Passage of California privacy act could spur similar new regulations in other states

On November 3, California citizens approved the California Privacy Rights and Enforcement Act (the CPRA), a comprehensive privacy law that amends another privacy law that went into effect in the state on January 1, the California Consumer Privacy Act (CCPA). The CPRA is intended to strengthen privacy regulations in California by creating new requirements for companies that collect and share sensitive personal information. It also creates a new agency, the California Privacy Protection Agency, that will be responsible for enforcing CPRA violations.

Most privacy attorneys agree that the CPRA was created with the European Union’s General Data Protection Regulation (GDPR) in mind, adding teeth to the stipulations that existed in the CCPA. Consumers will be able to correct inaccurate personal information that business hold, and fines are steep for violating the children’s data protection requirements under the CPRA. Most of the law’s provisions will go into effect on January 1, 2023, with some provisions requiring a look-back to 2022.

The CPRA defines “sensitive personal information” to include an expansive range of data elements, including government-issued identifiers such as drivers licenses, passports, and Social Security numbers as well as financial account information, geolocation, race, ethnicity, religion, union membership, personal communications, genetic and biometric data, health information, and information about sex life or sexual orientation.

One key change in the CCPA requirements in the CPRA is an extension of an exemption for businesses in terms of their employees’ data. The CPRA gives businesses the exemption from meeting the consumer privacy requirements’ tough standards for their employees until January 1, 2023. However, businesses will have to comply with certain aspects of employee privacy protection between now and then.

The CPRA has several other expansive provisions that will grant consumers substantial privacy rights, including limiting business use of their data to the specific purposes for which it has been obtained, increased breach liability, storage limitations, and data minimization.

Other states expected to enact CPRA-like laws

Prior to the COVID pandemic, “Approximately eight other states had a copycat version of the CCPA in the works,” Peter Stockburger, partner in the Data, Privacy and Cybersecurity practice at global law firm Dentons, tells CSO. Among those states are Virginia, Florida, New Hampshire, Washington, Nebraska, New York, Maryland and North Dakota.

Washington appears to be the farthest along, pushing toward 2021 enactment. Although up for consideration when the next legislative session begins in January, no required action has been specified yet in Washington. What is clear is that the privacy moves in Washington and the other states have been spurred by the CCPA’s tougher privacy trailblazing.

The CPRA, however, is the “first of its kind in terms of saying you have to have a lawful and business purpose for what you’re going to do with the data. That sort of processing restriction is European; that’s what the GDPR requires,” Stockburger says. “If that becomes a trend in the States, that’s going to radically change how people handle data and what they do with the data.”

Unlike the CCPA, this requirement could make the CPRA a tougher piece of legislation to copy in other states. “Right now, it’s sort of a free-for-all when you get data, as long as you’re telling people what you do, you can do with it as you wish so long as you’re not doing anything unlawful or you’re not doing something where you’re supposed to obtain consent. That’s a big change. I don’t know that other states are going to follow that,” Stockburger says.

Not all experts think the tougher rules of CPRA will be a harder sell in other states. “I expect that we’ll see several other states propose CPRA copycat legislation in 2021, just as many states proposed CCPA copycat legislation in 2019 and 2020,” Laura Jehl, global head of McDermott’s Privacy and Cybersecurity Practice, tells CSO. “CPRA is intended to strengthen, streamline and otherwise improve CCPA, as well as to better conform the law in some respects to the EU GDPR, so I would expect states that are interested in adopting comprehensive data privacy laws to use CPRA as a basis.”

“I also expect that they won’t copy all aspects of CPRA and that they’ll include some components that aren’t in CPRA,” Jehl adds, “which means that US privacy compliance is about to get even more complicated.”

COVID-19 pushed privacy laws to low priority

The COVID-19 crisis has derailed a lot of legislative activity across the country, making it difficult to get a solid sense of where privacy initiatives are headed. “The challenge you’re going to find is that post-pandemic most of the state legislatures said anything that’s not COVID related is not being considered,” Stockburger says. After the pandemic recedes from its urgent priority status, many states could kick new legislative efforts into gear. “Next year, that’s when you’re going to see big new developments and introductions,” he says.

Will federal privacy legislation preempt the state laws?

Another question that remains is whether the federal government will step in to create a more consistent privacy law framework. In the past, Silicon Valley giants stood staunchly opposed to the stringent provisions of the CCPA and sought a national privacy law to preempt and water down the CCPA’s requirements. However, their resistance has weakened over the past several years.

“At the federal level, there’s just a real challenge in getting any type of omnibus legislative efforts pushed through,” Stockburger says. “That’s been a challenge since probably 2016 when the Democrats got whooped in the midterms, and since then, we’ve had divided Congress.”

The strange lack of desire by the public to push for privacy protections has added to the partisan gridlock. “I don’t think there’s a lot of public pressure on it. You’ve got several fits and starts at the federal level. I think any federal data privacy law is going to have to be pretty principle-based and generic in terms of everybody has a right to know, but it’s subject to state regulation or something to that effect,” Stockburger predicts.