In November, California voters passed Proposition 24, the California Privacy Rights Act (CPRA) of 2020. This ballot initiative builds on 2018’s California Consumer Privacy Act (CCPA) and is sometimes referred to as “CCPA 2.0.” The CPRA is more of a reboot than a sequel, however, and it substantially increases the rights of individuals and the obligations of businesses that handle personal data.
The CPRA earned immense popular support; it won 56% of the vote, making it the second most popular California ballot initiative of 2020. The law’s popularity means that businesses need to take it seriously or risk incurring reputational damage.
Here, we’re going over some of the most significant new additions in the CPRA and offering suggestions for how to prepare.
CPRA Steps up Penalties and Enforcement
The CCPA put enforcement in the hands of the California Attorney General, but the CPRA gives more power to individuals and to a new state agency. In fact, the proposed law was originally called the California Privacy Rights and Enforcement Act (CPREA), which indicates its new emphasis on accountability.
Establishing a new regulatory agency
The CPRA creates the California Privacy Protection Agency (CPPA), which Lexology calls “the first government agency in the US focused solely on privacy.” The CPPA is tasked with enforcing the law by issuing fines and demanding that companies undergo risk assessments and audits of their data handling policies.
In addition, the CPPA will provide further regulations, rules, and guidance as to the CPRA’s interpretation. According to Prop 24’s website, this new agency will have a budget of $10 million, which “would equate to roughly the same number of privacy enforcement staff as the FTC has to police the entire country.”
This might actually end up being good news for businesses because the CPPA will be able to offer guidance and clarity on the CPRA’s requirements. The CCPA’s language was a source of confusion, and the National Law Review points out that the CCPA has been unpopular because of its “overbroad definitions, ambiguous language, and overall lack of clarity.” This agency could function like the United Kingdom’s Information Commissioner’s Office (ICO), which has helped create clarity and guide enforcement of the General Data Protection Regulation (GDPR).
Expanding private right of action
Under the CCPA, individuals had less power to hold companies accountable for noncompliance. Under CCPA, private citizens can only take private legal action against a business for certain types of breaches and, often, only after giving a business notice and the chance to “cure” the problem. But the new law states that “The implementation and maintenance of reasonable security procedures and practices... following a breach does not constitute a cure.”
In other words, if the cows escape the barn, businesses have to put them back in if they want to avoid legal trouble. Merely putting a lock on the door so nothing gets out next time will not suffice.
CPRA Follows GDPR’s Lead
The CPRA includes many concepts familiar to anyone who has studied the GDPR. These new additions seek to give individuals more control over their personal data and limit the ways businesses can use it.
A new category of “sensitive personal information”
The CPRA introduces the concept of “sensitive personal information” as a particular class of data, which is held to higher standards than other personal information. This concept is already featured in the GDPR, although the CPRA’s definition is broader.
Sensitive personal information in the CPRA can be divided into two categories: direct identifiers and highly private data. The first category includes government-issued IDs, financial information, and any combination of account credentials that allow access to an account. The second category would encompass precise geolocation, ethnicity, religion, genetic and biometric information, sexual orientation, and the contents of email and text messages unless those messages were sent to the business in question.
The CPRA explicitly gives individuals greater power to limit how companies use this information. Users may now request that a business use this information only as necessary to provide the service or goods “reasonably expected by an average consumer” and only for a limited number of purposes specifically outlined by the law.
This, in turn, creates a new opt-out requirement for businesses, which JD Supra speculates may entail including “a link available on their website home page titled Limit the Use of My Sensitive Personal Information.” This would be a separate notification from a link that says, “Do Not Sell or Share My Personal Information.”
Introducing the “right of correction”
The CPRA gives consumers the right to request that businesses correct inaccurate personal information about that consumer. (The GDPR refers to this as the “right of rectification.”) Businesses are required to notify consumers of this right, and in the event that someone requests a change, they must make “commercially reasonable efforts” to correct it.
Increasing restrictions for data retention/deletion
The CCPA grants consumers a limited right to request that their personal information be deleted, albeit with several exceptions that make it significantly weaker than the GDPR’s “right to be forgotten.” The CPRA places the onus on businesses (and the parties that handle their information) to delete data on their own. The law requires businesses to keep personal information only as long as necessary to achieve the purposes disclosed to the consumer.
In addition, if a consumer requests deletion, businesses must pass this request to service providers and contractors, who, in turn, must notify their own service providers and contractors to create a shared obligation of deletion.
