The California Privacy Rights Act (“CPRA”) compliance deadline is fast approaching. Is your house in order? Don’t let the CPRA’s January 1, 2023, implementation date or the July 1, 2023, enforcement date sneak up on you! If you’re like many of our clients, you’ve heard a lot about the passage of the CPRA. You may have also heard about the CPRA’s new draft regulations approved in June by the new California Privacy Protection Agency (“CPPA”). These regulations are poised to significantly expand and codify privacy rights and procedures for a wide range of businesses that handle the personal data of California consumers.

If you haven’t prepared yet, don’t sweat: there’s still time to get ready. And even though specific compliance requirements under CPRA regulations remain in draft form, you can still take concrete steps today to get ready. There’s no reason to put CPRA compliance on the back burner until the regulations are finalized.

Join Zasio’s Frank Fazzio, CIPP-US / IGP / CRM for a workshop webinar on tackling the most high-priority items on the CPRA compliance checklist so that your organization can avoid a last-minute scramble as the deadlines approach. The presentation will cover:

– Conducting a Personal Information Inventory
– Identifying Sensitive Personal Information
– Setting Personal Information Retention Policies
– Policies, Consumer Notices, Opt-Outs
– Responding to Consumer Requests (Deletion, Correction, Information)
– IT Security Precautions

Take the stress out of CPRA compliance prep with Zasio. We’ll see you there!

CPRA Prep Workshop
Date: August 10, 2022
Time: 1:00 P.M. MT
Cost: Free

 

Register for Workshop

Data privacy regulations have been a hot topic in the ever-changing discussion of consumer privacy. So far in 2021, 27 bills have been proposed in states which seek to implement new or change existing data privacy laws.[1] By comparison, only two state-level bills were introduced in all of 2018.[2]

One of those 2018 bills was the California Consumer Privacy Act (CCPA), a wide-reaching statute designed to enhance online consumer privacy for California residents.[3] On November 3, 2020, just nine months after the CCPA became enforceable,[4] California voters passed Prop 24 (also known as the California Privacy Rights Act or “CPRA”), which contains several significant changes to the CCPA.[5] However, businesses still have some time to study and adapt to these changes. The CPRA will only apply to personal information collected by a business on or after January 1st, 2022, and the CPRA does not become operative law until January 1st, 2023.[6] While not yet effective, there is no doubt the CPRA enhancements to the CCPA will be very impactful. Among other things, the CPRA changes what entities are required to comply with the CCPA and also establishes the California Privacy Protection Agency.[7]

CPRA Changes to Regulated Entities

To be regulated under the CCPA, a “business” as defined under California law must satisfy at least one of the following three conditions: (1) has annual gross revenue above twenty-five million dollars; (2) alone or in combination is involved in the buying, selling, or sharing of personal information of fifty-thousand or more consumers, households, or devices; or (3) derives fifty percent or more of its annual revenue from selling consumer’s personal information.[8]

The CPRA makes three fairly significant changes to these jurisdictional conditions.[9] The first is that the numeric threshold of “fifty thousand or more consumers, households, or devices” will be increased to one hundred thousand.[10] The second is that devices will no longer be considered when calculating the jurisdictional threshold.[11] The third is the addition of the phrase “or sharing” to regulate entities that derive fifty percent or more of their annual revenues from selling or sharing personal information.[12] In other words, entities will no longer be able to avoid compliance by claiming that more than fifty percent of their annual revenue comes from sharing information, and not selling it.

Creation of The California Privacy Protection Agency

Currently, the CCPA only allows individuals and the California Attorney General to bring claims alleging CCPA violations.[13] Despite the California AG having the authority to bring claims, though, that office is only equipped to handle a handful of cases per year.[14] Section 24 of the CPRA creates the California Privacy Protection Agency,[15] which will not only administer and enforce actions involving the CCPA but also promote public awareness of online security and provide guidance to consumers and businesses regarding their rights and duties under the CCPA.[16] The creation of an agency funded with ten million dollars to issue sanctions to companies that violate the CPRA should lessen the burden that is currently placed on the California Attorney General.[17]

Conclusion

The CCPA and CPRA have placed California at the forefront of state online consumer privacy laws. Given the large number of California residents (roughly one in eight U.S. residents live there) and businesses subject to these laws’ reach, the CPRA no doubt will increase the CCPA’s already profound impact on only consumer privacy protection. Time will tell the impact California’s approach will have on how other states create and change their consumer privacy laws. Such legislation likely has the impact to cause a ripple effect of creating guidelines as to what entities are governed as well as the creation of enforcement agencies. Contact Zasio today to see how our innovative products and services can help you remain compliant.

 

 

 

 

[1] David McCabe and Cecilia Kang, As Congress Dithers, States Step In to Set Rules for the Internet, N.Y. Times (May 14, 2021), https://www.nytimes.com/2021/05/14/technology/state-privacy-internet-laws.html.

