On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA), a new privacy law that introduces significant amendments to the California Consumer Privacy Act (CCPA). Modeled after the European Union's General Data Protection Regulation (GDPR), the CPRA will build upon the CCPA's foundation in order to strengthen consumer privacy rights, expand various obligations and requirements, and establish a more comprehensive privacy law.
While certain provisions of the CPRA went into effect immediately upon its passing, such as those related to the collection of personal information, most of the changes in this law will not take effect until January 1, 2023, with enforcement beginning July 1, 2023. However, businesses cannot simply wait until late 2022 or early 2023 to start preparing for the CPRA's requirements.
Starting on January 1, 2022, the CPRA's 12-month look-back provision, which affects the data privacy practices of businesses, will begin to apply. Similar to the CCPA's look-back provision (which went into effect in 2019), the CPRA will require covered businesses to disclose information about the data collection, usage, and sharing of a consumer's personal information covering the 12-month period preceding the date of a verifiable request. In addition, the CCPA's exemption for employee, job applicant, and contractor data will sunset when the CPRA goes into effect. Therefore, businesses will need to maintain accurate records of consumers' personal information in accordance with the CPRA beginning on January 1, 2022 – one year before the CPRA officially goes into effect.
In this blog, we'll take a closer look at the CPRA's look-back provision and how your business can act now to avoid potential look-back violations in 2023.
The CPRA Look-Back Provision
While once considered the strictest data privacy law in the U.S., the CCPA has been criticized over the absence of certain consumer rights, its ambiguous language, and the exemptions and limitations that weaken the law's effect. As a result of these concerns, the CPRA was created to supplement the privacy protections found in the CCPA, increasing consumer rights, placing additional obligations on businesses, and establishing a new enforcement agency – the California Privacy Protection Agency (CPPA) – to oversee and enforce the law.
The CPRA becomes fully operative on January 1, 2023; however, the law's look-back provision applies to personal information collected on or after January 1, 2022. The look-back provision is part of the CPRA's expanded Right to Know, although it shares many similarities with the CCPA. As in the CCPA, consumers are able to submit a request to know what personal information is being collected about them, and the business must provide the consumer with their personal information going back 12 months. The CPRA expands this obligation by requiring that businesses provide access to information beyond the CCPA's 12-month period unless doing so would prove impossible or would involve a disproportionate effort. And, while the CPRA has extended the CCPA's employee exemption until January 1, 2023, at that time the full scope of consumer rights under the CPRA will also be granted to employees, job applicants, and independent contractors. This increases the amount of data a consumer has the right to know and brings the CPRA more on par with the GDPR.
CCPA-Compliant Businesses
Despite its many similarities, compliance with the CCPA alone will not be sufficient to meet the new expanded requirements of the CPRA. But, if your business is already CCPA compliant, transitioning to the CPRA's 12-month look-back provision shouldn't be too demanding. Under the CCPA, businesses should already be maintaining accurate records of a consumer's personal information for the last 12 months, which should be made available upon request. The same is required under the CPRA, but a few additional changes will need to be made in order to achieve proper compliance.
Extended Look-Back Timeline
A change made to the CPRA extends the timeline of the look-back period to enable consumers (including employees, job applicants, and contractors) to request personal information collected beyond the CCPA's 12-month window. The law does not require businesses to keep personal information for any specific period of time, though, and businesses will not need to provide personal information collected on consumers prior to January 1, 2022. By extending the look-back time frame, the CPRA expects businesses to adopt a more aggressive records retention program to protect consumer information.
Sensitive Personal Information
In contrast with the CCPA, the CPRA broadly includes the subcategory of sensitive personal information within its definition of personal information. This includes a consumer's social security number, driver's license, financial information, precise geolocation data, racial or ethnic origin, religious or philosophical beliefs, or genetic data. The CPRA does include the CCPA's exemption of information collected from job applicants, employees, controlling owners, directors, officers, medical staff members, and independent contractors; however, this only impacts the CPRA's look-back requirements in 2022, as this exemption will sunset on January 1, 2023. With the addition of sensitive personal information, businesses must now also inventory this type of data and ensure the proper processes and notices are in place to collect it.
Service Provider and Contractor Obligations
Expanded upon in the CPRA are the obligations the law places on service providers and contractors. Under the CCPA, businesses are required to disclose the categories of third parties to whom they sell personal information. The CPRA expands this right to also include the categories of service providers and contractors to whom they disclose personal information. A service provider or contractor must also cooperate with and assist businesses in providing personal information in response to verifiable consumer requests to know.
Preparing for the CPRA Look-Back Provision
With time running out until the end of 2021, organizations in scope of the CPRA will need to start preparing now to be ready for the law's modified and expanded look-back provision. This will entail not only understanding where consumer personal information resides and flows through the organization and how to retrieve such information, but also creating the necessary mechanisms to allow consumers to make such requests.
Businesses already compliant with the CCPA should have an easier time transitioning to the requirements of the CPRA's look-back provision. For businesses at the start of their compliance journey, meeting the requirements of the CPRA's look-back provision will be more of an undertaking. In either case, businesses would do well to start taking the proactive steps now towards implementing the necessary data collection procedures:
- Regularly conduct a data mapping exercise to identify and document what personal information and sensitive personal information is being collected, and understand what information falls under the scope of the CPRA.
- Classify personal information and identify sensitive personal information to accurately retrieve and/or remove when necessary.
- Update data collection processes and privacy notices to align with the changes made in the CPRA.
- Perform annual cybersecurity audits and risk assessments and submit these to the newly appointed CPPA if the processing of personal information presents a significant risk to consumers’ privacy or security.
- Review current data sharing practices and inform third parties, service providers, and contractors of the new CPRA compliance requirements.
- Ensure the proper mechanisms are in place for consumers to submit requests for their personal information by January 1, 2023.
- Test current request processes to ensure they are working optimally, and forecast the number of requests expected to ensure there are sufficient resources available.
- Implement the necessary internal processes and workflows and create templates and playbooks to handle the influx of consumer requests in 2023. Many chief audit executives (CAEs) are now expected to have a roadmap for addressing privacy risk, and these workflows are key to executing that roadmap.
- Update existing training and auditing programs to ensure employees understand how to maintain CPRA compliance, and address compliance gaps moving forward.
While enforcement of the CPRA does not begin until July 1, 2023, the look-back period starts January 1, 2022, so any personal information collected from that date will be subject to the CPRA's requirements. In order to avoid costly enforcement actions, businesses should be reviewing their data collection processes for compliance with the CPRA and taking the necessary steps to handle and respond to such requests. And, until January 1, 2023, the CCPA is still in effect, so businesses cannot forget their obligations under both laws until then.
Don't look back at the end of the year wishing you had started your compliance efforts for the CPRA sooner. Let Focal Point help you maintain compliance with both laws and seamlessly navigate the transition from the CCPA to the CPRA.