State Privacy Law, What's Coming in California CPRA for 2022

What's new with State Privacy Laws? 

CPRA applies to all data collected as of Jan 1, 2022. 

In 2018 California became the first US state to give consumers new tools and rights under the California Consumer Privacy Act (CCPA). In the November 2020 election, voters approved Prop 24, the California Privacy Rights Act (CPRA), which created the California Privacy Protection Agency and goes into effect in 2023.  

California CPRA, What to expect in 2022 

Many new consumer privacy legislation has emerged over the last few years. All fifty states now have at least some form of consumer privacy legislation, with California, Colorado, Virginia and New York having the most active and comprehensive laws thus far. Given voters' and legislators' growing privacy concerns, changes in state privacy laws will likely continue to evolve rapidly. 

In the fall of 2020, ~55% of California voters approved Proposition 24, the California Privacy Rights Act (CPRA), as an expansion of the California Consumer Privacy Act (CCPA). The law becomes operative on January 1, 2023, and covered organizations need to prepare for a couple of critical changes in CCPA compliance for 2022.  Notably, when CPRA goes into full effect on JAN 1, 2023, it will apply to all data collected as of JAN 1, 2022. 

Effectively, the CPRA brings the CCPA up to par with GDPR and beyond with the consumers' privacy-right-of-action provision. To maintain compliance, organizations should conduct a privacy risk analysis considering new and existing requirements. Based on assessment results, draft or update security controls, privacy policies, protocols, procedures and training appropriately.  

Most organizations do not have the internal bandwidth or expertise to develop and manage privacy operations independently.  A good consultant can save time and streamline the process by tailoring the privacy scope to fit your organization.  

Truvantis has the experience to examine privacy policies, protocols and procedures the same way regulators and class action attorneys do. Our experienced and accredited team has the competence and expertise to drive effective privacy management in your organization.  

We have helped hundreds of organizations build robust cybersecurity programs to address the challenges of conveying complex security and privacy concepts with clear policies, procedures, training and outward-facing documentation. Ready to get started? Contact Truvantis to schedule a privacy workshop customized for your organization.  

What's new in CPRA for 2022 – 23? 

Effective January 1, 2023, the fast-approaching California data privacy law, CPRA, is the latest California state law intended to strengthen consumer privacy rights while considering the operational interests of businesses. The Act's intent establishes that consumers have a right to know, control and protect their personal information.  Central to the law are terms that allow legislators to strengthen privacy rights over time while prohibiting any amendments that weaken California's consumer privacy. 

• CPRA terminates the existing CCPA regulations on Employer-Employee exemption  
• Consumers should have the tools necessary to limit the marketing use of their PI. 
• Increases fines for breaches of children's data threefold. 
• Expands breach liability beyond breaches of unencrypted data to disclosures of credentials (like an email address or password) that could lead to access to a consumers' account.  
• Limits the duration of time a company may retain a consumers' information to only what's necessary and "proportionate" to the reason it was collected in the first place.  
• Requires companies using third-party vendors to mandate contractually that those third parties exercise the same level of privacy protection to data shared with them as the first party.  
• Deletion Expansion -  Upon a consumer request to delete, organizations must be able to tell other third party organizations they've shared PI with also to delete that information  
• Chain of custody – data transferees must offer the same levels of privacy protection 
• Establishes the California Privacy Protection Agency (CPPA) will be empowered to fine transgressors, hold hearings and clarify privacy guidelines effective July 1, 2023. 
• Expands the Private Right of Action provision in the case of PI security breaches 
• Requires Annual cybersecurity audits and risk assessments for high-risk data processors 

CPRA – Personal Information and Security Breaches and Consumer Private-Right-of-Action  

In the event of a data breach where an organization is found to violate its duty to maintain reasonable security and privacy procedures and practices, any consumer whose PI or email and password were stolen may institute a civil action to: 

• Recover damages of $750 per consumer per incident or actual damages, whichever is higher 
• Injunctive or declaratory relief or 
• Any other relief the court deems appropriate 

CPRA Summary of Consumer Rights Regarding PI. 

