Ask the Experts: Are You Ready for the CPRA?
You’ve got questions about the California Privacy Rights Act (CPRA), and we’ve called in top-notch legal experts to answer them. Our picks? Demeka Fields, New Balance’s Global Sports Marketing and Data Privacy Counsel, currently residing in Minnesota, and Debbie Reynolds, “The Data Diva,” hailing from Chicago. The two recently joined the Ironclad community for a virtual Q&A on preparing for the CPRA. Here’s what they discussed.
What is the CPRA, and how is it different from the CCPA?
The California Privacy Rights Act (CPRA) is a new consumer data privacy law passed in California that goes into effect in January 2023. The CPRA is a set of rules that clarifies and augments the California Consumer Privacy Act (CCPA) that went into effect in January 2020.
Some significant features of the CPRA include:
- Creating a California Privacy Protection Agency (CPPA)
- The new right for individuals to request correction of data
- A new definition for sensitive data that is derived from multiple data points
The CCPA is a foundational law that lays out comprehensive data privacy rights for individuals and the responsibilities of businesses to protect the data of California consumers and give transparency and have consumers be able to have the sale of their data stopped.
Both the CCPA and the CPRA work together to form a robust consumer-based set of regulations.
How does CPRA impact B2B vs. B2C?
Both B2B and B2C organizations will be impacted as a result of CPRA. Businesses who work directly with consumers are affected more by CPRA because they have more responsibility for how customer data is collected and handled.
However, business-to-business organizations are often indirectly impacted due to third-party data transfers or agreements. For example, primary businesses may require contracts that third-party companies must align with CPRA to do business with them. This may include special arrangements about data flows and data management.
With Silicon Valley being in California, it will be very influential in designing products that help businesses comply with the transparency requirements of CPRA and other data privacy regulations. As a result, laws like CPRA will have a significant impact on all kinds of companies.
Why should you start preparing for CPRA now?
Two new features of CPRA that businesses need to prepare for now are the consumer right to correction and the removal of a 30-day “cure” period for businesses.
The CPRA added the right for consumers to correct their information that enterprises have about them. Although this may seem like a minor change, it is major because previously in the CCPA, businesses could give individuals categories of data they may hold about them and allow those individuals to request deletion. With the new CPRA right to correct the data, businesses will have to develop processes and procedures and be even more transparent about the data they hold on individuals. The act of correcting data will force businesses to operate with data in new ways they may have never done before.
The new California Privacy Protection Agency (CPPA) that will be created due to CPRA will manage privacy in California instead of these issues being handled by the California Attorney General. With an agency dedicated to this and enforcing both the CCPA and the CPRA, by the time this agency is established in 2023, businesses should be well aware and prepared to comply with these privacy laws. As a result, the 30-day cure period under CCPA will be eliminated under CPRA in 2023.
How is privacy a business advantage?
Privacy is a business advantage because consumers are getting more savvy about their data rights, and they are wanting more transparency and control over their data. Consumers will share more data with fewer companies because currently, consumers have trust issues with many companies.
Consumers will spend money with companies they trust, and companies that consumers trust will make a lot more revenue. We have recently seen Apple have their highest-earning 4th quarter ever in 2020, partially because of their iOS14 update that brought more control and transparency for how businesses use consumer data.
What can you start doing?
The best way to start getting ready for CPRA is to understand which parts of the law apply to your business, because not every part of the law will apply to all businesses.
It is also essential to understand how your company will respond to the data subject access request or notice from regulators about data practices. It is vital that companies try to minimize using consumer data if it is not necessary for business purposes.
How does sharing data with public entities subject to open records laws impact an organization’s ability to comply with CPRA?
The significant issues with public entities and open records laws related to CPRA and other types of privacy laws are that these laws all have very different definitions of private information. As a result, some things like maybe an email address and someone’s account number together may be deemed as personal information under some of these privacy laws.
The problem with this is that there may be many data capture fields used in open records that may not have been deemed private before but may now be considered private, personal, or sensitive. It is essential for organizations that have to do anything with open records to review the personal or sensitive data definitions of CPRA and adjust disclosure accordingly.
What are the top CPRA takeaways?
The top CPRA takeaways are focused on transparency, process and procedures, and vigilance.
First, businesses need to be transparent with their customers. If businesses are not transparent with their customers, the customers will not trust them and will move on to other companies they trust. Also, transparency will help enterprises serve the customer better and have the data needed if asked to provide it to regulators in California.
Second, businesses need to have a process and procedures in place to handle data requests and also to be able to take action on data if required. For example, this means that businesses need to have a process and procedure in place for individuals to make data subject access requests. Also, companies need to have a strategy for correcting data per the customer requests.
Third, businesses must stay vigilant as they grow and they may end up subject to CPRA. For example, suppose your business changes how they collect data, increase California customers, or increase revenue. In that case, they may become subject to CPRA if they had not been previously subject to this law initially.
Ironclad is the #1 contract lifecycle management platform for innovative companies. L’Oréal, Staples, Mastercard, and other leading innovators use Ironclad to collaborate and negotiate on contracts, accelerate contracting while maintaining compliance, and turn contracts into critical carriers of operational business intelligence. It’s the only platform flexible enough to handle every type of contract workflow, whether a sales agreement, an HR agreement or a complex NDA. The company was named one of the 20 Rising Stars on the Forbes 2019 Cloud 100 list, and is backed by leading investors like Accel, Y Combinator, Sequoia, and BOND. For more information, visit www.ironcladapp.com or follow us on LinkedIn and Twitter.
More stories from our team.