2023 turned the switch from data privacy anticipation to data privacy execution as we ushered in several data privacy laws and regulations.
In a recent IAPP webinar, Alex Krylov and DeAndrea Salvador from DataGrail joined Austin Smith, VP of Legal Product Over Privacy from SixFifty, to discuss the changing U.S. privacy landscape and the next steps now that 2023 (and the CCPA as amended by the CPRA) is upon us.
With millions more people now covered by a data privacy law in the United States, many businesses are taking note of what is currently in effect and how to prepare.
CPRA vs. CCPA – What Does It All Mean?
CCPA vs. CPRA: what’s the relationship? If this alphabet soup has you a little tripped up, here’s a quick breakdown. As summed up by the California Privacy Protection Agency (CPPA) in its FAQ, the CPRA amends the CCPA; it does not create a separate, new law. As a result, the Agency typically refers to the law as “CCPA” or “CCPA, as amended.”
It is also sometimes called CCPA 2.0. Now that the terminology is defined, let’s dive into what the experts shared on what to do now that the changes are in effect.
What Makes California Unique
The webinar covered a few things that make California’s CCPA (2.0) stand out. There are some elements that California has that other states don’t, such as disclosing retention periods for categories of stored information. And starting in 2023, personal data concerning employees, contractors, job applicants, and business contacts is fully covered.
Don’t Forget The Other States
Anticipation of the CPRA changes to the CCPA took up much of the mental headspace of privacy practitioners for most of 2022. While that is largely warranted, neglecting to consider the impact of other privacy laws on your 2023 program is a common pitfall.
Virginia’s CDPA commenced on Jan 1, and Colorado, Connecticut, and Utah’s laws will go live later this year. Looking closely, you’ll notice that while the laws are similar, there are many differences between them (and in how to comply). Despite sharing similar substantive requirements, these laws have unique aspects. For example, CA, VA, CT, and CO mandate privacy impact assessments; UT does not. The California law covers workforce members; the other laws defer to preexisting labor laws. Meanwhile, affirmative consent for processing sensitive PI is emphasized in Virginia’s law in a way not seen in other states.
Altogether we have five significant changes to the US privacy landscape this year alone. Minding the gaps between the current and impending laws is a must to avoid accidental negligence in your privacy program.
Takeaway: Don’t Forget About the Other Comprehensive State Privacy Laws. Don’t assume CCPA 2.0 compliance equals compliance with other states.
CCPA Compliance Rules Remain a Moving Target
Complying with the CCPA as amended by the CPRA realistically comes in two parts.
First, there is the text of the law, which has been in full effect since January 1, 2023 and applies today, including to HR and B2B data. Second, the CCPA Regulations (the original set of clarifying guidelines and rules that the Attorney General issued back in 2020) still remain in effect.
“So, the text of the law, the broad interpretive standards, they’re in effect, and the specific requirements with a pre-updated law are in effect, so there’s a bit of a disconnect right away.” – Alex Krylov
Per the last board session in California, the Privacy Protection Agency will finalize its updated regulations to meet the full scope of the amended CCPA by April 1. That means the revised rules and standards that speak to updated notice requirements, honoring GPC opt-out signals, and leveraging explicit consent to override global opt-outs will be finalized and available for implementation around April 1.
This creates a delta in our understanding of the law’s implementation: the law itself and the direction of the CPPA is clear enough, but the brass tacks of what the Agency will consider ‘compliant’ will continue to evolve in phases. Case in point, there’s an outstanding second set of rules covering heady topics like cybersecurity and privacy risk assessments, automated decision-making, and the handling of HR data that the Agency has only just started on.
What does this mean for CCPA 2.0 enforcement? The original set of CCPA (1.0) rules remains in force. Meanwhile, the first set of updated “nitty-gritty” rules is not enforceable until July 1 at the earliest, and the second draft of rules is unlikely to be enforceable sooner than the Fall of 2023.
Takeaway: Keep an eye on the CPPA. While the main tenets of the law and its obligations are clear enough, a number of key specifics remain moving targets. Nevertheless, take what steps you can to comply now and iterate on further compliance as more becomes known over time. As Krylov put it, “bob and weave” to avoid obvious hits to your business.
Refresh Your Documents (If You Haven’t Already)
Remember, the CPRA amendments bring expanded transparency obligations covering SPI. And, as under the EU GDPR, workforce members need to understand their employer’s corporate privacy practices. Internal privacy policies and employee handbooks should include updated guidance around HR privacy practices and exercising privacy rights. Don’t forget to mind the nuances and gaps between the various laws. Differences in scope, definitions, and regulatory interpretation will make a monolithic approach hard.
Takeaway: In privacy law, details matter. Now is a great time to review your vendor contracts and internal and external policies and calibrate your operations for California and beyond.