privacy, which means that they’re going to be out there asking the questions that the attorney general, who has multiple mandates, might not be asking. Everyone is waiting to see how the agency is deployed within California to really push the state’s privacy initiative.
With all this in mind, what is your advice for companies concerned about this law?
The worst time to be learning about your data and network infrastructure and how you address privacy and security is when a regulator is watching you. The earlier you can gather key information about your data, information governance, and technology, the more proactive you can be in setting your business up for whatever might come down the pike. Make changes—whether small, incremental, or larger—and put in place a plan to move things forward. Not doing anything in today’s environment is like putting your head in the sand, and no one should be taking that kind of risk.
Thank you again to Jordan for providing valuable insight and clarity on this subject.
Octillo is a women-owned, 360-degree technology law firm and one of the few firms in the United States with a recognized focus solely on data security and privacy compliance, incident response, and litigation. Octillo works with executive leadership and cross-disciplinary teams to understand their business objectives and regulatory obligations to craft out-of-the-box, practical, and legally defensible technology and legal strategies.
Octillo is also a NetDiligence-authorized Breach Coach® law firm.