[2] Id.

[3] See Daisuke Wakabayashi, California Passes Sweeping Law to Protect Online Privacy, N.Y. Times (June 28, 2018), https://www.nytimes.com/2018/06/28/technology/california-online-privacy-law.html.

[4] Id.

[5] See Cal. Legis. Serv. Proposition 24 (West 2020).

[6] Id.

[7] Id.

[8] See Cal. Civ. Code § 1798.140(c)(1)(A–C) (West 2020).

[9] See Cal. Legis. Serv. Proposition 24 (West 2020).

[10] Id.

[11] Id.

[12] Id.

[13] See Cal. Civ. Code § 1798.150–155 (West 2020).

[14] Greg Bensinger, A Privacy Measure That’s Hard to Like, N.Y. Times (Oct. 28, 2020), https://www.nytimes.com/2020/10/28/opinion/california-prop-24-privacy.html.

[15] Cal. Legis. Serv. Proposition 24 (West 2020).

[16] Cal. Legis. Serv. Proposition 24 (West 2020).

[17] Greg Bensinger, A Privacy Measure That’s Hard to Like, N.Y. Times (Oct. 28, 2020), https://www.nytimes.com/2020/10/28/opinion/california-prop-24-privacy.html.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Privacy may very well be the fastest-growing area of law so far in the 21^st century. While the US, at the federal level, has resisted a broad privacy law similar to the GDPR, momentum is steadily gaining for privacy legislation at the state level. This blog explores US privacy law’s recent developments from a records and information management (RIM) perspective.

I. Recently Enacted Privacy Legislation

The number of new bills introduced in 2020 broadly regulating privacy illustrates the subject’s popularity. In 2020 there were more than 20 privacy bills introduced at the state level in the US.[1] Federally, there were dozens of bills and discussion drafts introduced during the last two sessions of congress.[2] While most of the recent broad privacy bills met their demise in legislative committees, here are some of the ones that survived and became law.

California’s Privacy Rights Act (CPRA)

The biggest development in US privacy law in 2020 was the passage of the CRPA by ballot initiative during the November election. The CPRA amends the California Consumer Privacy Act (CCPA) in major ways. Here is a summary of these changes:

• New Privacy Authority Created: The CPRA creates the California Privacy Protection Agency (CPPA) and grants it the authority to enforce the act by making rules and investigating non-compliance.[3]
• Creates New Sensitive Personal Information Category: The CRPA provides stricter requirements for sensitive PI, with stricter use and disclosure provisions than regular PI, including Consumers’ ability to restrict use and disclosure for some purposes. Examples of sensitive PI include social security numbers, identification numbers from identification cards such as passports and licenses, financial account information, race, ethnic origin, religion, and genetic information, and precise location information, among others.[4]
• Expanded Rights for Consumers: In addition to their ability to restrict the use of sensitive PI, consumers have several new and expanded rights under the CRPA. These include new rights to correct inaccurate PI, expanded rights to delete PI from third parties, and expanded/modified rights to know, opt-out, notice of collection, and request deletion of PI.[5]
• Revised Regulated Party: The CRPA expands regulated business activities to include parties receiving PI. The CCPA only included parties who buy, sell, or share PI. The CPRA also expands regulated business activities by revising the deriving at least 50 percent of income from selling PI threshold to include profits from sharing PI. However, the CPRA excludes many small businesses previously covered under the CCPA by increasing the threshold number of consumers or households from 50,000+ to 100,000+.[6]
• PI Retention Changes: CPRA has some retention changes similar to requirements in the GDPR. Under the CPRA, businesses now are prohibited from keeping PI unless it’s reasonably necessary to meet a disclosed purpose. Further, businesses must specify the criteria used to determine the retention period for PI categories or the retention period itself at the time of collection.[7]

Like the CCPA, there is a window before the CPRA becomes effective, allowing businesses time to implement compliance measures. The CPRA will become effective on January 1, 2023.

Maine Act to Protect the Privacy of Online Customer Information (35 M.R.S. 9301)

Maine passed a privacy act in 2019, restricting the collection, retention, use, disclosure, sale, or access to customer PI by broadband internet access services. This act provides exceptions, including consent, providing services related to the purpose for collection, direct advertising, and several others.  It also includes requirements for security and protection of consumer PI lawfully collected.[8]

Nevada Amended Security of Information Maintained by Data Collectors and Other Businesses (Nev. Rev. Stat. Ann. 603A)

Nevada revised its PI security law by enhancing requirements for state government controls in the “collection, dissemination and maintenance” of PI.[9]

II. U.S. Privacy Law Trends Leading Into 2020

The year 2020 highlighted an ongoing trend in U.S. privacy laws. For reference, the following includes a summary of additional privacy laws generally applicable to businesses and employers that impact PI retention:

