As the digital landscape grows more complex, consumer privacy laws have changed to give consumers more control over who has access to their personal information and how that information gets shared. Over the past several years in the U.S., individual states have been taking a stab at implementing legislation aimed at protecting consumer rights and personal data. Corporate entities and law firms need to pay special attention this year as a slew of new privacy laws go into effect in states across the country.
California has historically been a leader in establishing consumer privacy rights. The California Consumer Privacy Act (CCPA) — and the new amended version of CCPA, the California Privacy Rights Act (CPRA) — have set the stage for other states to implement privacy laws, which many are doing in 2023. Laws like these will continue to proliferate, and it is important for businesses to understand that just because you do not do business in a state with a local data collection law doesn’t mean you are not liable for compliance or at risk for violating that law.
Let us take a closer look into CPRA, explore how it is different from other privacy laws such as the European General Data Protection Regulation (GDPR), and discuss how you can mitigate risk for your organization when it comes to data privacy.
What Is CPRA and How Is It Different from CCPA and GDPR?
What is CPRA anyway and does CPRA replace CCPA? Not exactly. The CPRA was approved by California voters in November 2020, and its operative date was Jan. 1, 2023. The CPRA is an expansion of CCPA, which was signed into law on June 28, 2018. CCPA created a large swath of consumer privacy rights regulating the collection and sale of personal information, and CPRA is essentially a set of amendments to CCPA.
Despite having its origins in CCPA, CPRA has distinct differences from its parent law. CPRA amends and adds provisions to Title 1.81.5 of CCPA, including defining what “sharing” of personal information means. It also adds a fourth category — contractors — to the groups on which CCPA imposes obligations. Additionally, CPRA grants some new rights to consumers that corporations and legal firms should be aware of, including the right to correct inaccurate personal information and the right to “limit the use and disclosure of sensitive personal information collected about them,” according to the state.
One of the main distinctions between CPRA and GDPR is the potential financial cost of non-compliance. The fines for failing to comply with CPRA are higher than for failing to comply with GDPR. Another difference is the rules around consent. GDPR requires your explicit consent to share data. The California laws do not require explicit consent, but they do require a business to give notice to the consumer that it is collecting their information and to provide a way for them to opt out.
The California laws also define personal data differently than the European regulation, with GDPR defining it more loosely — widening the footprint for risk. CCPA and CPRA define it more specifically, and their rules pertain only to data collection about residents of California.
What Are the Obligations of a Business as They Relate to CPRA Compliance?
CPRA requires businesses to keep a data inventory so they can produce the personal data they have collected on an individual should that consumer request it. The business needs to be able to show what data they have collected in addition to being able to fulfill requests that information be deleted, not shared, or not sold.
How Are CPRA Regulations Affecting Other Privacy Laws?
CPRA actually acts as the influencer — many states are considering adopting at least parts of CPRA and CCPA, with privacy laws in Colorado, Connecticut, Utah, and Virginia also going into effect this year. Those laws borrow a bit from GDPR, and similarly govern consumer rights as they relate to accessing, correcting, and deleting personal data — as well as giving consumers the ability to opt out of the sale of their data.
How Can Organizations Stay Compliant with CPRA?
The first step in compliance is knowing what level of exposure your business has. It’s important to be able to determine whether you have information that could expose you to non-compliance with any data privacy laws.
You should also evaluate your technology stack to see if you have ways to identify personal information, transmit that information, easily redact it, or exclude it from certain other legal obligations you might have. In Casepoint’s Legal eDiscovery and compliance platform, you can track your responses to information requests so you can demonstrate compliance.
Casepoint also has a complete product adoption team, which services all aspects of our products so we can align our solutions with your goals. We help you learn how to use our platform to create compliance procedures — leveraging artificial intelligence and machine learning — so you can better identify personal information and stay compliant. We also have a number of industry experts and in-house lawyers with deep experience advising corporations about data privacy from both a consultative and a technological standpoint.
What’s Next for Data Privacy?
Back to the question, “what is CPRA?” It’s a bellwether that has already influenced other states’ implementation of data privacy laws this year. Corporate entities and legal firms should note that this is just the beginning of a process in which more and more U.S. states are likely to follow suit and establish their own privacy laws. The stakes are likely going to get higher.
While California has led the charge, more states and global regions figure to follow suit. You can expect to see more jurisdictions trying to protect their constituents with ensuing generations of data privacy laws, each of which might be subtly different. Evaluating how your business handles personal information — and how you can change it, delete it, and prevent its sale — is a vital step to take today before regulations grow in complexity and breadth.
Get in touch with Casepoint to learn how our innovative platform can help you manage and safeguard your company’s data. Or, to learn more about overcoming data challenges, download our whitepaper: The Data Avalanche.