The first major consumer-focused privacy regulation in the U.S., the California Consumer Privacy Act (CCPA), came into effect on January 1st, 2020, which seems like a lifetime ago. Now it’s April 2022, and there are several more privacy regulations about to go into effect, all of which have acronyms that include a different assortment of “C”, “P”, and “A” (just to be confusing). The California Privacy Rights Act (CPRA), also known as CCPA 2.0, is one of these privacy regulations. The CPRA, which goes into effect on January 1st, 2023, is similar to the CCPA but there are some key differences.
What does compliance with CPRA mean for companies that have built privacy programs to comply with CCPA?
Data inventories must now include B2B and employee data.
Although the CCPA contains no explicit requirement to maintain a data inventory, complying with it is nearly impossible without one, and the CPRA's requirements likewise depend on one. A potentially major difference is scope: under the CPRA, the CCPA's exemptions for B2B data and employee data are scheduled to expire on January 1st, 2023, bringing both into scope for Consumer Rights Requests (CRR), privacy notices, and the other obligations. "Potentially" because there is still a possibility that the employee and B2B exemptions will be extended. The CPRA also grants consumers rights the CCPA did not: the ability to opt out of profiling, to opt out of targeted/cross-context behavioral advertising, to opt out of automated decision making, and to limit the use and disclosure of sensitive personal information.
Consumers have the right to correct their personal information.
The CPRA provides additional consumer privacy rights beyond those provided by the CCPA. In addition to the rights mentioned above (opt-out of profiling, targeted/cross-context advertising, automated decision making, and limiting the use and disclosure of sensitive information), the CPRA also gives consumers the right to correct their personal information.
Organizations must conduct regular Privacy Impact Assessments and annual cyber risk assessments.
The CPRA requires businesses to conduct risk assessments with the goal of restricting or prohibiting processing that poses a threat to consumers' privacy. These are referred to as Privacy Impact Assessments (PIA), not to be confused with the GDPR's Data Protection Impact Assessments (DPIA), although the two serve a similar purpose. A PIA is a deeper dive into higher-risk activities involving personal information, carried out to identify risks and remediate them before the activity or project begins; it is a proactive risk assessment. Although the rules for when a PIA is required have not yet been finalized, the CPRA has provided an initial list of activities that could trigger one.
Processing activities that could require a PIA include:
- automated processing, profiling, or matching/combining of data sets
- large scale processing of sensitive data
- processing data on a large scale
- new technology/innovation (such as Artificial Intelligence)
- any other high-risk processing which could negatively impact data subjects
The CPRA also requires businesses whose processing presents a significant risk to consumers' privacy or security to conduct annual cybersecurity assessments (the statute calls them audits). These assessments must be thorough and independent.
External privacy notices will need to be updated to reflect new consumer rights.
Given the new obligations and rights under the CPRA, companies will need to update their California privacy notices. The external privacy notice will need to reflect the processing of B2B personal data, the new consumer rights, and the process by which consumers can appeal a decision on their rights requests. If a company's position on selling or sharing personal information has changed, that should be reflected in the updated notice as well. In addition, employee- and applicant-facing privacy notices should be updated at least annually and should be based on the latest data inventory.
Record retention requirements are more stringent and must be disclosed.
While the CCPA does not provide specific requirements for records retention, the CPRA does. In addition to keeping personal information only as long as is necessary for the purpose for which it was collected, the CPRA requires companies to disclose the retention period for each category of personal information (or, where a fixed period cannot be given, the criteria used to determine it). So, in addition to describing how each of the 11 categories of personal information is collected and shared, which the CCPA already requires, a retention period may need to be listed for each of those categories. Companies need to enhance their retention policies so that they actually know how long they keep each category of personal information and are prepared to state it in the privacy notice. To comply with the CPRA, companies should also implement a defensible destruction practice, so that data is demonstrably deleted when its retention period ends.
How should companies be updating their privacy programs in the second half of 2022?
- Update data inventories. Organizations should update their data inventory to include applications and business processes that collect and process the personal information of employees and B2B individuals.
- Identify business processes that involve high-risk processing or the processing of sensitive information. Companies should flag in their data inventory every business process that involves profiling, targeted/cross-context advertising, automated decision making, or the processing of sensitive personal information, since those are the processes the new opt-out and limit rights attach to.
- Enhance consumer rights processes and create consent tracking mechanisms. Companies will need to enhance their consumer rights process to support the new rights. Changes will be needed both to the form (or collection point) through which consumers make requests and to the back-end workflow that fulfills them. Companies should also consider building a consent tracking mechanism to record the opt-out and limit choices consumers make under the CPRA. Given the granularity of these rights, companies must be able to determine, per individual, which rights have been exercised and when.
- Develop a Privacy Impact Assessment and cybersecurity assessment program. Employees should be trained on how to conduct PIAs and on how to support or conduct the annual, independent cyber assessments.
- Update privacy notice to include retention period(s). Given the new CPRA records retention requirements, companies may need to update their privacy notice to include the retention period of each category of personal information.
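The consent tracking mechanism described above has to answer two questions reliably: what has this individual actioned, and what was in force on a given date? The following is an added illustration (not code from the original article or from Ankura) of one way to structure that record as an append-only ledger that is replayed to derive the current state per right. Every consumer ID, request ID, timestamp and rights label in it is constructed for the example; the rights labels are our own naming for the opt-out and limit rights the article discusses, not statutory terms.

```python
"""Added example for this article: an append-only ledger of the rights each
consumer has actioned, replayed to answer "is this processing permitted for
this person right now (or on a given date)?". Constructed for illustration;
not from the original post or any product. All consumer IDs, request IDs,
rights labels and timestamps are made up."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Labels for the opt-out / limit rights discussed in the article (our own naming).
RIGHTS = frozenset({
    "opt_out_sale_sharing",        # sale or sharing for cross-context advertising
    "opt_out_profiling",
    "opt_out_automated_decisions",
    "limit_sensitive_pi",          # limit use and disclosure of sensitive PI
})
ACTIONS = frozenset({"assert", "withdraw"})   # opt out (or limit) / opt back in


def ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp and require a timezone, so events recorded
    by different systems sort correctly."""
    dt = datetime.fromisoformat(iso)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp must carry a timezone: {iso}")
    return dt.astimezone(timezone.utc)


@dataclass(frozen=True)
class RightsEvent:
    consumer_id: str
    right: str
    action: str
    at: datetime
    channel: str      # collection point, e.g. "web_form", "gpc_signal", "email"
    request_id: str   # ties the event back to the fulfilment workflow


class RightsLedger:
    """Events are only ever appended. State is derived by replay, so the
    record of what an individual actioned (and when) survives for audits."""

    def __init__(self) -> None:
        self._events: List[RightsEvent] = []

    def record(self, ev: RightsEvent) -> None:
        if ev.right not in RIGHTS:
            raise ValueError(f"unknown right: {ev.right}")
        if ev.action not in ACTIONS:
            raise ValueError(f"unknown action: {ev.action}")
        self._events.append(ev)

    def history(self, consumer_id: str) -> List[RightsEvent]:
        return sorted((e for e in self._events if e.consumer_id == consumer_id),
                      key=lambda e: e.at)

    def effective_state(self, consumer_id: str,
                        as_of: Optional[datetime] = None) -> Dict[str, bool]:
        """Map right -> True if the consumer has it asserted. Replays events in
        time order (latest wins). `as_of` answers "what was in force on that
        date", which is what you need when checking whether a past disclosure
        was permitted."""
        state = {r: False for r in RIGHTS}
        for e in self.history(consumer_id):
            if as_of is not None and e.at > as_of:
                break
            state[e.right] = (e.action == "assert")
        return state

    def may_process(self, consumer_id: str, right: str,
                    as_of: Optional[datetime] = None) -> bool:
        """True if the processing covered by `right` is permitted for this
        consumer. An unknown consumer has asserted nothing, so opt-out style
        rights default to permitted (a consent-based regime would differ)."""
        if right not in RIGHTS:
            raise ValueError(f"unknown right: {right}")
        return not self.effective_state(consumer_id, as_of)[right]


def build_sample_ledger() -> RightsLedger:
    """Constructed sample history for one consumer (all values made up)."""
    ledger = RightsLedger()
    for right, action, at, channel, rid in [
        ("opt_out_sale_sharing", "assert",   "2022-03-01T10:15:00+00:00", "gpc_signal", "req-0001"),
        ("limit_sensitive_pi",   "assert",   "2022-03-05T09:00:00-08:00", "web_form",   "req-0002"),
        ("opt_out_sale_sharing", "withdraw", "2022-04-02T16:30:00+00:00", "web_form",   "req-0003"),
    ]:
        ledger.record(RightsEvent("c-1001", right, action, ts(at), channel, rid))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("now:", ledger.effective_state("c-1001"))
    print("as of 2022-03-10:", ledger.effective_state("c-1001", ts("2022-03-10T00:00:00+00:00")))
```

The design choice worth noting is that the ledger never overwrites a consumer's state. A single "current preferences" row is easy to build but cannot show an auditor or regulator what was in force when a particular disclosure happened; replaying an append-only event list can, and the `channel` and `request_id` fields link each change back to the collection point and the fulfilment workflow the article says will need to change.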
Conclusion: Invest now to ensure privacy programs are both CCPA and CPRA compliant.
If a company's current privacy program complies with the CCPA, the company can extend it to meet the CPRA requirements listed above rather than starting over. The largest undertakings will be updating the data inventory, updating the records retention schedule, and standing up a PIA process. Some of these activities can take four to six months or longer to implement, so companies should start focusing time and resources on updating and enhancing their privacy programs now in order to be ready for the 2023 enforcement date.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.