CPRA Poised to Replace CCPA, Bring Stricter Data Enforcement
This fall, California voters will be asked to enact the California Privacy Rights Act (CPRA), a new law that would implement more stringent data privacy protections than the existing law, CCPA. What’s more, CPRA would also create a new state agency tasked with enforcing privacy protections.
CPRA is the brainchild of Alastair Mactaggart, a real estate developer and the founder of Californians for Consumer Privacy, an advocacy group that pushes for stronger data privacy. Mactaggart and his group were very close to putting a data privacy initiative on the ballot several years ago when the California legislature stepped in and created CCPA.
However, Mactaggart says the legislature has watered down the CCPA, which has resulted in lowered protections for California residents. That’s what drove him and his group to put the new CPRA initiative on the ballot, as Proposition 24. “Having seen the attempts to weaken what I see as a fundamental human right, I believe it is time to permanently enshrine these rights,” Mactaggart says.
If Prop 24 passes, then CPRA becomes the new law, and it would be immune from tinkering by the legislature. CPRA would bolster the existing CCPA law and align California’s law more closely with the European Union’s General Data Protection Regulation (GDPR). It would do this in several ways.
For starters, CPRA would create a new category of “sensitive personal information,” including race, sexual orientation, union membership, and location, and require companies to become good custodians of that sensitive data. CPRA would also triple CCPA’s fines for collecting and selling private information about children, and would require opt-in consent to sell data from consumers under the age of 16. It would also give residents more power to force companies to correct erroneous information about them, among other changes (you can see the full list of proposed changes, per Mactaggart’s Californians for Consumer Privacy group, at https://www.caprivacy.org/your-privacy-rights/).
But arguably the biggest change of CPRA is that it would create a brand new agency called the California Privacy Protection Agency (CPPA) that would be responsible for enforcing privacy law. While the provisions of CPRA would not go into effect until January 1, 2023, the CPPA would immediately take over enforcement of the CCPA from the California Attorney General.
Prop 24 is almost certain to be passed by voters, thereby making CPRA the law and putting the CPPA in charge of enforcement, says Dan Clarke, president of IntraEdge, a Chandler, Arizona company that provides software to automate privacy protections for large companies like Intel, DHL, and American Express.
“There’s almost no question it will pass,” Clarke tells Datanami. “I think most California voters support additional privacy protection. Very few of them will read the details and the tradeoffs of it. They’re just going to see this as additional privacy protection, so I think it’s very likely to pass.”
The hiring of Andrew Yang, a former Democratic candidate for president, by Californians for Consumer Privacy bolsters the case that Prop 24 and CPRA are almost inevitably going to pass, Clarke says. “I think it’s going to slide under the radar,” Clarke says. “Nobody’s funding opposition to any real degree.”
While Clarke personally favors a national data law that mirrors GDPR, as many nations have done around the world, he questions whether CPRA is the right law at this time. “In terms of my personal view, I question the timing of this,” he says. “We just barely are into CCPA. We’re just starting to see that landscape unfold. We’re in the midst of this crazy pandemic…But at this point, within our client base, we really see this as a fait accompli, that it’s extremely, extremely likely to pass.”
Passage of CPRA would mean more change for California companies, as well as companies that sell to California residents. CCPA went into effect in January, but enforcement by Attorney General Xavier Becerra didn’t begin until July 1. However, it was only last month that Becerra’s office completed its rule-making endeavor around CCPA.
In CCPA, there are key differences between the actual law and the operational rules. For example, do companies have 45 days to respond to a CCPA request, as CCPA specifies? According to the rules passed by Becerra’s office, the whole process should be complete in 45 days, but companies must acknowledge receipt of the request within 10 days.
“So it’s very complicated,” Clarke says. “It’s only been a few weeks that we’ve had all of the rules in place, which is why I question the timing of CPRA. But I think we have to accept that it’s so likely to pass that we have to prepare ourselves.”
IntraEdge has already done the work to modify its software to handle the new law, as it does for all privacy laws that it helps its clients comply with. IntraEdge, which got its start by helping develop Intel’s data privacy system for GDPR compliance, today has more than 1,400 employees and touches about a billion people worldwide with its systems, Clarke says.
IntraEdge’s big clients will be fine, but not everybody will be so lucky, particularly if the CPPA begins to crack down on violations in a much stronger manner than Becerra’s office has.
“[CPRA] is a big deal for companies that have taken a wait and see approach,” Clarke says. “The guys who are on the sidelines could really be impacted by this new agency.”