California's New CPRA Raises the Privacy Stakes for Everyone

Published On February 03, 2021
Any organization that collects personal information about consumers should learn about the new California Privacy Rights and Enforcement Act because the implications will apply far beyond the state boundaries.

With so much attention riveted on the presidential race in 2020, it's understandable that many people missed the news that voters approved the California Privacy Rights and Enforcement Act of 2020 (CPRA), a new regulation that could have far-reaching implications for the way all organizations collect and manage data about consumers.
The California Privacy Rights and Enforcement Act of 2020 (CPRA) strengthens and expands the provisions of the California Consumer Protection Act (CCPA), which took effect just a few months ago. The CCPA was already considered the toughest set of privacy regulations in the U.S. Now the rules have been made even tougher. Any organization that collects personal information about consumers should be familiar with them because the law applies to any entity that does business in California, regardless of whether it is physically located in the state.
The CPRA, which takes effect on January 1, 2023, and will be formally enforced six months later, borrows a provision from the European Union's General Data Protection Regulation that gives consumers the right to correct information an organization holds about them, a right that isn't included in the current regulation. Consumers will also be able to opt out of having information collected about them from multiple sources for use in behavioral advertising, strengthening a current provision that only permits them to opt out of the sale of such information.
The CPRA creates a new category of data called "sensitive personal information" and defines how it can be used. The designation includes details about a person's Social Security, driver's license or government-issued ID card numbers as well as financial accounts, login credentials, geolocation, race or ethnic origin, genetic data, sexual orientation and health status. Consumers can limit how this information is used and organizations will be subject to stronger notification requirements.
A new privacy enforcement agency called the Consumer Privacy Protection Agency (CPPA) will be created to add some teeth to the rules. Among its responsibilities will be to oversee newly required privacy impact assessments and independent security audits for "high risk" activities. Security provisions are defined more specifically than in the past. The CPRA formalizes the requirement that businesses provide "reasonable security" for personal information, a stipulation that was not included in the CCPA. It also lays out specifics of what those security practices should entail, including the requirement that organizations be able to detect security incidents, resist "malicious, deceptive, fraudulent, or illegal actions," and help prosecute offenders.
Standards for the gathering of information about children have been tightened. Parents will be able to limit what information may be collected about their offspring and demand that organizations erase any data that has already been collected.
Broad Impact
While the regulation is limited to California residents, its effects will be national and even international in scope. California is the largest economy in the U.S., meaning that virtually all large advertisers will need to adhere to the standards. The passage of the law may also break the logjam in privacy legislation on the federal level, where it has been bogged down in negotiations. "I think that was intentional on the part of the ballot initiatives' proponents," said Caitlin Fennessy, research director at the International Association of Privacy Professionals, to Business Insider.
The implications for records management are significant. The CCPA retention requirements make no distinction between digital, paper and microfilm/microfiche records, meaning that organizations must have governance processes in place to enable rapid retrieval of records in any form. The 30-day waiting period that was provided under the CCPA has been removed, leaving it to the CPPA to establish what it believes are reasonable response deadlines for each situation. Delaying a response to a consumer request will be less of an option.
While California privacy regulations look increasingly like those in Europe, the penalties are less severe. Potential administrative penalties are capped at $2,500 per violation, although they can be as high as $7,500 in the case of an "intentional violation" or one involving minors.
Given that more than 80 countries have now implemented privacy regulations, the message is clear for information and records management professionals: their role in protecting their organizations from prosecution has never been more critical. That is a big responsibility, but also a recognition to be proud of.