Like everyone, I’m exhausted by the confusion and controversy surrounding the election — this week has been a year. So, great news: today’s blog is going to be about a confusing, controversial law just passed in California by a wide margin!
The law in question is the California Privacy Rights Act, also called Prop 24, or as we like to call it — CCPA II: Mactaggart’s Revenge. Yes, Alastair Mactaggart, the real estate magnate who was the driving force behind the California Consumer Privacy Act (CCPA), is behind this law as well. His position seems to have been that, after the flurry of amendments it went through, CCPA was not sufficiently protective of privacy rights, and that loopholes needed closing. He embarked on another (costly) campaign, referendum, and vote mobilization effort and, once again, got what he wanted. CPRA is now on the books. Given its complexity and the issues at stake, we’re going to do a three-part series on the Act and what it means for you and your business.
If you know anything about California law, you know that it is a leader when it comes to standard setting and norm establishment. In other words, as California goes, often so goes the nation. Privacy law is not going to be any different, as we know, because when CCPA passed the California legislature, businesses around the country swiftly moved to figure out how to comply and just how much wiggle room they had when it came to the use of data. That process is about to begin all over, and likely with just as much confusion as before, because CPRA does not correct some of the more baffling aspects of CCPA (as we’ll see).
The reasons for this scramble are simple: California is the largest economy in the US (and one of the largest in the world) and data flows in and out of the state are a crucial component of business and commercial strategy for companies, regardless of where they are located. So even if you own a business in Maine, it’s possible that your operations will fall under the auspices of CPRA.
Privacy Across the Atlantic
As with CCPA, the most important thing to note about the law is that, while it’s sometimes referred to as an “American GDPR,” it is not technically the same thing as GDPR. That means that you can’t rely on compliance with one to stand you in good stead with respect to the other, although, from our perspective, GDPR remains the gold standard and is likely going to be the best framework to build your privacy practice around. That said, there are substantial similarities between the two regimes, particularly in terms of how they empower individuals to have control over their data.
To that end, CPRA gives consumers the right to access, correct, and delete their data, and maintains the CCPA principle of “Do Not Sell” personal data — so you still have to keep the “delete my data” button on your website. In addition, the act ensures that individuals who have shared “sensitive data” — a category similar, but not identical to, sensitive data under the GDPR — may limit its use by companies that process it. A sensible approach, to be sure.
What’s more complicated is the definition of sensitive data. There, the distinction from GDPR is meaningful because CPRA defines sensitive data as including government-issued identifiers, account log-in credentials, and financial account information. Why does that matter? Most American businesses don’t collect GDPR-style sensitive data (sexual orientation, religious views, trade union membership, etc.). But virtually all American e-commerce enterprises collect some kind of log-in credentials combined with financial information at some point, and many also use government identifiers (your driver’s license number or a passport screenshot) to verify a customer’s identity.
That’s an extremely important point to understand when it comes to assessing risk. Why? Because credit card and login information are some of the most widely held kinds of information and, consequently, some of the most frequently lost, stolen, or sold. Under CPRA, a breach that touches upon this kind of information carries with it a substantially higher economic and legal risk, not only because the new California Privacy Protection Agency can come and impose penalties (more on that next time), but because failure to safeguard this information (which is now statutorily defined as sensitive) likely makes the duties of care in a tort lawsuit look different. That’s right — statutory duties can affect what counts as “reasonable” under tort law, which implicates a huge array of litigation and legal compliance risk.
We’ll get into how you need to think about compliance in the third installment of this series, but for now, the major takeaway is this: the risk under CPRA is substantially higher for you if you’re in e-commerce than it was even under CCPA. You have to develop both privacy and cybersecurity protocols and enforce them. Taking CPRA seriously isn’t optional; it’s a requirement if you want to do business in the world’s fifth largest economy. CPRA may not be in force for two years, but the time to start preparing for it is today.