After a six month grace period, enforcement of the California Consumer Privacy Act (CCPA) is on track to begin July 1, 2020. While many companies are still working to comply with CCPA (that came into law on January 1, 2020), there’s another round of policy changes coming that takes consumer protections even further, CCPA 2.0 – the Consumer Privacy Rights Act of 2020 (CPRA).
July 1, 2020
This new law will be on the ballot in November 2020, and, if passed, wouldn’t go into effect until January 1, 2023. It’s still important to stay on top of the changing requirements, as taking these into consideration in your current compliance strategy can help save you from re-work and the associated extra costs and effort. Being proactive with consumer privacy rights can also benefit your brand and consumer trust in your brand.
“70% of organizations say they received significant business benefits from privacy beyond compliance. This is up from 40% last year and includes better agility and innovation, increased competitive advantage, improved attractiveness to investors, and greater customer trust.”
What’s Different About this Privacy Law?
CPRA is meant to take consumer protections even further by differentiating how companies may use sensitive personal information, enabling consumers to correct inaccurate data, and implementing additional rules around using data for profiling. The new law would also establish a protection agency whose mission would be to enforce CPRA.
With a stronger focus on key vulnerable data areas, CPRA allows for higher fines for intentional and even unintentional misuse of a minor’s data, along with further requirements for sensitive data. “Sensitive” personal information includes what you’d expect: social security numbers, driver’s license, passport information, or an account login in combination with credit/debit card and credential that allows access to the account. However, it also includes geolocation data, racial or ethnic origin of the consumer, religious or philosophical beliefs of the consumer, and a few other seemingly unconnected areas of data that you may have about your consumers.
Similar to GDPR (General Data Protection information) in the European Union, the CPRA would introduce requirements that allow consumers to correct misinformation a company may have on them. This introduces deeper complexity to manage this data than simply deleting someone’s information, as required by CCPA.
An agency would also be established to enforce the California consumer privacy rights. The agency would serve to provide guidance to both industry and consumers in an ever-changing technical world. This agency would also pursue privacy law enhancements, including around the use of data for profiling, and ensure privacy protection is strengthened over time, fighting against attempts to weaken these laws.
“The rights of consumers and the responsibilities of businesses should be implemented with the goal of strengthening consumer privacy, while giving attention to the impact on business and innovation.”
While the CPRA requirements seem like they are well in the future, we all know time flies. Since CCPA will have already been in place for three years by then, we may not see the flexibility in snapping to compliance like we have with CCPA, which saw its first six months without enforcement action.
Key Dates to Watch:
- June 25, 2020 – Collected signatures have been validated; CPRA (CCPA 2.0) will be on the ballot in November
- November 2020 – CPRA to be voted on
- January 1, 2022 – CPRA (once in effect) applicable to all personal data collected from this date on
- January 1, 2023 – CPRA takes effect (If passed in November)
While January 2023 may be the date for compliance to start, it will be important to have the structure in place by January 2022, as all personal data collected from this point on would ultimately be subject to CPRA compliance. Data privacy is an ever-evolving area of business, and consumer rights will continue to gain priority and attention.
Managing data to run a business is complex. It becomes even more so when balancing the need to comply with various privacy laws, while simultaneously leveraging that data to deliver the best experience for your customers. Consumers want these protections in place, and proactively addressing these needs will enable you to better serve your customers, while also saving time down the road in being able to adapt to changing laws, regulations, and consumer perceptions.
A Couple of Best Practice Tips:
- Be upfront and clear with your customers about the data you capture, how you use it, why it benefits them to share it with you, how you will protect it, and how easy you make it for them to remove or restrict your use of that data
- When capturing data, set up your system to clearly identify what kind of data each data point is. This will enable you to more quickly and easily identify data points that need to be acted upon (now, or under future changes in the law)
- Establish processes that help prevent any accidental use of data and audit regularly to ensure you are remaining compliant. Changes in URL structure, data layer, marketing activities and other legit business activity can accidentally introduce Personally Identifiable Information (PII) where it shouldn’t be. Establish a thorough review to prevent this from happening, and to be able to catch anything that mistakenly does slip through.
“For every dollar spent on privacy, the average organization is getting $2.70 in associated benefits. Most organizations are seeing very positive returns, and more than 40% are realizing at least double their investment.”
Privacy Progression and Being Your Best Self
Should this new CPRA (CCPA 2.0) law not get passed in November, there are still bound to be other efforts to protect consumer privacy, and all of these requirements will continue to evolve. I encourage you to consider building flexibility into your data privacy and compliance strategy to make it as easy as possible to continually monitor, pivot as needed, implement additional controls, and ultimately best serve your customers.