1. Right to Delete Personal Information 
2. Right to Correct Inaccurate Personal Information 
3. Right to Know What Personal Information is Being Collected and Right to Access 
4. Right to Know What Personal Information is Being Shared and to Whom 
5. Right to Opt-out of Sale or Sharing of Personal Information 
6. Right to Limit the Use and Disclosure of Sensitive Personal Information 
7. Right of No Retaliation Following Opt-out or Exercise of Other Right
   • Businesses should not penalize consumers for exercising rights

CPRA effectively gives consumers the right to opt out of cross-context behavioral advertising. You know the event where you buy something or click on something, and suddenly you are bombarded with items related to your information characteristics.  

Summary of Business Obligations Under CPRA 

• Transparent Privacy Notifications 
• Businesses should clearly inform consumers how what and why they collect PI and how consumers can exercise their CPRA rights  
• Purpose Limitation and Data Minimization 
• Only collect and process the information necessary for the clearly stated business purposes 
• Method for servicing legitimate consumer requests 
• Consumers should have the ability to exercise their rights without undue burden 
• Security and Privacy-by-Design 
• Obligations regarding vendors and third-party processor agreements 
• Chain of custody – vendors and service providers must offer the same levels of privacy protection. Update vendor agreements and service contracts accordingly. 
• Automated decision-making requirements 
• Businesses must publish meaningful information and opt-out rights on the use of automated decision-making technology used for profiling. They must include information on the logic involved as well as the probable outcome to the user. 
• The legal environment regarding cookies and tracking in apps and devices is rapidly changing, as reflected in this provision 
• What businesses must do: 
• Cookie audit – how does your site use cookies? 
• Tell visitors how you use cookies 
• Obtain their consent 
• Privacy risk assessments, gap analysis and remediation 
• Employee Training 

What Should Organizations do for CPRA in 2022? 

CPRA applies to PI data collected on and after January 1, 2022. The first thing an organization should do is determine what PI they plan to collect, store or process, which is subject to the new law. Next, conduct an internal privacy assessment and update privacy policies, protocols and procedures as needed. Changes in the law must be included in the collecting and processing all PI as of Jan 1, 2022. 

CPRA has an expanded definition of "Personal Definition" which includes: 

• Name, address or unique personal identifier, IP address, email, account names, legal document numbers and login credentials 
• Anything predefined PI in the US or CA law 
• Consumer information, including property records and purchasing history 
• Biometric information 
• Internet activity, including browsing/search history and information regarding interactions with websites or online advertisements 
• Geolocation data 
• Audio, electronic, visual, thermal and olfactory information 
• Professional or employment-related information 
• Educational information (except that which is publicly available) 
• Inferences are drawn using PI, including:  
  • Consumer preferences  
  • Psychological trends 
  • Predispositions, behavior, attitudes 
  • Intelligence, abilities and aptitudes 
• Sensitive personal information 
  • Official document and account numbers and related login information 
  • Precise geolocation – equal to or less than the area of a circle with a radius of 1,850 ft 
  • Contents of emails and text messages 
  • Genetic data 
  • Processing of biometric information 
  • Personal health information 
  • Sex or sexual orientation

Unique Personal Identifier 

Any persistent identifier which can be linked to a consumer or family over time and across different services, including but not limited to: 

• A device identifier  
• IP address 
• Cookies, beacons, pixel tags, mobile ad identifiers or similar technologies 
• Unique customer numbers, unique pseudonym or alias 
• Telephone number or other probabilistic identifiers 

CPRA Timeline 2021, 2022, 2023 

• March 16, 2021 – Governor Newsom, Attorney General Becerra, Senate President Pro Tempore Atkins, and Assembly Speaker Rendon announced the five California Privacy Protection Agency board members: 
  • • Jennifer M. Urban – Professor of Law, University of California, Berkeley School of Law 
    • John Christopher Thompson – SVP of Government Relations at LA 
    • Angela Sierra – Former Chief Assistant Attorney General of the Public Rights Division
    • Lydia de la Torre – Professor, Santa Clara University Law School 
    • Vinhcent Le – Technology Equity Attorney at the Greenlining Institute 

