Ch-Ch-Ch-Changes
Hello all, and thanks for reading today.
Updated: February 17, 2022
Published: December 10, 2021
Hi! Happy holidays! I’ve been watching very corny Netflix holiday movies, like “Christmas with a Prince.” I refuse to apologize. It’s just that time of year, even after a terrible year globally, that things start to feel nostalgic and cozy. It’s not that I enjoy the movies; it’s just that they put me in the mood for wildly long hours with awkward relatives and snuggling with my mom back in Maine. And that’s where I’m headed tomorrow!
Anyway: This week, I hosted a chat among three privacy experts on the new California law. We had a healthy crowd, but I know some of you would have liked to hear about the California Privacy Rights Act but couldn’t attend. Here are some of the main points:
Remember, the CPRA comes into effect (in full) on Jan. 1, 2023. It applies to companies that brought in gross annual revenue of more than $25 million in the previous year, or that buy, receive or sell the personal information of at least 100,000 California residents, households or devices.
Does CPRA change the legal compliance landscape significantly?
Yes. Companies now need to take a deep dive into their data and figure out what information they collect, where it’s stored and how it’s used. It’s also imperative to look at third parties with whom you might share that data and ensure they have the right contracts in place to keep your user data secure. If you’ve done GDPR compliance, you should have most of the basics down. But if privacy hasn’t been a priority for your company yet, you’re going to need to allocate resources and start moving.
Biggest changes in the landscape?
The CPRA creates:
Look-back provision
The look-back provision requires companies to provide the personal information they’ve collected on or after Jan. 1, 2022. So even though the CPRA doesn’t come into effect until 2023, this part of the law actually “looks back” at the year prior. If a consumer makes an access request, meaning they want to know what data you’ve collected about them, you have to be able to show them the data you’ve collected about them since Jan. 1, 2022.
How does the CPRA change user rights?
The CPRA implements several expanded user rights. For example, users have the right to opt out of cross-contextual advertising, users’ rights to data deletion have been expanded, and the right to data portability has been expanded. Users now have the following rights under CPRA.
What should I do first?
Start data mapping. And not with an Excel spreadsheet, if you can help it! Use an automated tool to figure out what data you have, where it is and with whom you share it. Once you have a picture of what’s happening with the data your company collects, you can make smart decisions about handling it according to the law’s mandate.
For now, enjoy this roundup of the big privacy news since I last wrote you, and I’ll see you next time.
Government’s ‘listening sessions’ on privacy and civil rights revive efforts for federal law
As we reported in last week’s Privacy Insider, the U.S. National Telecommunications and Information Administration has announced it will host a series of “listening sessions” on how data collection impacts equity and civil rights. Former FTC director Jessica Rich writes for JD Supra and states that the announcement is significant because the NTIA is “the President’s principal advisor on information policy issues,” and its focus “affirms that the link between privacy and civil rights is now a widely accepted policy position.”
Cyberattacks and ransomware dominated 2021
CNET reports on the cyberattacks that dominated headlines throughout 2021, disrupting governments, major companies and supply chains. There was the January attack against SolarWinds, which the FBI and NSA suggested Russia backed. Then there was the Colonial Pipeline ransomware case, among others. According to the Department of Treasury, suspected ransomware payments totaled $590M for the first six months of this year, surpassing the $416M in payments in all of 2020.
How to leverage Apple’s iOS update to gain competitive advantage
Apple’s recent iPhone update has impacted millions of users and the brands trying to get in front of their eyeballs. The iOS 15 changes put restrictions on marketing and data tracking, and many brands have reported losses as a result. The Drum reports on ways brands can leverage the changes to improve strategy and gain a competitive advantage.
Defense bill draft excludes provisions on mandatory cyberattack reporting
In the US, negotiations on a “must-pass defense bill” have excluded provisions that would have required many companies to report major cyberattacks and ransomware payments to federal officials, CyberScoop reports. “It’s a big setback for backers of the reporting mandates, as attaching provisions (of the agreement) has been the path for a number of monumental cyber ideas to become law,” the report states.
Canadian commissioner: Gov’t must make privacy reform a priority
Canada’s privacy commissioner said the government “must make privacy reform a priority,” in his annual report to Parliament this week. “There is no doubt that the modern economy will increasingly depend on the value of data,” Commissioner Daniel Therrien said. “The new Parliament must legislate to enable responsible innovation, but this should be done within a rights-based framework that recognizes the fundamental right to privacy.”
Jamaica appoints its first data protection commissioner
Jamaica’s first data protection commissioner, Celia Barclay, took office effective Dec. 1. The commissioner was appointed under Jamaica’s Data Protection Act, which passed in 2020. Barclay will be responsible for ensuring compliance with the law, advising the government on data privacy issues and spreading public awareness, reports the Jamaica Gleaner.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.