Like most things in privacy, California’s privacy law can seem like a letter-salad: CCPA, CPRA — what’s the difference?
There isn’t one. The California Privacy Rights Act (CPRA) was merely the name of the bill passed to amend the California Consumer Privacy Act (CCPA) to align it better with the EU’s General Data Protection Regulation (GDPR). The new version of the CCPA, the CPRA, adds a few more rights to citizens, but it also helps companies looking for some relief in streamlining compliance. And it appeases consumers who weren’t entirely satisfied with how the regulations ended up.
Because of the CPRA, however, there are some upcoming dates you need to pay attention to.
On Jan. 1, 2023, the new CPRA regulations will come into effect. The most significant changes affect which organizations must comply with the CCPA and the type of information those organizations will need to collect. Specifically (though not exclusively):
“But that’s 2023!” you’re thinking. “That seems like an eternity from now!”
That’s why the so-called “look back” provision is a sneaky part of the law that can bite you if you’re not paying attention now.
The CPRA says that, starting on Jan. 1, 2023, consumers need to be able to access all of the data you’ve ever collected about them (everything, including the categories of vendors and service providers you’ve shared data with), and that you need to be able to produce everything going back to Jan. 1, 2022, on day one.
That means you need to start collecting data in the right way on Jan. 1, 2022, even if the CCPA doesn’t apply to your business until 2023.
As of that 2023 date, too, you’re going to need to start changing your data retention policies and probably your meta-tagging if you’ve got a sophisticated data governance system at all. While the CCPA originally mandated you be able to produce data you’ve collected over the last 12 months, as of that date, you’ll have to show everything you’ve got starting from that date.
So, even if someone asks for their data in 2035, you’ll have to be able to produce anything you’ve collected going back to Jan. 1, 2022.
Make sense?
If you’re already complying with the CCPA, this really shouldn’t be much of a problem. Essentially, you have the next couple of months to make the following substantial changes, to go live on Jan. 1, 2022:
Suppose you’re newly covered by the CPRA. After all, the umbrella is expanded to any company that shares the data of 100,000 Californians, not just those that buy or sell it, or that makes 50% of its revenue from sharing the personal data of Californians. If so, you’re going to have a more difficult row to hoe on Jan. 1, 2022, because that’s when you’re going to need to start your regimented data collection and mapping program.
At that point, you’ll have to implement the operational capacity to quickly organize all of the data you hold about a specific individual and be able to produce it, delete it, etc. — within 30 days. And you’ll need to be able to track where that data went and who currently has it in their possession.
While the consumer can’t make the request that you produce their data until Jan. 1, 2023, remember that request will cover all of the data going back to Jan. 1, 2022. While you may be able to create a system in the middle of 2022 that will retroactively wrangle up everything back to Jan. 1, it’s likely to be much easier if you’ve already started tagging and categorizing the data when the look-back period begins.
And you’ll be really happy on Jan. 1, 2023, because much of the heavy lifting for being able to comply with the CCPA — with the new CPRA provisions — will already have been done.