On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect. This regulation was the first of its kind in the United States, but it followed closely on the heels of Europe’s groundbreaking General Data Protection Regulation (GDPR). Both regulations have gradually been followed by other states and localities.
In January 2023, California is amending its privacy laws with the enactment of the California Privacy Rights Act (CPRA). This measure, in conjunction with existing provisions in the CCPA, will introduce some important changes to privacy policies that may affect your business in important ways. In this post, we’ll look at the state of privacy in California (and beyond) and provide a checklist to ramp up CPRA compliance ahead of next January.
Answering the Biggest Questions Related to CPRA and Ediscovery
Privacy regulation plays a big role in developing and maintaining defensible ediscovery preservation programs. Staying up to speed on evolving regulation is also essential for creating a robust approach to data governance. Here’s a quick reference guide to some of those most frequently asked questions relating to the CPRA:
What organizations must comply, and what are the consequences for non-compliance?
CPRA language defines a “business” as an organization that meets any of the following criteria:
- Has annual revenue that exceeds $25 million
- Collects personal information from more than 100,000 customers
- Earns more than 50% of annual revenue from the sale of California resident data
The intensifying focus on consumer privacy means that the penalties for non-compliance have also gotten steeper. In addition to levying stronger fines, the CPRA also creates a new, dedicated enforcement agency, the California Privacy Protection Agency (CPPA). Violations can apply to the way data is used by the business and also the way data has been protected in the event of a breach:
- Violations deemed intentional are subject to a fine of $7500
- Accidental violations are subject to a $2500 fine
- Culpability in a data breach will result in damages paid to compromised data subjects in the range of $100-$750 each
What new rights do consumers have under CPRA regulation?
Existing CCPA statutes already provide for stronger consumer rights when it comes to the use of personal data. CPRA regulations augment these rights in the following ways:
- Consumers must be given the option to opt out of the selling and the sharing of personal information
- Organizations must limit the use of new categories of sensitive data, which include identifiable information, location data, or information about consumer race, ethnicity, religion, or sexual orientation
- Consumers have the right to correct personal information
- Organizations must provide consumers with “meaningful information” regarding the use of data in automated decision-making and provide the opportunity to opt out in such instances
What new obligations do businesses face under CPRA regulation?
In addition to new protections for consumers, the CPRA also obliges businesses to take action related to three specific areas:
- Data retention and minimization provisions state that consumer information collected must be “reasonably necessary and proportionate to either the purposes for which it was collected or another disclosed purpose.” Additionally, retention rules will place limits on the amount of time personal information can be stored.
- Cybersecurity audits and privacy risk assessments will be required on an annual basis for those businesses that meet a standard of higher risk for the processing and use of personal information.
- Vendors and third parties, classified as “contractors” under the CPRA, must coordinate with partners regarding the use of consumer data and add new contract language for disclosure of personal information when such information is used as part of a contract.
Be Proactive in Your Preparation for CPRA
The CPRA is only one in a series of state privacy regulations that will soon go into effect: Virginia, Colorado, Utah, and Connecticut have passed similar legislation. Managing that complexity will require a clear plan of attack, dedicated resources, and great process. As you build or augment your privacy strategy, the following checklist—while by no means exhaustive—can be a handy reference:
Determine whether your organization is subject to CPRA regulation with these criteria:
- Your annual revenue exceeds $25 million
- You buy, sell, or share personal information from more than 100,000 California consumers
- At least 50% of your annual revenue comes from selling or sharing California consumer information
The CPRA regulates the usage of personal information, defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Do a thorough audit of all stored data to see if it includes any of the following:
- Social Security numbers, driver’s licenses, or other forms of identification
- Financial account numbers and login credentials
- Geolocation data for consumers
- Data related to race, ethnicity, sexual orientation, religious beliefs, or membership affiliations
- Internal communications that include emails and text messages
- Biometric data or health records of any kind
Make sure your use of any personal information or consumer data has been properly disclosed under these guidelines:
- Consumer data is only used in instances for which consent has been granted
- Consumer data cannot be used for any additional purposes without further notice and the ability to opt in or out
- Consumer data cannot be collected beyond the scope of disclosures
- Individual pieces of consumer data can be restricted at the subject’s discretion
Perform an audit/update of documentation related to new regulation, including:
- Disclosure notices
- Declaration of new consumer rights
- Opt-in/out language
- Website notifications (ensure clarity in language, visibility, and equal access)
- Service agreements (ensure compliance with new vendor and third-party obligations)
Update, augment, or build strong internal processes related to:
- Handling and responding to consumer rights requests
- Data governance policies around data minimization and data retention
- Risk assessments and cybersecurity audits
- Compliance training for those who work closely with personal consumer information
Get Your Ediscovery Process Compliance-Ready
Changes to the way your company collects, shares, sells, and uses personal consumer data could also have a significant impact on your legal holds and ediscovery process. CPRA has especially relevant provisions regarding data retention that could impact defensibility if not fully addressed.
At first glance, this may just seem like another procedural headache on top of already-complex ediscovery practices. But as we’ve discussed before, many of the behaviors and requirements of privacy regulation are already practiced by your legal team in some form—cataloging and collecting data, reviewing for relevance and personally identifiable information, and producing data.
Reach out today for a closer look at how Zapproved can help you tackle the challenges of privacy regulation.