Illinois Biometric Information Privacy Act (740 ILCS 14/)

Section 15 of this law on “Retention; collection; disclosure; destruction” requires private entities possessing biometric identifiers to have a retention schedule specifying disposition “when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.”[10]

Maryland: COMAR 09.12.22.01

This law from Maryland requires employers to retain PI medical information “only for the time needed to accomplish the purpose for access.”[11]

New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act): NY CLS Gen Bus 899-aa and 899-bb

The SHEILD Act requires businesses owning or licensing computerized data containing PI to dispose of the PI “within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”[12]

Texas: Tex. Bus. & Com. Code 503.001

This Texas legislation requires persons possessing biometric identifiers of individuals collected for a commercial purpose to “destroy it within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the identifier expires.”[13]

Utah: Utah Code Ann. 34-46-203

Utah’s latest enacted privacy legislation requires employers to destroy information collected during a hiring process within “two years after the day on which the applicant provides the information to the employer if the employer does not hire the applicant.”[14]

Washington: Rev. Code Wash. 19.375.020

This recent Washington law requires that possessors of biometric identifiers collected for commercial purposes retain them for “no longer than is reasonably necessary to… provide the services for which the biometric identifier was enrolled.”[15]

Federal Children’s Online Privacy Protection Rule: 16 CFR 312.10)

This rule by the US Federal Trade Commissions requires operators of websites or online services to retain PI collected from children for “only as long as is reasonably necessary to fulfill the purpose for which the information was collected.”[16]

Conclusion

The above is just a sampling of privacy laws and many other US privacy laws generally regulate businesses and specific industries. If you need help strategizing how privacy requirements impact your RIM program, Zasio Consulting is here to help, contact Zasio.[17]

 

[1] Arizona (SB1614, HB2729), California (CPRA passed), Hawaii (HB 963), Illinois (SB2263, SB2330, HB5603), Maryland (HB0249, HB0784, HB1656), Minnesota (HF 3936), Nebraska (LB746), New Hampshire HB1236), New Jersey (A2188, A3255), New York (S224, S5642), South Carolina (H4812), Virginia (HB473), Washington (SB6281), Wisconsin (AB870, AB871, AB872).

[2] DATA Privacy Act (H.R.8749), Privacy Office Enhancement Act (H.R.5678), Consumer Online Privacy Rights Act (S.2968), Privacy Score Act of 2020 (H.R.6227), Social Media Privacy Protection and Consumer Rights Act of 2019 (S.189), Privacy Bill of Rights Act (S.1214), Protecting Education Privacy Act (H.R.2724), Moving Americans Privacy Protection Act (S.1302), Passenger Privacy Protection Act of 2019 (S.1206), Genetic Information Privacy Act of 2019 (H.R.2155), Secure Data and Privacy for Contact Tracing Act of 2020 (H.R.7472), Consumer Data Privacy and Security Act of 2020 (S.3456), Online Privacy Act of 2019 (H.R.4978) to name a select few.

[3] The California Privacy Rights Act (CPRA) Section 24. https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf

[4] ID at sections 10 and 13.

[5] ID at sections 3A, 5-12.

[6] ID at section 14

[7] ID at sections 4, 12(7)

[8] Act to Protect the Privacy of Online Customer Information (35 M.R.S. 9301). https://www.mainelegislature.org/legis/bills/getPDF.asp?paper=SP0275&item=9&snum=129

[9] Amended Security of Information Maintained by Data Collectors and Other Businesses (Nev. Rev. Stat. Ann. 603A) Section 210.  https://www.leg.state.nv.us/NRS/NRS-603A.html#NRS603ASec210

[10] Illinois Biometric Information Privacy Act (740 ILCS 14/) Sec. 15 (a).  https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

[11] COMAR 09.12.22.01 (C).  http://www.dsd.state.md.us/comar/comarhtml/09/09.12.22.01.htm

[12] NY CLS Gen Bus 899-bb (2)(b)(ii)(C)(4). https://www.nysenate.gov/legislation/laws/GBS/899-BB

[13] Tex. Bus. & Com. Code 503.001 (c)(3),(c-1). https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm

[14] Utah Code Ann. 34-46-203 (2). https://le.utah.gov/xcode/Title34/Chapter46/34-46-S203.html?v=C34-46-S203_1800010118000101

[15] Rev. Code Wash. 19.375.020 (4)(b). https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.020#:~:text=RCW%2019.375.020-,Enrollment%2C%20disclosure%2C%20and%20retention%20of%20biometric%20identifiers.,identifier%20for%20a%20commercial%20purpose.

[16] 16 CFR 312.10. https://www.ecfr.gov/cgi-bin/text-idx?SID=d2d4616077fe505e154978fae9519ff3&mc=true&node=pt16.1.312&rgn=div5#se16.1.312_110

[17] https://www.zasio.com/consulting-services/