California’s Data Privacy Acts and Their Impact on Law Firms and Businesses

The California Consumer Privacy Act (CCPA) was signed into law in June 2018 and became effective January 1st, 2020. This was one of the first state data privacy regulation acts in the United States that became enforceable and was often compared to the GDPR, especially when it first came out. The California Privacy Rights Act (CPRA), however, took effect January 1st, 2023, with enforcement starting July 1st, 2023.

The CPRA works hand in hand with the CCPA but adds in a lot more details including its own regulatory body that will take over regulation enforcement from the State Attorney General of California.

Why the CPRA?

The CPRA amends the CCPA, fixing a lot of the “problems” from the first act. Both are ballot initiatives passed by the residents of California. The CPRA takes the CCPA a step further.

The CPRA extends two more rights to California residents. Originally, and like the GDPR, California residents had the right to know how their information was being used, had the right to delete, opt out and opt in. They also had the right to initiate a private cause of action in security breach cases. The CPRA gives them the right to correct data and the right to limit the use and disclosure of sensitive personal data.

What is sensitive personal data?

Sensitive personal data includes your social security number, driver’s license number, log in to your banking account, your geolocation to within a specific distance of your house. It also includes race, ethnic origin, and philosophical beliefs.

Unlike the GDPR, the CCPA and the CPRA have always itemized what sensitive personal data is to a granular level.

Does the CPRA apply to your organization?

These rights vest with California residents as defined by the California tax law. Your company must be a certain size and/or have data from a certain number of people. So, if your company is a large bank operating in multiple states and you have California residents as clients, you must comply with the CPRA. If you’re a single-operation dry cleaner, the new protections probably will not apply to you. You should have all that homework done ahead of time to know where your company falls.

What strategies should companies start discussing and enacting now in their own environment to be prepared?

  1. Make sure your organization has a response plan if there is a data breach, and know which laws would apply, because there are reporting requirements for every state.
  2. Specific to the CPRA, your company’s liabilities lie with your website, with your sales and/or marketing team, or with a data breach. Take time to audit these functions now to discover and close holes in processes where personal information could be exposed.
  3. Know how you are going to respond in a timely manner to a request for information on personal information use. Create a data map so you know where the data lives.
  4. Understand your obligations to your vendors. Check all your contracts to make sure the data sharing sections of those contracts align with the laws.
  5. Make sure your privacy notices on your website are aligned with your data practices.

Is California really enforcing the CPRA?

The short answer is yes. A big case last year that drew headlines was against Sephora, where the California attorney general fined them for failure to implement global protection controls on the company’s website. Consumers must be able to opt out of having a company sell, disseminate, or share their personal information. Some people use an extension on their browser called Global Privacy Control to control the privacy of their personal information across all websites, and Sephora failed to honor those controls.  As a result of the Sephora case, companies will need to add an annual website audit as part of their due diligence.

Enforcement of the new CPRA goes into effect July 1st, 2023, and applies to violations happening on or after that date. Until then, CCPA regulations still apply.

For more information, watch our recent half-hour webinar here.