The CPRA (CCPA 2.0) Passed, What Organizations Need to Know

In November 2020, the people of California voted “yes” to Proposition 24, which calls for the amendment of the California Consumer Privacy Act (“CCPA”), passed in 2018. The California Privacy Rights Act (“CPRA”) will supersede the CCPA and will add stronger privacy protections to California consumers. The CPRA will become effective until January 1, 2023 and organizations will have a 6-month grace period to comply. In the interim, organizations will need to maintain their ability to comply with the CCPA, which will remain in effect until then. In a previous blog about CPRA, we breakdown the top implications of the CPRA. Now that the CPRA has passed, in this blog our team presents the changes in scope and what organizations should consider for their existing privacy programs. Although there will be many changes between now and the effective date as guidance is released, planning for many of the major changes will help organizations be ahead of the curve.

Will the CPRA Affect All Organizations Currently Complying the CCPA? 

Certain organizations that were obligated to comply with CCPA may not be obligated to comply with the CPRA and vice versa. The following are the current thresholds for the CCPA:

  • Annual gross revenues of $25 million or more
  • Annually buy, sell, receive, or share for commercial purposes the personal information (“PI”) of 50,000 or more consumers, households, or devices; or,
  • Derive 50% or more of its annual revenues from selling consumers’ PI

The CPRA will keep the first threshold ($25 million or more in gross annual revenue) the same, but the second and third thresholds will be updated as follows:

  • Annually buy, sell, receive, or share for commercial purposes the personal information (“PI”) of 100,000 or more consumers, households, or devices; or,
  • Derive 50% or more of its annual revenues from selling or sharing consumers’ PI.

While the addition of “sharing” to the third threshold will most likely affect few organizations, the increase from 50,000 to 100,000 or more consumers, households, or devices in the second threshold could relieve many small businesses of their compliance obligations. With these changes in scope, it is imperative that organizations understand, organize, and properly identify their data as this could signify whether they will need to comply with CPRA.

How Will the CPRA Affect Privacy Operations?  

New Risk Assessments and Audits

The CPRA will add two unique requirements that will help organizations strengthen their privacy and security posture. The CPRA will require organizations whose personal information processing poses a “significant risk” to consumer security or privacy to undergo an annual cybersecurity audit. For many global organizations that currently perform cybersecurity assessments as part of their security programs, this new requirement might not present a huge challenge. In contrast, for other organizations, it will require significant preparation. To ensure compliance, organizations must implement a full cybersecurity program, including breach/incident response, defined roles and responsibilities, employee training, and security safeguards. Implementing a security framework, such as NIST CSF, NIST 800-53, ISO 27001, is the first cornerstone to protecting privacy in the organization and providing the foundation for an effective privacy program.

Organizations should review existing security assessments and ensure any identified gaps are understood and formulate action plans to remediate any noncompliance. In addition to evaluating the effectiveness of the organization’s security controls, it is important to recognize that audits place a particular emphasis on governance. Therefore, ensuring security policies and procedures are in place will be key to the success of the audit.

Organizations will also be required to perform regular risk assessments on personal information processing. This requirement is similar to the General Data Protection Regulation’s (“GDPR”) Data Protection Impact Assessment (“DPIA”). Organizations will need to further analyze their processing activities and review and update existing records of processing (“RoPA”) or initiate an assessment to understand how data is processed and the risk levels associated with each activity.

Implement New Mechanisms

The CPRA will affect how organizations fulfill consumer rights. Currently, the “Right to Know” under the CCPA only requires organizations to include information from 12 months prior, the CPRA expands this right beyond the last 12 months. This means that when the CPRA goes into effect, a consumer will have the ability to request information about them that reaches back to 2022. This right could present unique challenges to many organizations; however, organizations may want to consider limiting the personal information collected from the consumer to what is necessary and proportionate to provide a service.

The CPRA will also introduce two new consumer rights: “Right of Correction” and “Right to Limit Use and Disclosure of Sensitive Personal Information”. Additionally, the CPRA has also expanded the definition of “sale” to include “sharing” of personal information, this will require organizations to provide consumers the means to opt-out of the sharing of personal information and allow the consumer to consent to “sharing”. For these changes in rights, organizations will need to develop the means to exercise and fulfill them. Given the similarity of the “Right to Correction” and “Right to Limit Use and Disclosure of Sensitive Personal Information” to those under the GDPR, many organizations subject to GDPR compliance may leverage existing mechanisms and processes, including updating intake forms for additional request types, and internal workflows to enable consumers to make those requests. The CPRA also requires businesses to display a link similar to the “Do Not Sell my Personal Information” to their homepage for sharing and limiting sensitive information. Organizations can combine into one link or have separate links for opt-out of sharing or alternatively offer an “opt-out preference signal for consumers to consent. Organizations will also need to review their privacy notices to reflect new consumer rights and how the data is collected and used.

Update Contract Verbiage

The CPRA adds a new definition for contractors and places new data protection obligations to service providers, contractors, and third parties. Under the CPRA, the service provider and contractor will need to enter into a written agreement that includes the terms outlined in the CPRA. Additionally, service providers and contractors must notify the business if a sub-service provider or subcontractor is engaged and the engagement must have a written contract. Organizations will need to review and update contract language specifically to call out privacy protection and regulatory requirements, including ensuring that contractor or service provider do not provide cross-context behavioral advertising. To aid in this effort, organizations should ensure that service providers, contractors, and third parties are properly identified across the organization and evaluated on a periodic basis to identify any risks that may limit their ability to properly provide for privacy and security protection.

Conclusion

The CPRA reflects a trend we have been following in privacy, and it is to give consumers greater control over their personal data and require increased transparency from organizations on the ways personal data is processed and used. Although adopting the CPRA will present unique challenges to organizations, the adjustment from the CCPA to the CPRA will largely depend on the organization’s privacy and security program maturity. However, organizations should still be wary of the various updates that will directly affect their obligations to comply, internal operations and audit procedures, consumer rights management, and other aspect of business. While all organizations have different needs and strategies, it is important that organizations take a risk-based approach to the organization’s privacy and security obligations and perform a comprehensive assessment to identify, and understand any potential risks and vulnerabilities in its current operating environment that could affect their compliance with the CPRA.

Interested in talking more about privacy and data protection? Get in touch with us.