Extending scope to “sharing” data
In nearly every instance where the CCPA mentions “selling,” the CPRA has amended it to say “selling or sharing.” To be clear, the CCPA’s definition of selling is already quite broad. Nevertheless, the CPRA seeks to eliminate loopholes that companies exploit for the purpose of “cross-contextual behavioral advertising.”
This change may make it impossible for companies like Facebook and Google to sidestep the opt-out requirement by insisting that they are not “selling” user data but merely letting advertisers use that data for targeted marketing. As Datawallet reports, this small change could end up “completely changing the status quo of the existing digital advertising ecosystem.”
How Businesses Should Prepare for the CPRA
The good news for businesses is that CPRA enforcement won’t begin until July 2023. The CPRA also extends the CCPA’s exemptions on employee data until that time.
IAPP speculates that this grace period may be intended to give the federal government time to introduce national privacy legislation. Regardless of the reason, businesses have some time to prepare and put new data policies in place.
Step up data deletion policies
As discussed before, the CPRA requires that businesses (and the outside parties who work with them) delete personal data after it has served its purpose. Beyond complying with that element of the law, data deletion is simply good practice since the more personal data you keep, the more you have to lose in a breach. And given the new law’s emphasis on enforcement and its expanded right of private action, every compromised record in a breach could lead to serious penalties.
Tightening deletion policies first requires that all personal data be accounted for, not floating around in the ether. As the IAPP puts it: “While many privacy officers have implemented annual data deletion days as a best practice, getting all employees to comply and delete troves of outdated data, which no longer serves a purpose, has remained a perpetual challenge.”
One solution to this challenge is to connect all personal data under centralized user profiles, accessible through your identity and access management (IAM) system. Having a single repository of customer data simplifies compliance with many aspects of California’s data privacy laws, such as deleting personal data, making corrections, and giving reports to consumers upon request.
Implement MFA for logins
The CPRA singles out login credentials for special attention. In the first instance, it includes credentials under “sensitive personal information.” And while the CCPA only gave individuals the private right to legal action if a breach exposed their unencrypted personal information, the CPRA extends that right to breaches that expose a user’s “email address in combination with a password or security question and answer that would permit access to the account” provided that the breach occurred as a result of the business’ failure to maintain reasonable security practices.
This new language is a clear attempt to combat the epidemic of broken authentication attacks, such as credential stuffing, in which exposed login credentials become the gateway for identity thieves.
One way to improve compliance is to encrypt stored passwords. But encryption alone can be insufficient because encryption standards change, and there’s always the possibility that you have an old database of plain-text passwords hiding in your systems.
That’s why it’s wise to implement multi-factor authentication (MFA) and ensure that credentials alone don’t automatically permit account access. MFA will request an additional form of credential (such as a fingerprint or a one-time code) in the event of an unusual login (such as someone trying to log in from a new device).
Examine your relationships with third parties
The CPRA places major emphasis on extending data privacy obligations to contractors, service providers, and third parties. It specifically defines a contractor as someone to whom a business gives access to personal information via a written contract. This contract prohibits the contractor from selling or sharing data with other parties or using it for any purposes not listed in the contract.
The CPRA also requires any service provider, contractor, or third party that receives data to contractually agree to adhere to the CPRA’s standards. The IAPP notes that these requirements “are reminiscent of the GDPR and various international data transfer mechanisms designed to extend GDPR protections and enable cross-border compliance.”
These changes make it essential for businesses to educate themselves about the data privacy and cybersecurity standards of every outside party with whom they share personal data. The work of drawing up contracts will fall to lawyers, but it’s up to security professionals to ensure that third parties live up to their contractual obligations by practicing good data security.
CPRA Is Big (but Not Necessarily Bad) News
When news of “CCPA 2.0” first dropped, soon after the passage of the original law, some business leaders were dismayed. A few seemed to feel that Alastair Mactaggart, the movement’s leader, was personally out to get them. But now that the law has passed, it’s time for everyone concerned to embrace its overall goals.
The new additions in this privacy law are part of a broad evolution in consumer rights. And while this particular law applies only to Californians, there are state laws springing up across the United States with similar agendas. Even though it may be challenging to achieve compliance with this national and global patchwork of laws, they all require the same basic mindset. Respect privacy, practice transparency, and control access to personal data.
About Auth0
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.
About the author
Adam Nunn
Sr. Director of Governance, Risk, and Compliance