
Considerations of Consumers and Businesses Pursuant to the Development of the CCPA

Written by Domenic Lewis

In 2018, the California Consumer Privacy Act (CCPA), which is one of the most comprehensive data privacy protection policies, was signed into law. It came into effect in January 2020, enforced by the California Office of the Attorney General.[1] In 2020, the California Privacy Rights Act (CPRA), a more comprehensive version of the CCPA that expanded consumers’ rights and shifted enforcement responsibility, was approved by a ballot measure.[2] The CPRA took effect in January 2021.[3]

The CCPA established six new privacy rights for consumers, including the Right to Know, the Right to Delete, the Right to Opt-Out, the Right to Opt-In for the Use of Sensitive Information, the Right to Non-Discriminatory Treatment after Exercising Data Privacy Rights, and the Right to Initiate a Private Cause of Action.[4] The CPRA added two more consumer rights, the Right to Correct and the Right to Limit Use and Disclosure.[5] CPRA also established the California Privacy Protection Agency (CPPA), a five-member committee appointed by the governor, consisting of legal data privacy professionals tasked with further rulemaking, enforcement, and public education about personal data rights and business responsibilities.[6]

The CCPA and CPRA regulate the use of consumer data by businesses that meet one of the three criteria: having a gross annual income of over $25 million, utilizing or distributing the data of more than 100,000 persons, or receiving over half of their income from data collection or use. Nonprofit organizations and government entities are exempt from these policies.[7]

Education of consumers regarding data privacy is a critical policy concern that requires the attention of policymakers.[8] Although the CPPA is responsible for addressing this issue, consumers still need clarification on privacy notices and opt-in/out buttons, as evidenced by cases like People v. Sephora, which resulted in a $1.2 million settlement after a data breach occurred.[9] Despite the CPPA’s efforts, many notices use legal jargon that the average internet user may find difficult to understand.[10]

The CPPA has recognized this challenge and has implemented mailing lists and a well-written website to educate consumers about their data privacy rights.[11] However, these efforts are sometimes insufficient to address the complexity of data privacy policies. Simplifying the opt-out mechanism and improving education are essential to creating a safer, more manageable, and transparent digital environment.

Small and mid-sized companies face challenges in conforming with standards such as the CPRA, CCPA, the European Union’s GDPR, and new legislation in other states such as New York, Virginia, Colorado, Maine, and Nevada.[12] The diverse nature of these regulations makes it burdensome and expensive for businesses to comply with them, possibly hindering innovation and disadvantaging companies with limited capital.[13] A more uniform structure for data collection restrictions could ease the burden on businesses and ensure more consistent rights for consumers.

The CPPA is focused on improving cybersecurity and protecting data privacy for Californians in the future.[14] With approval from the Office of Administrative Law, the CPPA aims to implement annual cybersecurity audits, risk assessments on data processing practices, and regulation of automated systems that could lead to algorithmic discrimination.[15] These measures are outlined in their rulemaking responsibilities in California Civil Code §1798.185.[16]

You can participate in this process by providing valuable feedback during public comment periods.[17] Data breaches and cyberattacks can have severe financial and emotional consequences. Your input can help update and make new regulations that will ultimately protect your personal data and privacy. Stay informed and involved in the rulemaking process by signing up for the CPPA newsletter listed in the footnotes.[18]

[1] CCPA vs CPRA: What’s the Difference?, Bloomberg Law (Jan. 23, 2023), https://pro.bloomberglaw.com/brief/the-far-reaching-implications-of-the-california-consumer-privacy-act-ccpa/.

[2] Id.

[3] Id.

[4] Frequently Asked Questions (FAQs), Cal. Privacy Protection Agency, https://cppa.ca.gov/faq.html [hereinafter FAQs].

[5] Id.

[6] About CPPA, Cal. Privacy Protection Agency, https://cppa.ca.gov/about_us/.

[7] Cal. Civ. Code § 1798.140(d) (2018).

[8] Memorandum from Philip Laird, General Counsel, California Privacy Protection Agency Board, to California Privacy Protection Agency Board (Feb. 22, 2023) (on file with the California Privacy Protection Agency).

[9] People v. Sephora, No. CGC-22-601380, 2022 Cal. Super. LEXIS 79250 (Cal. Super. Ct. Aug. 24, 2022).

[10] Mary Madden & Lee Rainie, Americans’ Attitudes About Privacy, Security and Surveillance, Pew Research Center (May 20, 2015), https://www.pewresearch.org/internet/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/.

[11] FAQs, supra note 4.

[12] Chitresh Kumar et al., Understanding the Interrelationship of Barriers Towards Business Model Re-engineering Under the Evolving Privacy Laws: An Interpretive Structure Modelling Approach, 36 Int’l Rev of L., Comput & Tech. 382, 383 (2022).

[13] Id.

[14] Joseph Duball, Proposed CPRA Regulations Finalized; CPPA Targets April Effective Date, Int’l Ass’n of Privacy Pros. (Feb. 6, 2023), https://iapp.org/news/a/proposed-cpra-regulations-finalized-cppa-targets-april-effective-date/.

[15] Id.

[16] Cal. Civ. Code § 1798.185 (2018).

[17] California Consumer Privacy Act Regulations, Cal. Privacy Protection Agency, https://cppa.ca.gov/regulations/consumer_privacy_act.html.

[18] Subscribe to our Email Lists, Cal. Privacy Protection Agency, https://cppa.ca.gov/webapplications/apps/subscribe/.
