CPRA explained: New California privacy law ramps up restrictions on data use

The California Privacy Rights Act more closely aligns with the EU's General Data Protection Regulation. Mid-sized companies not yet GDPR compliant face the biggest impact.


In November, Californians approved a ballot measure, Proposition 24, a.k.a. the California Privacy Rights Act (CPRA), to create a new consumer data privacy agency. It puts California yet another step ahead of other states in terms of privacy protections for consumers—and data security requirements for enterprises. California already had a privacy law in place, the California Consumer Privacy Act (CCPA), adopted in 2018. It went into effect in January 2020, and enforcement officially began this past July.

The CCPA was supposed to help keep California from passing a more stringent privacy initiative via ballot. "CCPA is probably one of the leading privacy laws in the US that protects consumers today," says Christophe Bertrand, analyst at Enterprise Strategy Group, but it was originally supposed to be more restrictive. "It was the product of many political negotiations that weakened the final product."

That's not going to happen with the new law. Once passed, it can only be strengthened, not weakened. It did pass. The CPRA was approved by voters 56% to 44%.

Surprisingly, there wasn't a lot of lobbying against the ballot initiative by the big tech companies. "I think part of it is the dumpster fire of 2020 and the pandemic and the runup to the election," says Jessica Lee, partner at Loeb & Loeb and co-chair of the firm's privacy and security practice. "A lot of things were happening at the same time. Also, over the past couple of years we've had a backlash against the big tech companies and a lot of privacy scandals. So, for a tech company to come out against a privacy bill, there are probably some PR and brand considerations."

In addition, the largest companies already must comply with Europe's General Data Protection Regulation (GDPR). "It's not like it's a business-crushing proposition for a lot of the big companies," she says.

CPRA toughens some requirements, reduces risk elsewhere

The CPRA toughens some requirements, brings California more in line with the GDPR, and creates a new state agency—the California Privacy Protection Agency. Previously, the state's attorney general dealt with consumer privacy issues on top of all their other responsibilities. Data privacy now gets a dedicated agency with a $10 million basic budget, plus it will also get part of the fines and settlements it collects from companies that break the law.

The law goes into effect on January 1, 2023, Lee says, and enforcement will begin six months later. "Companies essentially have two years to prepare," she says.

Those two years might bring changes that result in additional scrutiny, penalties and enforcement activities, says Orson Lucas, principal in cybersecurity services at KPMG. That could be a result of evolution in the technology and business landscape or other developments. "For example, if there are a series of substantial breaches between now and January 2023," he says.

A couple of aspects of CPRA will reduce companies' potential risks and liabilities. First, the CCPA applies to companies serving at least 50,000 California residents, households, or devices.  The CPRA raises this to 100,000 and removes "devices" from that list, says Catherine Lyle, head of claims at Coalition, a cyberinsurance company. Businesses won't be held responsible for CPRA violations committed by third parties if certain agreements are in place and the business partner themselves is in compliance with CPRA, she says. "It could reduce your potential liability."

CPRA impact minimal for prepared companies

For companies that are already in compliance with 2018's CCPA—and especially with Europe's GDPR—the changes will be minor. That's the case for Branch Metrics, a global online marketing company that counts Airbnb, Target and Yelp among its thousands of business customers. The company processes billions of consumer records, putting it squarely in the law's crosshairs.

"One thing that is nice about CPRA is that, in some ways, it more closely aligns with GDPR than CCPA does," says Branch Metrics CEO Alex Austin. "So, it's less of a heavy lift if your company has prepared for GDPR." That means that the incremental changes it will have to make to comply with the CPRA will be "relatively minor," he says. "It also helps that we have a lot of time to make any required changes," he adds. "The law doesn't come into force until 2023, and generally only affects data reaching back to 2022, which means more than a year to get your house in order."

In general, Austin says, the more harmonization among the various privacy laws springing up around the world, the better. "For companies operating globally like Branch, any such closer alignment is a good thing."

New data minimization requirements

For some companies, the changes between the CCPA and the CPRA will be significant, says Dan Frank, US privacy and data protection leader at Deloitte. For example, take data minimization. The new rules prohibit businesses from retaining personal information "longer than absolutely necessary," he says. That's a problem, since when it comes to deleting data, companies avoid it like the plague, he says. "Some data is good, more data is better, all data is best." Data can be analyzed by machine learning and AI systems and can help companies develop new products, services, and applications.

Deleting data is a thorny issue. First, there are legal holds and other regulatory and compliance requirements to retain data. Then there's the technical side. "You've got all these interdependencies that exist across systems that make deleting data scary," he says. "We don't want to break anything."

What most organizations plan to do is to anonymize expired data, Frank says. That way, it can still be used to train AI systems and may create fewer dependency issues. "We'll see how that plays out in the long term," he says. "If that data can in any way be attributed back to an individual -- directly or by inference -- then it's no longer anonymized. It's challenging."

