CPRA Could Transform Consumer Protections and Business Obligations
By Isabella Schrammel
In May of this year, TikTok was sued for violating the California Consumer Privacy Act (CCPA), but if the California Privacy Rights Act is passed in November, this lawsuit, and others similarly situated, may become moot.
As an initial sponsor of the CCPA, the Californians for Consumer Privacy proposed the California Privacy Rights Act (CPRA), which received enough signatures to appear on the November ballot as Proposition 24. The CPRA could expand consumer rights, including the right to know what data is collected and shared, the right to request data deletion, and the right to request that data remain confidential and not be sold.
The existing CCPA empowers consumers with several rights, including the right to know what data is collected and shared, the right to request data deletion, and the right to request that data remain confidential and not be sold. If approved, the CPRA will add to the CCPA, and experts predict that this addition will significantly impact the privacy landscape in California.
“What really needs to be thought through,” Brandon Reilly, Partner at Manatt, Phelps, & Phillips, LLP said, “is should we have a privacy law that is essentially inalterable and immovable for an area of industry that is… technology-driven and changing every day or every month or every year?”
In addition to its efforts to make privacy legislation in California more permanent, the CPRA introduces a new right known as the “right to correction,” which allows consumers to correct erroneous data a company might possess.
“Organizations can and do make decisions based on the information that they have. If that information is inaccurate, it could have consequences for individuals in terms of whether they are offered opportunities or not—I’m glad that it is in CPRA,” Lydia De La Torre, Professor of Comparative Privacy Law at Santa Clara University School of Law and Counsel at Squire Patton Boggs, said.
The CPRA would also increase public spending by $10 million annually through the creation of the California Privacy Protection Agency, a state agency dedicated to privacy education and regulation. Currently under the CCPA, the California Attorney General handles most privacy-related issues.
“[An] annual budget is a better way to give peace of mind to the agency. They have a way to fund themselves, but also the freedom to distribute that in whichever way makes sense, and an agency that has that kind of power should think about how to educate rather than how to punish,” De La Torre said.
Mike Shapiro, Chief Privacy Officer for the County of Santa Clara, said there still remains some uncertainty regarding the California Privacy Protection Agency’s local privacy regulation role.
“How [the California Privacy Protection Agency] will interact with other localities, we’ll have to see how that plays out. We’ll work to understand better what that relationship is going to be like,” Shapiro said.
In addition to the anticipated CPRA impacts on consumers and California’s regulatory scheme, the act would impact businesses, many of which operate here in Silicon Valley. The fines for non-compliance are expected to be higher under the CPRA, especially pertaining to violations involving minors, which would amount to $7,500 per violation.
Reilly said for many businesses, compliance with a new set of regulations is overwhelming.
“Businesses are very much still trying to figure out what the CCPA means for their data operations,” Reilly said. “What the CPRA does is it really confuses a lot of issues, and it’s going to be tricky for companies to really come to terms and fully understand what they need to do–even if they have a robust CCPA readiness program in place already.”
The CPRA increases the threshold for compliance, thereby lowering the likelihood of brushing up against the law. Under the CPRA, businesses that buy, sell or share the data of 100,000 or more consumers are required to comply, instead of the 50,000-consumer threshold under the California Consumer Privacy Act.
De La Torre said compliance is recommended even if a company falls below the new threshold.
“Startups should just from the get-go have the mentality that these requirements will apply to them, because they will eventually apply to them, and it’s much easier to just build your structure on that assumption than to re-architecture it afterwards,” De La Torre said.
For small companies, the decision to comply (or not comply) voluntarily also raises questions unrelated to the burden of restructuring.
“As a company, you don’t necessarily want to be in the position of having to explain why you do not have to comply with a data subject request,” Reilly said. “The provisions of the CCPA and the CPRA are incredibly burdensome. To expect small businesses to comply with it, I think is an unrealistic expectation, and it shouldn’t be necessarily a cost that they have to deal with when they’re a small company.”
While it is unclear how precisely the CPRA will impact privacy legislation outside of California, privacy professionals agree that the CPRA may serve as a basis for other states’ privacy laws.
Reilly said the CPRA could become “a de facto national standard” for both consumers and businesses.
“I think it will have far-reaching impacts across the country just because of the size and resources of a state like this,” Shapiro said.
(Editor's Note: This article was originally published in the October 2020 [Volume 51, Issue 1] edition of The Advocate.)