By Ben Brook
December 9, 2020âą5 min read
Californiaâs Proposition 24 has now passed, bringing amendments to Californiaâs landmark California Consumer Privacy Act (CCPA) in the form of the California Privacy Rights Act (CPRA). Below we break down the biggest areas that can impact the privacy engineering projects at your company, and how you handle personal data.
You can use this cheatsheet in the review of your future strategy, but itâs worth noting thereâs still a fair amount to be worked out on the legislative front ahead of a January 2023 enforcement timeline.
Many are also watching to see what pressure CPRA could exert on a push for federal U.S. legislation in 2021 and beyond.
Read on if youâre responsible for privacy engineering at a company with more than $25M in revenue or sells, buys or shares the data of more than 100,000 California residents or derives at least 50% of annual revenue from sharing or selling California data (and even if this doesnât describe you, a lot of other states are looking at CA as a model, so itâs worth getting up to speed on the kinds of changes that may be on the horizon for every US company).
The CPRA calls for more robust and nuanced data rights controls for consumers, which will have downstream effects on what your internal privacy infrastructure and schemas will be required to handle. Specifically, companies will need more precise inventory and classification of all data in every datastore â and the ability to restrict access and use by specific internal systems.
Of note, the CPRA includes an expanded list of the type of information consumers are able to limit for commercial use (e.g. you canât use that information), including âgovernment identification numbers (e.g., Social Security numbers, driverâs license numbers, and passport numbers); debit card and credit card numbers in combination with required security or access codes, passwords, or credentials; a consumerâs precise geolocation, religious beliefs, racial or ethnic origin, biometric information, sex life or sexual orientation information; and contents of a consumerâs mail, email, or text messages unless that business is the intended recipient.â
Note that precise geolocation information is now included in the data that consumers can limit. ââPrecise geolocationâ means any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of one thousand, eight hundred and fifty (1,850) feet, except as prescribed by regulations.â
Precise geolocation data (equal or less than 1,850 feet radius) is now included in the data that consumers can limit under CPRA. (Image via mapdevelopers.com, Map data Copyright Google 2020)
Additionally, CPRA extends the current 12-month window that California consumers are able to request access to all categories of personal information collected by companies to a time period of âindefinitelyâ (beginning January 1, 2022). This timeframe change requires that businesses provide access to all categories of personal information collected âunless doing so proves impossible or would involve a disproportionate effort.â
With CPRA, users will now be able to opt-out of the âsale or sharing of their personal information.â A couple of implications here: (1) The obvious is that your frontend opt-out features will need to now include the expanded language. (2) On the backend, this likely means youâll have to build more opt-out suppression logic. (3) Additionally, you may have to include more of your third party SaaS vendors in the scope of your user data suppression logic.
On point three, letâs look at an example. Your company may currently operate with the guideline that user data shared with a SaaS vendor for âcross-context behavioral advertisingâ (think Google or Facebook ads) does not meet the current requirements of a âsaleâ under CCPA (this is a common legal interpretation that dictates engineering structures). Thus, it is not a scenario that youâve had to configure suppression logic for to date.
Looking forward, under CPRA and the expanded definition of âshare,â your input guidelines may change and youâll likely need to create individual opt-out flows for any vendor that you share user data with for behavioural advertising reasons (Facebook, Snap, Google Ads, etc).
Perhaps the most impactful on your companyâs privacy infrastructure is the requirement under CPRA that consumers be able to âcorrectâ certain personal information that businesses have about themâfrom gender to government-issued identifiers. If your data privacy flows include accessing and deleting data, be prepared to consider the engineering systems and features necessary for giving users the ability to âcorrectâ data in your datastores. This will likely take significant time and resources to build, so start now to secure the staff and technical investments youâll need.
If your organization holds user data on minors, which is defined by CPRA as individuals under 16 years of age, thereâs a tripling of the penalties for intentional childrenâs privacy violations, with a fine of $7,500. Expect increased requests from your legal colleagues on making sure that the data of minor users are handled appropriately and ready for access, deletion, opt-out or correct requests across your tech stack, including internal data stores and in all of your SaaS vendor systems. This is another area where accurate and complete data inventory and labeling are critical.
There will now be a dedicated privacy enforcement agency, the California Privacy Protection Agency, to implement and enforce the new legislation. The new enforcement agency is likely to increase scrutiny of data privacy processes and overall adherence to UX and process requirements. The agency is expected to include technical experts to help with enforcement, which marks a difference in oversight knowledge of the enforcers when compared to the current legislationâs reliance on the Attorney Generalâs office for prosecution.
If your team oversees website optimization, thereâs an increased push on transparency and user experience in the CPRA.
Specifically, companies will need to update the display of a âdo not sell or share my dataâ button prominently on the website homepage. Youâll also need to review or enhance signals to honor a userâs web browser setting (or other mechanisms) that expresses an opt-out preference. Youâll also need to add paths for allowing consumers to âLimit the Use of My Sensitive Personal Information.â
Additionally, if your company currently uses website âcookie bannersâ that have misleading or dark patterns to encourage a web visitor to click âaccept,â youâll need to build a new UX that is more transparent.
In addition to the six elements noted above there are a number of other impacts to the engineering department, including increased audit and security requirements, as well as various UX and process components.
Transcend is known for our third party data privacy integrations and advanced data privacy infrastructure. Letâs talk if you are scoping out the internal engineering resources required to build download or deletion logic, vendor deletion processes, or consent logic to ensure coverage.
By Ben Brook