• July 1, 2021 – July 1, 2022, Rule-making regarding enforcement regulations 
• September 22, 2021 – Agency invitation for public comment on rules as part of their preliminary rule-making activities 
• January 1, 2022 – Data collected beyond this date is subject to CPRA rules 
• July 1, 2022 – The regulations for implementing CPRA must be adopted by this date 
• January 1, 2023 
  • • All remaining provisions of CPRA become operative 
    • The CCPA Employer-Employee exemption goes away
• July 1, 2023 – Civil and administrative enforcement begins 

CPPA Rulemaking Process – Request for Public Comment SEP 22 – NOV 8 2021 

Last month on September 22, the CPPA announced its invitation for public comment as part of its preliminary activities in the rule-making process. The deadline for comments is Monday, November 8, 2021. While the committee welcomes comments on any CCPA/CPRA rules or the rule-making process itself, they specifically ask for commentary on potentially controversial new concepts in the law. Here are a few of the more interesting topics: 

1. When does PI processing present a significant risk to Consumer Privacy? 
2. What should be the details of required risk assessments and CPPA privacy audits? 
3. What activities or machine logic should be deemed "automated decision-making technology" and "consumer profiling"? 
4. What rules should be regarding customers' right to delete or correct PI records, and what steps are necessary to prevent fraud? 
5. What technical specifications and mechanisms will be required to support customers opt-out and do-not-sell options? 
6. What is sensitive information, and when can sensitive information be collected without inferring consumer characteristics?  
7. When is it appropriate for organizations, vendors and service providers to share and/or combine consumers' personal information? 

Read the full-text https://cppa.ca.gov/regulations/pdf/invitation_for_comments.pdf  

The rule-making process is in progress for CPRA. Details still need to be worked out on some of the finer technical details before the due date of July 1, 2022. Following California, Colorado, and Virginia also have active consumer privacy laws. There are active bills in play in Massachusetts, Minnesota, New York, North Carolina, Ohio and Pennsylvania. Much is likely to change on the legal privacy landscape in the coming year. They are all based on the same basic consumer rights principles, each with nuances and exceptions. Other states are sure to follow their proposals. 

CPRA new rules apply to the relevant data processing as of JAN 2022. How can your organization prepare?  With so many other recent laws emerging, how can an organization effectively address them all at once? 

Don't try privacy compliance one regulation at a time. Instead, build a risk-based central privacy program capable of supporting the entire matrix of international, federal and rapidly changing state laws and regulations to which businesses may be subjected. Truvantis can help simplify the problem and tailor your privacy management to only what you need for the scope of your business operations. 

Why choose Truvantis? World-class competence, expertise and experience. 

Truvantis has the experience to examine privacy policies, protocols and procedures the same way regulators and class action attorneys do. Our experienced and accredited team has the competence and expertise to drive effective privacy management in your organization. We have helped hundreds of organizations address the challenges of conveying complex privacy concepts with clear outward-facing documentation.   

We have the expertise to examine from both a technical and legal compliance lens and manage any projects required to fill any gaps. Our team is good at what they do, but they are also recognized leaders in the industry. 

We do everything. 

Unlike so-called boxed solutions, which only give you checklists, templates, basic instructions and video training, then leave you with the work. Truvantis can also do the hard work for you and simplify nuances of interpreting regulations contextualized for your environment and assessing privacy controls' effectiveness. 

We work with your vendors, third-party service providers, stakeholders from IT, information governance, compliance, security, legal and discovery departments. We do everything for you from training, risk assessment, data-flow mapping, document preparation, technology integration to guiding compliance audits. 

The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you select and track which requirements are applicable. We can help build a solid central privacy program capable of supporting the entire matrix of international, federal and rapidly changing state laws and regulations to which businesses may be subjected. 

Contact Truvantis for more information and to start your pre-audit consultation.