The California Privacy Rights Act (CPRA), a major overhaul of the existing California Consumer Privacy Act (CCPA), passed as a ballot measure on November 3rd, winning 56% approval. While the measure received a fragmented mix of support and opposition from privacy advocates and consumer-rights organizations, Abine publicly supported the CPRA and thinks its passage is a positive development for citizens of California and the state of consumer privacy more broadly.
Over the longer term, the law is likely to have a major impact on how U.S. businesses handle consumer personal data. Not only will businesses need to build processes that may soon come to affect non-California residents, but changing consumer expectations may put pressure on the Federal Government to provide its own, national regulations which standardize CPRA-type rules.
Enforcement of the law is staggered over the next 2 years. Many rules will not be enforced until January 2023, and in the meantime, CCPA remains the predominant regulatory structure.
But what are the parts of the law that might begin to affect consumers and businesses sooner?
The major provisions of the law
Gives Californians the right to require companies to limit their use of sensitive personal information
- What this means in the near term is that consumers may be provided with more-detailed “Opt-Out” options on websites and businesses they transact with. Because of the limited threat of enforcement, however, it may take some time before you see uniform standards in how companies provide these options, and there will be some experimentation with methods on how best to communicate consumer requirements (e.g. the “Global Privacy Control” standard for browsers, which we endorse).
Creates a new agency to handle privacy law enforcement
- The law creates a California Privacy Protection Agency which will have an independent budget to pursue enforcement actions. While initial budget constraints will limit the range of action they can take, it is likely they will choose fewer, high-profile targets, in order to help signal to smaller organizations what areas of current CCPA compliance they will prioritize.
Increases liability risk for data breaches
- It’s possible companies will respond to this in the short term by implementing more data-encryption methods when collecting/transferring information; this could potentially result in some slower processing times in transactions.
Creates new complexity in how the digital advertising marketplace will work
- ‘Sensitive’ personal data – which includes things like geolocation, spending information, IP address, and other data used to create profiles for advertisers – will be governed by complex new notification rules. This may reduce the amount of personalized ads for California consumers until processes are established for better transparency.
Many provisions of the law will take time to implement, and aren’t likely to result in rapid change in people’s online experience.
Other aspects affecting how businesses treat internal data, or employee data, are likely to be given the greatest latitude before enforcement begins 2 years from now.
At Abine, we think that the CPRA provides a welcome first step in the direction of better online privacy, and will continue to try to help inform consumers on how these new rules play out in the real world.