CPRA kicks into gear in six months (gasp!), and along with it, there are many changes privacy leaders will need to make. To help our customers, the privacy community, and YOU figure out where to focus, we pulled together a report that summarizes the key things to focus on as privacy leaders gear up for CPRA.
The CPRA updates, expands, and amends 2018’s California Consumer Privacy Act (CCPA). Like most regulations, there are a lot of nuances in the CPRA, and it is easy to get bogged down in the details. Let’s start with the big changes from CCPA to CPRA.
- California employees will have the same rights as consumers, and can ask businesses to delete/access their data
- Companies need to offer Californians the option to OPT-OUT of their data being shared for advertising purposes, viewed as an expansion of the original Do-Not-Sell provisions
- The “look-back” provision, which means companies need to be able to account for personal data looking back to Jan ‘22
- A new data protection agency is created, the California Privacy Protection Agency (CPPA)
Thankfully, most companies have already sought to comply with GDPR and/or CCPA, putting them on the right track for CPRA. However, that doesn’t mean they’ll automatically be compliant with CPRA. Read on (or download the full report) for more details.
The Look-back Period: Traveling Back in Time
Unlike CCPA, the CPRA makes privacy requests retroactive with its look-back provision. Think of the look-back provision as a privacy Wayback Machine: a company’s present-day data practices can (and will) be scrutinized tomorrow and could lead to fines. If a California resident asks to see all their personal information on Jan 1, 2023, a company will need to reach back to Jan 1, 2022.
The look-back provision is a forcing function for California businesses to rethink their personal information collection and retention practices ahead of the 2023 start date. As a result, data minimization is a highly recommended best practice going forward. Data minimization is the principle of limiting data collection and retention to only what is directly necessary to accomplish a specific purpose.
The time to start thinking about data minimization is now: creating data retention and minimization policies takes time, and it takes even more time for those policies to be adopted across an organization.
Opt-Out Expands to Include Data Sharing, Which Will Increase Privacy Costs
When CPRA goes into effect, many more organizations will be required to give consumers the ability to opt out of third-party sales and sharing for “cross-context behavioral advertising.” One of the many advocate criticisms of CCPA was that it only enabled an opt-out for the selling of personal data, not for sharing it. Companies like Facebook have taken advantage of this lack of clarity and do not offer users the option to opt out of their data being shared.
For data to be considered “shared,” an organization must have:
- Shared personal information with any third-party entity that is neither a service provider nor a contractor, and
- Used the information gained from other distinct and independent sources to provide targeted advertising to the consumer.
Data from our 2022 CCPA Trends Report shows consumers are taking steps to reduce their online footprint and stop the sale of their data. The volume of opt-out requests nearly doubled in 2021, which means the costs doubled, too. It jumped from $192,000 per 1M identities to roughly $400,000 per 1M identities year-over-year.
Costs will only increase as more companies are required under CPRA to enable an opt-out of sharing personal data with third parties.
California Employees Have Privacy Rights
As of January 1, 2023, employees, contractors and business contacts will be able to exercise their California privacy rights like any other California “consumer”.
Like other consumers, employees will also have the right to request information about automated decision-making processes based on their personal information and can request a description of the likely outcomes that will result from these processes. Now that employees, contractors and business contacts are on equal footing with other Californians, getting a handle on all HR and financial systems that contain personal data should be a top priority.
Under the CPRA, businesses will need to comply with employees’ data requests pertaining to data from January 1, 2022, onwards—so the time to take a system inventory is now.
Looking back to prepare for what’s ahead, the numbers show the volume of DSRs is increasing, specifically Do-Not-Sell (DNS) and deletion requests, contributing to an overall cost increase of running a privacy program. Costs will continue on an upward trajectory as CPRA goes into effect. Because consumers can opt out of their personal data being “shared” for advertising purposes (with CPRA), the number of enforceable opt-out requests will go up tremendously. Organizations need to be prepared on the backend for a surge in requests: their tech stack needs to be in order.
Looking ahead, the CPRA will force companies to make privacy an interdisciplinary function. Companies should take steps now to integrate privacy into their overall business. By adopting GDPR principles, the CPRA tasks organizations with reaching a holistic understanding of their data practices, including retention. Organizations should use the next few months to get ahead of CPRA, particularly those that handle a lot of diverse data or engage in “cross-context behavioral advertising.”
Conversations about personal data usage can be hard because of competing priorities across the organization. That’s where strong leadership and an organization-wide understanding of a company’s approach to privacy are critical. More and more, we see leading brands, many of them DataGrail customers, calibrating their privacy programs around a comprehensive view of all their data so they can build robust privacy control centers that manage DSR fulfillment, consent, consumer preferences, and risk assessments and management.