What does California Privacy Rights Act mean for the future of data protection?

About the author

Scott M. Giordano is an attorney with more than 20 years of legal, technology, and risk management consulting experience. An IAPP Fellow of Information Privacy and a Certified Information Security Systems Professional (CISSP), Scott serves as Spirion’s subject matter expert on multinational data protection and its intersection with technology, export compliance, internal investigations, information governance, and risk management.

On November 3rd, California voters will have an opportunity to vote for (or against) Proposition 24, better known in data protection circles as the California Privacy Rights Act of 2020 (CPRA or the Act). Voters might wonder why they need a new data protection law so soon after the California Consumer Privacy Act (CCPA) went into effect. The answer is that the CPRA is groundbreaking in many ways and offers substantially improved protections for privacy; if I had to pick three, it would be the following:

  • The creation of the California Privacy Protection Agency (CalPPA). CalPPA is an independent agency that will be tasked with enforcement of the CPRA and other state privacy regulations. In GDPR terms, CalPPA is a supervisory authority. In layman’s terms, it’s the privacy police. And this agency will have teeth – included in its arsenal is subpoena power, which gives it the ability to demand both testimony and supporting documents. The position of Chief Privacy Auditor will be created in order to conduct audits of businesses suspected of privacy violations.
  • The creation of a new class of personal information, sensitive personal information. Unlike the GDPR, the CCPA does not call out certain types of personal information as “sensitive,” or “special,” or some similar appellation, meaning that all personal information is treated the same. Contrast this with the CPRA, which takes a similar approach to the GDPR but expands on it. Under the Act, information such as a consumer’s precise geolocation, private communications, and biometric information are “sensitive.” Not only can businesses not sell such information without consent, they can’t even use it – this is a remarkable change in and of itself, and the list of information considered sensitive is lengthy.
  • Restrictions on cross-context behavioral advertising. Cross-context behavioral advertising (CCBA) is another way of saying profiling, i.e., targeting of advertising based on “consumer’s activity over time and across time and multiple businesses or across multiple, distinctively branded websites, applications, or services.” All of the current CCPA-based rules regarding sales of personal information apply to CCBA, meaning that consumers can opt out. Also, CCBA data cannot be used internally by a business, e.g., to develop or evaluate marketing campaigns. As a practical matter, advertising would be limited to non-personalized advertisements, the kind used during the early days of the World Wide Web.

The (near) future of data protection

So, assuming the CPRA/Prop. 24 is approved by voters, what impact will the new law have on data protection practices writ large? Here are some changes that will likely take place at the corporate level:

  • Data inventories will become more detailed. A data inventory is a living record of how personal information is collected, processed, stored, shared, and protected by an organization. The creation of a new class of personal information, sensitive personal information, means that organizations will have to review all of the software applications and processes that may collect or process personal information, determine if any of that information is sensitive, and update the inventory accordingly.
  • Updated risk assessments will be needed. All or nearly all data protection laws mandate a risk assessment, even though they don’t always use that phrase. Both the CCPA and CPRA cite a business’s “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information[.]” [emphasis mine] This duty translates into an assessment of the nature of the personal information, including the potential for harm if the information is stolen or if it is misused by a third party. Passage of the CPRA will necessitate updated risk assessments, or perhaps entirely new ones.
  • Additional controls will have to be implemented. Some types of personal information are particularly amenable to misuse, like biometrics or geolocation data, and as a consequence additional technical and organizational controls will likely have to be implemented based upon the risk assessment. In particular, encryption at rest and multi-factor authentication are routinely cited as appropriate technical controls, while data minimization policies and partner audits are cited as appropriate organizational ones.

The longer term

The CPRA will, if approved by voters, become the default national standard for data protection. This is so owing to the size of the California population as well as the state’s economic and political power. In addition, neither U.S. nor multinational companies will want to function with two standards and the CPRA is close enough to the GDPR (a topic I’ll save for another post) to function as a unit. This single “standard” will have a profound influence on new or updated data protection laws in other U.S. states and will likely lead to the:

  • Offering to residents the ability to access their personal information and to make corrections or to delete it entirely;
  • Imposition of mandates to not use or sell personal information without consent and to provide greater protection to “sensitive” personal data; and
  • Adoption of principles, best practices, and technologies such as data minimization, Privacy by Design, and differential privacy, respectively.

The upshot of all of this is the steady evolution of a default national standard that will eventually become codified in federal law. This has to potential to offer unimpeded data transfers from the EU to the U.S., the necessity of which was underscored in a recent decision by Court of Justice for the European Union. While the U.S. and EU currently take largely different approaches to data protection, approval of the CPRA will likely get us to the same place.