How to comply with the California Privacy Rights Act 'look-back' provision

Like most things in privacy, California’s privacy law can seem like a letter-salad: CCPA, CPRA — what’s the difference? 

There isn’t one. The California Privacy Rights Act (CPRA) was merely the name of the bill passed to amend the California Consumer Privacy Act (CCPA) to align it better with the EU’s General Data Protection Regulation (GDPR). The new version of the CCPA, the CPRA, adds a few more rights to citizens, but it also helps companies looking for some relief in streamlining compliance. And it appeases consumers who weren’t entirely satisfied with how the regulations ended up. 

Because of the CPRA, however, there are some upcoming dates you need to pay attention to.

On Jan. 1, 2023, the new CPRA regulations will come into effect. The most significant changes affect which organizations must comply with the CCPA and the type of information those organizations will need to collect. Specifically (though not exclusively):

• Even companies who simply “share” data will be covered, not just those who sell it. 
• You now have to tell consumers the categories of service providers and third parties you share their data with, not just those you sell to. 
• Employee data is no longer exempt. 
• Consumers can not only ask you to delete their data; you have to extend that deletion to anyone you’ve shared their data with. 
• There are new principles around data minimization and retention that basically say: You have to demonstrate why you deserve to still have a customer’s data. 
  
  

“But that’s 2023!” you’re thinking. “That seems like an eternity from now!”

That’s why the so-called “look back” provision is a sneaky provision of the law that can bite you if you’re not paying attention now. 

The CPRA says that consumers need to be able to access all of the data you’ve ever collected about them — everything! Including those categories of vendors and service providers you’ve shared data with — starting on Jan. 1, 2023, and that you need to be able to produce everything going back to Jan. 1, 2022, on day one.

That means you need to start collecting data in the right way on Jan. 1, 2022, even if the CCPA doesn’t apply to your business until 2023.

As of that 2023 date, too, you’re going to need to start changing your data retention policies and probably your meta-tagging if you’ve got a sophisticated data governance system at all. While the CCPA originally mandated you be able to produce data you’ve collected over the last 12 months, as of that date, you’ll have to show everything you’ve got starting from that date.

So, even if someone asks for their data in 2035, you’ll have to be able to produce anything you’ve collected going back to Jan. 1, 2022. 

Make sense? 

If you’re already complying with the CCPA, this really shouldn’t be much of a problem. Essentially, you have the next couple of months to make the following substantial changes, to go live on Jan. 1, 2022:

• Create a list of service providers and contractors with which you share data, categorize them and add them to the list of third parties and businesses with which you were selling data. The law does not say which categories third parties, vendors, and service providers might fall into. You get to come up with the names. A quick Google search will turn up what a variety of privacy consultants and tech vendors have come up with. Cobble something together. As long as it has some logic to it, you’ll be fine. 
• Theoretically, you’ve already done this for third parties and businesses you sell data to; this just expands the universe to vendors and service providers with which you share data. For example, you might already sell data to “data brokers” and “social networks,” but you’ll need to add a category for “mail house” now because you share data with them when you do mass mailings. 
• For every customer and employee file, begin creating a field for “categories of vendors and service providers data is shared with” or something similar.
• Change your data retention policies so that “keep everything for 12 months” is changed to “keep everything going back forever as long as you’re still using it.” 
• The law doesn’t actually require you to keep data for any length of time. You can delete it immediately if you want to, and it’s not serving any other purpose. But if you’re still using it for something, or you just still have it lying around somewhere, you need to provide it to the data subject who’s asking for you to produce it. 
  
  

Suppose you’re newly covered by the CPRA. After all, the umbrella is expanded to any company that shares the data of 100,000 Californians, not just those who buy or sell, or which does 50% of its revenue via the sharing of personal data of Californians. If so, you’re going to have a more difficult row to hoe on Jan. 1, 2022, because that’s when you’re going to need to start your regimented data collection and mapping program. 

At that point, you’ll have to implement the operational capacity to quickly organize all of the data you hold about a specific individual and be able to produce it, delete it, etc. — within 30 days. And you’ll need to be able to track where that data went and who currently has it in their possession. 

While the consumer can’t make the request that you produce their data until Jan. 1, 2023, remember that request will cover all of the data going back to Jan. 1, 2022. While you may be able to create a system in the middle of 2022 that will retroactively wrangle up everything back to Jan. 1, it’s likely to be much easier if you’ve already started tagging and categorizing the data when the look-back period begins. 

And you’ll be really happy on Jan. 1, 2023, because much of the heavy lifting for being able to comply with the CCPA — with the new CPRA provisions — will already have been done.