It’s been less than a year since the California Consumer Privacy Act (CCPA) took effect. The law is intended to enhance privacy rights and consumer protection for residents of California.
Last week, Californians passed a new set of rules known as the California Privacy Rights and Enforcement Act (CPRA). This new set of rules will supersede CCPA when it goes into effect on January 1, 2023.
The new law expands consumer privacy rights and imposes additional obligations on businesses. That means merchants who sell online and do business with California residents should start preparing now to comply when the deadline arrives.
Karen Schuler, a Practice Leader at BDO’s Governance, Risk & Compliance National Practice and Principal at BDO Digital, spoke to Card Not Present about what merchants need to be doing to prepare for CPRA.
What are the key differences between the California Privacy Rights Act (CPRA) and California Consumer Privacy Act (CCPA)?
Schuler: With the passing of the California Privacy Rights Act (CPRA) on November 3, 2020, companies doing business in California will be required to make some adjustments to their data protection and privacy operations before it becomes effective on January 1, 2023. The California Consumer Privacy Act (CCPA) remains effective until that time, but given the vast changes from CCPA to CPRA, companies must start to address changes to their data protection and privacy operations rather quickly.
The CPRA is a tougher data protection and privacy regulation that creates stronger protections for Californians’ rights to privacy. CPRA mimics a fair number of aspects of the EU’s General Data Protection Regulation (GDPR) by enhancing individual rights, establishing an enforcement agency and introducing a definition for “sensitive personal data.” This is the first of its kind in the United States, but it is worth mentioning that several states are soon to follow—Washington, New York, Maryland and Massachusetts are just some that are trying to pass similar laws.
- The CCPA defines in-scope organizations as those doing business in California with $25 million or more in annual revenues or that earn more than 50 percent of their revenue selling consumers’ personal data.
- The CPRA also defines in-scope organizations as those with $25 million in annual revenues, but then deviates a bit to include: or buys, sells, or shares the data of 100,000+ consumers or households, or derives at least 50 percent of annual revenue from selling or sharing consumers’ personal data. The distinctions are slight, but still need to be considered.
- The new definition of “sensitive data” is a big change from the CCPA’s personal data definition. It is broader than even the GDPR’s definition of “special categories of data” and would require expressed consent. CPRA highlights new obligations for companies, including:
  - Correct data collected about the consumer
  - Restricted use of sensitive personal data
  - Restricted storage of data longer than necessary
  - Restricted collection of more data than necessary
  - Restricted use of precise geolocation data
  - Transparency regarding automated decision-making
  - Restricted transfer of data onward
  - Provided opt-out option for the sale of personal data
How will this impact merchants with e-commerce operations that may collect data of California residents?
Schuler: For starters, the definition of sensitive personal data, which mimics Article 9 of the GDPR, will impact e-commerce operations in that information like social security numbers, driver’s license numbers, passports and financial information, as well as race, religion, precise geolocation and biometric data would require special handling and protections and are likely to be the subject of enforcement actions. Tech ad companies will see the greatest impact, especially if an organization uses precise geolocation information to sell products or services by targeting particular demographics or shopping habits.
Companies that provide targeted advertising to personalize product selections will feel the impact of CPRA. Their data collection, sharing and retention habits will need to be altered and an option for consumers to opt out will be required.
The right to opt out of the sale of personal information will impact e-commerce companies that are built on selling data, such that they will need to offset that revenue source. The new definition of “sharing” will also require companies to allow for opt-out of any third-party tech cookie collection that might occur on their website or app. This alone could affect the number of sales driven by advertisements across free and paid websites and apps.
In particular, this could greatly challenge companies like Facebook and Google, as they would not be able to hide behind the CCPA’s lack of clarity around selling data. The ability for a consumer to opt out will require tech companies that share or sell data to stop sharing/selling data upon the consumer’s selection to opt out of that activity. At that time, all third parties must be notified to also stop using that data. If a company is found to violate this aspect of CPRA, then a consumer could file a private right of action.
Like many other companies, e-commerce operations will need to be ready to defend their data retention and the limitation of use obligations. E-commerce operations will need to ensure that data life cycle practices and policies are implemented, managed and enforced throughout an organization. Separately, the sharing or selling of data will require a process that could be difficult to establish. Consider this: if Company A shares information with Company B and Company C, and a consumer of Company A opts out of the sale of their data, Company A will be required to trickle down that option to the other companies. It’s similar to a GDPR controller and a HIPAA covered entity. Ultimately, accountability resides with the covered entity and they could be found at fault for what the processor or the business associate does (or does not do).
What should merchants be doing to prepare to comply?
Schuler: It’s really simple: Merchants need to think more about data protection and privacy versus traditional cybersecurity. They should not take it for granted that they are CPRA compliant if they hold accreditations like ISO or PCI-DSS. Merchants also need to consider data flows and not just an inventory of data sources to ensure they have an understanding of data flowing in and out of the organization. Using guidance like BDO’s Data Protection Framework, merchants can better prepare themselves by establishing a governance structure that focuses on:
- Establishing privacy operations that understand how to protect and prepare the organization
- Ensuring that Privacy by Design is followed to introduce privacy into the equation before a product is developed
- Updating their website notices and ensuring they match internal operations
- Implementing a blockchain consent management capability
- Developing and maintaining a consumer rights, requests and complaint center
- Improving their data management practices
- Reviewing their current data security practices
- Updating incident management and breach notification practices
- Reviewing all vendors that interact with personal data
- Training their employees and providing regular awareness of what this means to the organization (if it doesn’t comply)
A key aspect for merchants will be to demonstrate their practices are fair, lawful and transparent to provide the California Protection Agency and Californians the comfort in knowing that they take this law seriously. That, combined with a focus on data limitation, dedication to only use data for its intended purposes and a review of data sales agreements, will demonstrate that a company is taking consumer rights seriously, thus enhancing an organization’s brand and building trust with the consumer.