The law's use of the word "reasonable" is also a red flag. Who decides what's reasonable? A strong data governance system can also help companies address another aspect of the new law -- allowing consumers to correct inaccurate data about themselves.

"This is a challenge if a company has not really streamlined its master data management and doesn't have a gold record of that data," says Angela Saverice-Rohan, Americas privacy leader at Ernst & Young. "If you change certain data in one system, how will that impact all of your other processes?"

New data sharing requirements

Companies will now also need to ensure that any business partners they share data with also comply with the CPRA. Since part of the law involves having reasonable cybersecurity measures in place, CISOs may need to get involved, says Saverice-Rohan. "This is work that usually happens during security risk assessments," she says.

Another big change has to do with how consumers allow their information to be shared. Under the earlier CCPA, companies had to offer California customers the opportunity to opt out of having their data sold to third parties. Now, that includes all kinds of sharing, not just sales, says Deloitte's Frank. "Consumers need to be able to opt out of particular uses of personal information," he says. "If they do that, you have to be able to stop using it which, if you think about it, is a pretty arduous task. It makes data governance so critical. It's going to require fine-grained consent management."

More liability exposure for data breaches

Another difference is that companies will have additional worries about data breaches, says Frank. For example, breach liability now covers email addresses when used in combination with a security question. If a data breach involves information about minors, the fines can be tripled. "You better know what information you have about children and apply enhanced data protections in case of compromise," he says.

Both the original CCPA law and the new CPRA allow individual consumers to sue companies after a data breach. Now people will have more potential reasons to file these lawsuits, he says. "Maybe you collected more information than I allowed you to," he says.

The CPRA also expands the potential for breach-related lawsuits in another way, according to Alan Friel, a partner at the BakerHostetler law firm. Under the CCPA, companies had a window of opportunity to fix problems after consumers filed a complaint, he says. The law was a little confusing in exactly what kinds of problems could be "cured" in this way.

Now, the CPRA clarifies that the right to cure does not include the ability to avoid penalties by plugging security holes after a breach has occurred. "If you fail to maintain adequate security, and you have a breach, and then you remediate what caused that breach, you're still subject to private right of action and statutory damages," Friel says. "That is definitely going to be something that's welcomed by the plaintiffs' bar."

Another change is that consumers no longer must show that they were harmed by a breach. "You could sue previously, but you had to show harm," Friel says.

BakerHostetler is currently defending companies against several privacy-related lawsuits in California. "We were much more successful in knocking off the lawsuits where there was a harm standard," Friel says. "Most consumers can't show actual monetary harm from a data breach, which is why they get free credit monitoring. It's the banks and the retailers that end up having the out-of-pocket costs -- consumers, generally, not so much. The game changer here is that the mere fact that the breach has occurred is sufficient harm for standing to bring a lawsuit."

Expect more privacy-related lawsuits

Companies have already started seeing privacy-related lawsuits. Last month, children's clothing retailer Hanna Andersson agreed to a $400,000 settlement in response to a class-action lawsuit stemming from a 2019 data breach. Other companies that have already been sued under CCPA include Salesforce, Walmart, online stationery retailer Minted, the Sunshine Behavioral Health Group, TikTok, Zoom, and Houseparty.

It's not just consumers and their lawyers that companies will have to defend themselves against, says Ernst & Young's Saverice-Rohan. Even though the CPRA itself won't be enforced until 2023, the new agency is expected to go to work right away, enforcing existing laws. "In January, the new agency will have the ability to enforce the existing CCPA," she says. "And they'll be looking for actions. Enforcement isn't just likely. It's imminent -- and it's happening in 2021."

Mid-sized companies are going to be particularly hard hit, predicts Benjamin Wright, US attorney and senior instructor at the SANS Institute. For companies with less than $25 million in annual revenues, the requirements are less onerous, he says. "Giant companies can throw armies of lawyers and compliance professionals at disputes." Middle-tier companies don't have the kinds of economies of scale that would allow them to hire armies of lawyers, he says.

Plus, depending on how much support the new agency gets from California's other officials and legislators, it might not have the resources or talent to go after the biggest targets. This is already happening in Europe under GDPR, Wright says, with regulators often more likely to bring actions against smaller and medium-sized companies.

"The giant companies can fight for years in court, whether it be in Europe or in California," Wright says. "For regulators, it is very draining and expensive to fight lawsuits for years. A weak agency that fights a lawsuit for years against a powerful adversary can suffer a lot of staff turnover."

Opportunities for companies that comply with CPRA

CPRA isn't all bad for companies. "Expect smart companies to try to leverage this as an opportunity to demonstrate their compliance and support for privacy," says Steve Durbin, managing director at the Information Security Forum.

Copyright © 2020 IDG Communications, Inc.
