You’ve probably heard the classic idiom about “keeping up with the Joneses.” According to Merriam-Webster, it means “to show that one is as good as other people by getting what they have and doing what they do.” In practice, that has usually meant people buying expensive cars or other things they can’t afford in order to maintain the same pace as their peers.
When you consider privacy legislation in the United States, we are decidedly not “keeping up with the Joneses”—or, namely, Europe.
When it became effective in 2018, the GDPR provided a blanket blueprint that led to over a dozen countries updating their national privacy laws to “keep up” with the new industry standards.
But unfortunately, the U.S. has yet to do the same when it comes to federal data protection legislation—as it stands right now, Congress will need to compromise on the two key issues of preemption and private right of action before more progress can be made.
That’s left us with a patchwork of state and industry legislation that hasn’t done much to help demystify U.S. data protection. Our dedicated privacy practice and team are tasked with staying abreast of potential and emerging changes to this landscape, and with a significant change on the horizon, we want to help you prepare.
There’s a new law on the way in the California Privacy Rights Act (CPRA), and in this article, we’re going to break down what you can expect, including by drawing comparisons to the older California Consumer Privacy Act (CCPA). Let us simplify at least this part of the privacy landscape so that you can more easily “keep up” with regulations.
What is the CPRA?
So what is the CPRA, and why should you care?
When it becomes effective on January 1, 2023, the CPRA will represent California’s latest state legislation concerned with protecting the digital privacy of CA residents.
For what it’s worth, California is doing its part to somewhat “keep up with the Joneses”—the CPRA and the GDPR share similar concepts and extraterritorial reach. The former contains GDPR-like provisions regarding things like data minimization, retention, and conducting risk assessments.
While the GDPR covers the personal data of natural persons in the EU, the CPRA applies to businesses handling the personal information of California residents. To actually fall under its jurisdiction, though, an organization must meet at least one of three established criteria. Your organization will be subject to the CPRA if you:
- Buy, share, or sell the personal information (PI) of at least 100,000 consumers or households annually.
- Make $25 million in gross revenue in the preceding year, as of January 1.
- Receive 50% or more of gross revenues from sharing or selling personal information collected from your users.
CPRA vs. CCPA
The CPRA can be considered a new iteration of an earlier piece of California legislation—the CCPA, which went into effect on January 1, 2020, and created an array of consumer privacy rights and business obligations with regard to the collection and sale of personal information.
The CPRA builds upon its predecessor—some even call it CCPA 2.0—but there are some key differences between the two regulations you should understand, including significant expansions:
| | CPRA |
| --- | --- |
| Effective Date | January 1, 2023 |
| Expanded Consumer Rights | “Opt-Out” Right; Expanded Access Right |
| Website Declarations | The CPRA revises the CCPA’s “Do Not Sell” button to be a “Do Not Sell or Share My Personal Information” option. It also requires a “Limit The Use Of My Sensitive Personal Information” option, and these buttons must be clearly labeled. |
| New Consumer Rights | Right to Correct; Right to Limit Use of Sensitive Info |
| Defines Sensitive Personal Information (SPI) | The CPRA introduces a new classification of data called SPI. The regulation dictates that your security measures for data must be appropriate for the data type. With this new category of SPI, we assume that this kind of data will require further safeguards and protections. That’s because SPI constitutes things like Social Security Numbers, driver’s license or passport numbers, financial account information (including card numbers), genetic or geolocation data, as well as health information. |
| Data Minimization and Purpose Limitation | Businesses must collect, use, and retain only what is reasonably necessary. |
| New Threshold for Jurisdiction | To be subject to this law, one criterion is that you must buy, share, or sell the PI of at least 100,000 consumers annually. (Friendlier to small businesses) |
| New Enforcement Agency | The California Privacy Protection Agency (CPPA) |
What is the CPPA?
The CPPA is likely the most anxiety-inducing change for organizations. With an office now devoted solely to safeguarding all Californians’ digital privacy, enforcement resources will increase substantially, and enforcement activity should see a big uptick after the July 1, 2023 enforcement date.
But the CPPA won’t just be dropping the hammer. It will also be responsible for further rulemaking, including drafting and implementing regulations on the requirements for performing annual cybersecurity audits and conducting risk assessments, some of which will have to be submitted to the CPPA on an annual basis.
What’s Next for Privacy in the United States
California certainly has been leading the charge in the United States where data privacy is concerned, but it’s also important to note that several other states are close on its heels with their own legislation as well.
In Connecticut, Virginia, Colorado, and Utah, new laws are set to become effective in 2023, and while they have some similarities to the CPRA when it comes to scope and requirements, there are key differences as well regarding factors such as:
- Revenue thresholds;
- Carve outs; and
- Private right of action.
Other states, as you can see here, are making progress as well:
As much as this is all good news for data protection, all these new laws with varying jurisdictions and requirements will continue to cause additional headaches for organizations pending an established baseline to adhere to that stretches across the entire United States.
For more details on the U.S. patchwork of privacy law, check out our on-demand webinar that delves deeper into the subject, including the CPRA.
Complying with The CPRA
Until federal privacy legislation is passed, privacy standards in the U.S. will continue to be surpassed by more countries across the globe. And as the privacy “Joneses” continue to leave us in the dust, organizations will encounter an increasing barrier to e-commerce. For those reasons, we can only hope that Congress prioritizes the passing of a national privacy law sooner rather than later.
But for those organizations conducting business in California, you’ll have to contend with the new CPRA and its expanded requirements for the time being. With the establishment of the CPPA to enforce these data privacy regulations, you may want to adopt a more conservative approach with your privacy notices and protections to ensure you remain in compliance.
For more information on how you can address privacy through other standards right now, check out our other content regarding the different ones to see which might suit your organization best:
- Should You Include Privacy as a Trust Service Category In Your SOC 2?
- ISO 27018 vs. ISO 27701
- What are the Benefits of an APEC CBPR/PRP Certification?
About Chris Lippert
Chris Lippert is a Director and Privacy Technical Lead with Schellman and is based in Atlanta, GA. With more than 10 years of experience in information assurance across numerous industries, regulations, and frameworks, Chris developed a passion for and concentration in data privacy. He is an active member of the International Association of Privacy Professionals (IAPP), holds his Fellow of Information Privacy (FIP) designation, and advocates for privacy by design and the adequate protection of personal data in today’s business world.