CCPA: It Ain't Over Till It's Over (And When It's Over, It Starts Again)

By Jodi Daniels

Yogi Berra’s 1973 New York Mets roster was full of stars like Hall of Famer Willie Mays, Cy Young Award winner Tom Seaver, and 1972 Rookie of the Year Jon Matlock. Fans and team owners alike expected a dominant season, but after a bad run of injuries and poor play, the Mets were last in the National League East with a month left in the regular season.

But Berra knew his team had the potential and the experience to win, hence one of his most famous Yogi-isms: “It ain’t over until it’s over.” With healthy players and a refusal to quit, the Mets ended up taking the National League pennant with the lowest winning percentage in history.

The maxim still applies. Like the Mets’ 1973 season, data privacy compliance isn’t ever over, even if it looks like it is.

In 2018, California passed the United States’ first comprehensive data privacy law, the California Consumer Privacy Act or CCPA. It was based on principles found in the European Union’s General Data Protection Regulation (GDPR) and fundamentally changed the way many U.S. businesses collect and process consumer data.

When the CCPA went into effect in 2020, it became apparent that regulatory gaps in the legislation prevented it from having its desired impact. Taking to heart the saying “If at first you don’t succeed, try, try again,” voters in CA passed an amendment in 2020 that closed some loopholes in the CCPA.

The 2020 amendment, known as the California Privacy Rights Act (CPRA), establishes new consumer rights, business obligations, and enforcement mechanisms designed to give individuals expansive control over the way their personal information is collected, used, and processed online.

CPRA becomes effective in January 2023, which means a lot of companies are focused on getting ready for it. But with only 11% of companies currently meeting all CCPA requirements, focusing wholly on CPRA won’t cover all your bases.

Like déjà vu all over again: CCPA vs. CPRA

In 1961, when Mickey Mantle and Roger Maris hit back-to-back home runs during their race to meet Babe Ruth’s single-season home run record, Yogi Berra declared: “It’s déjà vu all over again.”

CCPA and CPRA were passed so close together and are so similar that even privacy professionals get confused. Are they separate laws? Does CPRA replace CCPA? Which rules are different? If I’m CCPA compliant, am I also CPRA compliant?

Here’s the skinny: CPRA is an amendment to CCPA. Many of the consumer rights and business obligations are the same, but there are a few critical updates.

CPRA UPDATES

NEW CONSUMER RIGHTS

Right to correct inaccurate personal information

Right to delete personal information entirely

Right to opt out of automated decision-making technology (loan decisions, etc.)

Right to opt out of having personal data sold or shared with third parties (including for cross-contextual or behavioral advertising)

Limits the use and disclosure of sensitive personal information (SSN, precise geolocation, religious or philosophical beliefs, ethnicity, medical history, biometrics, gender, sexual orientation, etc.)

Broadens the ability to request information about data (what types of data are collected as well as where, why, and how it was collected)

NEW BUSINESS OBLIGATIONS

Expands notification requirements both at the time of collection and in privacy notices (length of retention periods, types of sensitive data being collected, added consent for consumers under 16)

Increases regulations for data subject access requests (two methods of contact, accurate identity verification processes, etc.)

Ensures that contractors and third parties are compliant and operations are governed by a contract

Mandates annual cybersecurity audits and regular risk assessments (especially when sensitive personal information is involved)

Treats the sale and sharing of personal data as virtually synonymous (money doesn’t have to change hands for data to be considered “sold”)

Adds principles (data minimization, purpose and storage limitations, etc.)

NEW ENFORCEMENT MECHANISMS

Creates the California Privacy Protection Agency

Expands private right of action (now includes email addresses with passwords or answers to security questions)

Increases the threshold for compliance from 50,000 to 100,000 records

CPRA has enough requirements to seem overwhelming, so it’s understandable that businesses who have been dragging their feet on data privacy might panic and hit CPRA hard. But if you build a privacy program based on the CCPA, getting CPRA compliant will be much easier.

