On November 4, 2020, the YES on Prop 24 campaign announced the passage of the California Privacy Rights Act (CPRA), with a decisive majority of Californians (56% according to the Secretary of State's website) supporting the measure to strengthen consumer privacy rights. The new law is expected to give Californians the strongest online privacy rights in the world, including protecting sensitive personal information, tripling fines against companies that violate children's data protections, establishing an enforcement arm for consumers, and making it harder to weaken privacy laws in the future.
Here, we talk to Heather Federman, Vice President of Privacy & Policy at BigID, about this sweeping privacy law that will set the bar for privacy rights for the rest of the nation.
Security Magazine: At a high-level, what is your background?
Federman: I'm the Vice President of Privacy & Policy at BigID, where I manage and lead initiatives related to privacy evangelism, product innovation, internal compliance and industry collaboration. Prior to BigID, I served as the Director of Privacy & Data Risk at Macy’s Inc. and the Senior Privacy Manager at AMEX. I also previously worked for the Future of Privacy Forum (FPF) and the Online Trust Alliance (OTA), working to further FPF’s mission in advancing responsible data practices and OTA’s mission in establishing trust in the online ecosystem.
Security Magazine: What are the clauses of the CPRA?
Federman: The CPRA creates a new definition called "sensitive personal information" (SPI) with significant obligations enterprises must follow. The definition is pretty broad, even broader than the "special categories of personal data" definition under the GDPR. Consumers would be enabled to "limit the use and disclosure" of SPI via a hyperlink or opt-out preference signal on the enterprise's homepage - in which a consumer could tell the business to only use that data for necessary purposes of performing the business function. Any additional uses would require subsequent authorization and approval from the consumer. This means that enterprises will need to make sure anything considered "SPI" under the CPRA is appropriately classified, tagged and labelled within their systems.
The CPRA creates the first agency in the U.S. dedicated solely to privacy - the California Privacy Protection Agency. While this is helpful from an enforcement standpoint (the California AG has been pretty clear that due to time/budget constraints they could probably enforce only a few cases per year), it could definitely up the ante for enterprises who had previously buried their head in the sand. At the same time, enterprises are concerned about what additional requirements the new Agency could push out as a result of their new rulemaking authority. Could this reach a point where California was engendering privacy regulations that the rest of the country had no choice but to follow?
Impact on targeted advertising. The CPRA modifies the CCPA's "sale" provisions, in which the opt-out of sale is expanded to include "Opt-Out of Sale and Sharing," where "sharing includes the transferring or making available personal information to a third party for cross-context behavioral advertising, regardless of whether consideration is exchanged." So while some may have been able to argue that CCPA does not require an opt-out of targeted advertising, CPRA effectively shuts the door on that debate - the drafters of CPRA made sure there was no getting around that. Between CPRA and the efforts that have been made by major browsers (and the iOS 14 privacy updates) to do away with third-party cookies, I will be very interested to see how this impacts the ad tech community - they will need to evolve with these regulations, otherwise their business models will become obsolete.
Security Magazine: What impact do you think CPRA will have on enterprises and consumers?
Federman: One of the main practical challenges for enterprises is ensuring their ability to know their consumers' data. Traditional approaches to data discovery (e.g. surveys and manual inventories) are not always great at consistently identifying all of the data that's in scope, especially with the newly defined SPI and the targeted advertising provisions. One thing the proposed amendment has made clear is that the definitions of what data is important are constantly in flux. Regardless, understanding what data is in scope at a given time and being able to act on it will become even more imperative, especially with the dedicated privacy agency that has the ability to levy administrative fines of $2,500, or up to $7,500 for intentional violations.
From the consumer POV, the changes are not so significant compared to what the CCPA has already put out. Consumers will still be able to request certain data rights, which have now expanded to include the right to correct inaccurate data. The "right to cure" ability for enterprises has been removed, which some have considered a get-out-of-jail-free card. There are also increased transparency requirements that enterprises must satisfy within their privacy statements. And consumers now have a dedicated agency with which they can lodge complaints about businesses and receive direct feedback. However, the CPRA does little to lessen the challenges around "privacy self-management" - there are too many enterprises collecting and using data to make it feasible for consumers to manage their privacy separately with each entity. Rather than assess privacy at the individual level, data protection should have a more holistic and cumulative approach.
Security Magazine: How could the ballot measure influence the broader privacy landscape (including eventual federal privacy legislation)?
Federman: It's unclear what impact CPRA could have from a broader privacy landscape. We already have CCPA on the books, which was a big impetus for other states to draft their own privacy bills, and has pushed Congress to act. While the pandemic has put a halt in the progress of much state activity, we will likely see a resurgence of bills in 2021, regardless of whether Prop 24 is passed.
The other key factor is that California's legislative system is different from that of other states. CCPA has a very unique history which led to its enforcement, and CPRA will go through the voter ballot process - compare this to other states, in which their own Houses & Senates will need to review these privacy bills and provide commentary. What I'm keeping a close eye on is the Washington Privacy Act bill, which has now surfaced for the third time - the Washington legislative process is a bit more "common" and the bill borrows elements from both CCPA and GDPR. If this version ends up surviving the legislature and passing, that would likely end up being the main model for a state data protection law (in terms of process and content) we see happening across the country.