FIS Modern Banking Platform
Advance your bank with a modern core platform.
Ron Whyte, SVP and group executive, FIS and Elena A. Lovoy, chief regulatory counsel and privacy officer, CENTRL, Inc.
December 14, 2020
The California Privacy Rights Act (CPRA) was voted into law on November 3, 2020 by 56% of the Golden State’s voters. Although this was not the landslide victory predicted in earlier polling, 9 million Californians voted in favor of these new consumer privacy protections. The CPRA, which is frequently referred to as “CCPA 2.0,” amends, expands, and strengthens the CCPA. It closes certain CCPA loopholes while arming consumers with more control over the privacy of their personal information (PI). It will go into effect on January 1, 2023.
The CCPA was spearheaded by California real estate developer Alastair Mactaggart and the Californians for Consumer Privacy coalition as a ballot initiative for the November 2018 election. Mactaggart’s story starts with a conversation he had with a Google engineer who told Mactaggart that he would be "horrified" to know how much data Google collects on its users. He investigated and as a result, decided to take matters into his own hands by pushing for the enactment of a comprehensive consumer privacy law in California. Instead, the state legislature moved forward with the CCPA in 2018 because they wanted to take a pre-emptive strike and adopt a law over which they had some control. The CCPA went into effect on January 1, 2020 and businesses have been navigating compliance with this new law since that date.
Mactaggart and his group did not disappear. They drafted a new ballot initiative, the CPRA, to add even more privacy protections to California law. Although the requirements of the CPRA will be effective in about two years, all other provisions of the current law remain in place and enforceable. In fact, enforcement of the CCPA began on July 1, 2020 and the penalties for noncompliance can be quite costly.
As mentioned, the CPRA will expand consumer privacy rights and includes the following new requirements on businesses:
The CPRA amended the definition of “business”. To be a business subject to the CPRA, one of the following must be present:
The CPRA doubled the number of consumers/households from 50,000 under the current CCPA to 100,000. As such, some businesses may find themselves outside the scope of the CPRA. However, the current 50,000 threshold will still apply until 2023.
In addition to the changes noted above, new rules governing opt-out rights connected with use of automated decision-making technology will be released. Such practices include, but are not limited to, consumer/employee profiling tied to work performance, economic circumstances, health, location, and other factors.
To get ready for the CPRA, companies will need to go back to the drawing board. Certain PI will need to be classified as sensitive PI and certain data that is being shared, but not sold, to third parties may be subject to the new right to prohibit the sharing of this data. All of these changes will require a fresh look at, and likely revisions to, the privacy notices that businesses provide to California residents. The same will be true for data subject access request (DSAR) portals. These will need to be revised to add all of the new consumer rights under the CPRA. In addition, companies will need to rely on their data mapping capabilities, privacy compliance expertise, and custom software options to automate these new processes.
Now that CPRA has passed, it may provide other states with a template to adopt similar comprehensive consumer privacy laws in 2021. The new Congress may also try to finally push a federal privacy law forward in 2021 which could preempt state laws. If companies and consumers have to navigate a patchwork of conflicting state-based legislation, this could tip the scales in favor of privacy action at the federal level.
Let's work together to reach your goals. Contact us at the links below and a representative will be in touch.
We are here to help you and your business. Contact us using the button below.Learn more