One of the biggest motivators to finally taking California’s privacy laws seriously is the new, fully-funded California Privacy Protection Agency. It’s anticipated that adverse findings, fines, and injunctive actions will dramatically increase thanks to the creation of an agency solely dedicated to CCPA/CPRA enforcement.

You don’t have to swing hard to hit a home run—if you got the timing, it’ll go

Berra’s quote about hitting fundamentals also applies when it comes to getting CCPA compliant. It’s more about mastering the basics than executing showy but empty gestures.

Here are six data privacy best practices that will help you establish compliance:

Create a cross-functional, multidisciplinary privacy team
Map your data
Develop transparent processes for disclosure and individual rights requests
Create opt-out processes for the sale or sharing of personal information
Establish and strengthen security measures
Update your privacy notices

Create a cross-functional, multidisciplinary privacy team

Every department plays an important role in building a culture of privacy, which means that you need input from everyone from customer service to marketing to accounting if you want your privacy compliance efforts to be both successful and agile. A cross-functional team is more likely to develop processes that work efficiently for everyone and reduce friction between teams.

Map your data

A data inventory, also known as a data map, will show you:

What types of data you’re collecting
Where you’re collecting it from
Where, how, and how long you’re storing it
How data is being used
Who has access to it

If you don’t know the information listed above, it will be almost impossible to effectively update your privacy notice, create functional processes for handling individual rights requests or data subject access requests (DSARs), and meet security requirements.

Develop transparent processes for disclosure and individual rights requests

Once you understand how consumer data interacts with your processes and flows through your operations, you can develop the processes necessary for managing your users’ individual rights within statutory timelines.

If you can’t respond to those requests in a timely and thorough way, your teams will waste time and energy handling them, and you'll probably find yourself on the wrong side of the CPPA eventually.

Create opt-out processes for the sale or sharing of personal information

The CCPA requires that consumers be given the ability to opt-out of having their personal information sold for the purpose of targeted or behavioral marketing.

The CPRA ups the ante by mandating users be given additional options for keeping their sensitive personal information out of advertising and automated decision-making processes. It also stipulates that they be given the ability to opt-out of having their data shared with third parties, not just sold to them.

If this feels like a future worry for businesses, it’s not. The first CCPA enforcement action recently took place—a $1.2 million fine to Sephora for failing to disclose information about the sale of personal information, as well as failing to provide a “Do Not Sell My Personal Information” button and for not implementing Global Privacy Control (GPC).

The time, my friends, to take care of privacy is now.

It will be much harder to meet the increased CPRA requirements if you haven’t created the basic opt-out processes required by the CCPA.

Establish and strengthen security measures

Privacy teams aren’t necessarily responsible for cybersecurity, but that doesn’t mean they are entirely off the hook when it comes to data security.

While cybersecurity tools are critical for maintaining data privacy, there are a lot of process protocols that go a long way towards keeping your data secure. For example, strict password requirements and the principle of least privilege keep access limited to people with the proper authorization. Guidelines governing public WiFi use and the use of work devices for personal business (or vice versa) can prevent bad actors from gaining entry into your systems.

Implementing these practices alongside your cybersecurity program creates redundancies that build layers of protection around your customers’ data.

Update your privacy notices

Your privacy notice should accurately describe the full scope of your data management program, which is pretty easy to do if you’ve mapped your data and dialed in your processes. You also need to make sure they are deploying before any data is collected and use the appropriate opt-out/opt-in mechanisms.

When you come to a fork in the road, take it

When MLB catcher Joe Garagiola needed directions from New York to Berra’s house in Montclair, Berra told him, “When you come to a fork in the road, take it.”

While not quite as helpful as Google Maps, Berra’s advice works well for building a privacy program. Instead of worrying endlessly about doing everything right from the very beginning, just start. Even if you make mistakes, you’ll accomplish more by trying than by spinning your wheels.
Jodi Daniels is a Certified Informational Privacy Professional with more than 20 years of experience helping businesses from solopreneurs to multi-national companies in privacy, marketing, strategy, and finance roles.

Market News and Data brought to you by Benzinga APIs