The CCPA is now the CPRA. Welcome to the ever-evolving world of data privacy laws! With California leading the charge through the California Privacy Rights Act (CPRA), it can feel like the rest of the country is lagging behind. But as we dive deeper into the complexities of the CPRA, it’s important to remember that other states, such as Virginia, Colorado, Connecticut, and Utah, have their own privacy laws to consider. Here, we’ll take a closer look at the CPRA and the key differences between it and other state laws, and at how experience with the GDPR can be instructive. We’ll also discuss how to focus your bandwidth and resources through mid-2023, and where to keep an eye on ongoing rulemaking. Buckle up, and let’s dive in!
CCPA is now the CPRA and in effect: the countdown to compliance begins
The CPRA went into effect on January 1, 2023, and enforcement is scheduled to start July 1, 2023. Although regulators may look back at conduct from earlier in the year, this gap gives businesses some breathing room to refine their compliance programs and avoid costly enforcement actions. With the ongoing delays in finalizing regulations, many are wondering whether the enforcement date will be pushed back further. While we wait for guidance, it’s important to keep implementing the CPRA. That includes understanding its impact on HR and B2B operations, as well as on vendor relationships.
Let’s not forget the other states making moves in the privacy arena. Virginia, Colorado, Connecticut, and Utah all have privacy laws that could affect your organization. In general, these laws require affirmative, opt-in consent to process sensitive personal data, grant a right to opt out of certain profiling, and give consumers the right to appeal a denied request. Colorado adds more enforcers (district attorneys alongside the Attorney General) and a universal opt-out mechanism. Utah’s requirements are generally less burdensome, but its law is still one to keep on your radar.
CPRA compliance 101: the importance of data mapping
One of the key areas to focus on in preparation for the CPRA is data mapping. The act adds an explicit definition of “Sensitive Personal Information” (SPI) and creates a new right for Californians to limit its use. Your data map may therefore need to be revisited so you fully understand where and how SPI is used within your organization, and how its use can be limited. Because the employee and B2B exemptions expired on January 1, 2023, the CPRA now covers all California residents whose data you handle, not just customers. Your data map must therefore include human resources information systems such as payroll, recruitment, benefits and perks, performance, and employee sentiment, and the procedures you use to respond to rights requests must be adapted to cover these new groups. California privacy risk assessments will also be required; details are sparse until regulations are adopted, so it is a best practice to lean on guidance for the analogous Data Protection Impact Assessments under the EU’s General Data Protection Regulation (GDPR).
In addition to data mapping, it’s important to update your privacy policies and relevant employee handbooks. As CCPA is now the CPRA, it brings expanded transparency obligations covering SPI, such as the requirement to specifically address SPI in your privacy notice. And, as under the GDPR, workforce members need to understand their employer’s privacy practices as they apply to them. Internal privacy policies and employee handbooks should include updated guidance on HR privacy practices and on how to exercise privacy rights. In particular, it is a best practice to have a separate process for responding to employees’ rights requests; a team in HR or the legal department is the more appropriate handler for requests that could involve very sensitive employee data.
CPRA & putting the pieces together
Another important step is to carefully review overlapping state and federal laws, particularly those covering labor, health, nondiscrimination, and financial record integrity. There are carve-outs and exemptions, so it’s important to understand the nuances and the differences that matter in practice. Note that HR and B2B data is broadly exempted under the state privacy laws outside California.
It’s also important to update service provider agreements. Like under the GDPR, service providers must follow and not exceed specific, written contractual boundaries. Responsibilities, limitations on use, rights support obligations, and liability assignments need to be included in vendor contracts.
Finally, it’s important to keep track of ongoing rulemaking. The first set of updated CCPA/CPRA regulations is likely to be finalized in Q1 2023. Rulemaking on topics such as automated decision-making, privacy risk and cybersecurity assessments, and HR data handling will take longer. The Colorado Attorney General is also engaged in intensive rulemaking, with a July 1, 2023 deadline to finalize regulations.
Staying ahead of the privacy curve
While California may be the 900 lb gorilla in the room, other states are also making moves in the privacy arena. Data mapping is key: CCPA is now the CPRA, and it adds an explicit definition of “Sensitive Personal Information,” covers HR data, and creates new rights for Californians. Stay informed about the differences that matter between state laws, and between state and federal laws. Preparing for the CPRA can be difficult given the uncertainty caused by delayed regulations, so focus on the core data privacy obligations that will form a strong foundation for your privacy program in California and in any other state. Keep an eye on ongoing rulemaking as regulatory guidance continues to evolve, and remember that it takes time for best practices to develop. So, stay informed, stay compliant and stay positive.
SixFifty can help
SixFifty’s California Privacy toolset helps businesses quickly and easily generate customized documents that comply with the CPRA. All-US Privacy covers all five state privacy laws—including California—and when more states pass data privacy laws, they’ll be added to the platform at no extra cost.
Want more information? Request a demo to see the tool in action.