When both the GDPR and CCPA came out, they were a major force in the industry for making companies rethink how they handled data privacy. They’ve already had significant impacts in the industry, as discussed above. Despite how powerful the CCPA was compared to existing data privacy laws in the United States, a new law might be coming to California to make the CCPA even more powerful.
The new law is called the California Privacy Rights and Enforcement Act of 2020 (CPRA). It hasn’t gone into effect yet, and it still needs to pass in November on the California ballot, though some experts, like Dan Clarke, president of products and solutions at technology services company IntraEdge, believe that it’s likely to pass.
RELATED CONTENT: GDPR, CCPA, and CPRA – Oh my!
According to Clarke, CPRA will bring the California privacy laws closer to the GDPR. He said that a lot of people are actually referring to CPRA as “CCPA 2.0” as it is the next evolution of that privacy law.
According to Jerry Ray, COO of data security company SecureAge, CCPA has a number of weaknesses. One is that users might have a hard time understanding what they’re opting into when the data is more technical and less attributable, like IP geolocation data, rather than something like a social security number. “Individuals will be hard-pressed to make a decision to opt out that reflects a full understanding of the potential utility and value of that data,” Ray said.
Another weakness is that it’s not easy to guess which companies actually need to comply with the CCPA, said Ray. The CCPA has a number of requirements that make a business eligible. Companies must meet one of the following criteria in order to be subject to the CCPA:
- An annual revenue of $25 million or more
- Collect data from 50,000 California consumers
- Derive 50% or more of revenue from the sale of personal information
“What appears to be a small office for mortgage refinancing may be over the 50,000 user records sold threshold with many statewide outlets under different names,” said Ray. “And that leads to the darker side, all of those companies that don’t meet the requirements to be subject to CCPA but collect and trade data as a normal course of business, from boutique job recruitment sites to payday loan offices. Billions of electronic records are independently generated by small and medium-sized enterprises that contribute to millions of personal data repositories that can be breached without any of the sanctions or remedies within CCPA being available to the victims.”
CPRA expands upon the CCPA and adds new rights that allow consumers to stop businesses from using sensitive information, safeguards children’s privacy by tripling fines, extends the exemption for employment data, and establishes the California Privacy Protection Agency, Clarke explained.
Jean-Michel Franco, director of product marketing for Talend, believes that the two major news things that it adds are:
- More ability for the consumer to control their data and have specific rights on what they can do with their data
- Extends the scope of CCPA, not only to consumers, but also to customers and employees.
According to Franco, the CCPA was heavily focused on protection for data monetization, but missed some things like the right to correct data or opt-out for processing. “So CPRA gets closer to GDPR with respect to the rights that the consumer has on the data that the company has captured from him,” said Franco.
Clarke believes that the most significant part of the law is the forming of a separate agency that is responsible for writing operating rules and levying fines. “I think this is most significant because of the budget that’s attached to it,” said Clarke. “There’s not a specific budget attached to it. But one of our attorneys who’s an expert in California law says that by creating an agency you have kind of a minimum threshold of budget, which is north of $10 million.”
According to Clarke, the attorney general’s office currently has a budget of $1.5 million to enforce the CCPA. He explained that this is enough money to pursue about three large-scale lawsuits with roughly five attorneys working on them. With a separate agency, there could be around 25 attorneys whose main job is just to enforce the CPRA. “I think this is very, very significant in terms of the potential impact of the CPRA,” said Clarke.
Clarke believes the reason that CPRA is a new law and not just an addition to CCPA is that the CCPA itself is fragmented and difficult to read due to its length. The CPRA condenses that by taking the CCPA, its amendments, and its operating rules, and combining them together. The end result is something that is much simpler to read and process, he explained.