The California Consumer Privacy Act (CCPA) has been in effect since 2018, but starting on January 1, 2023, it’s getting a major update. Passed by voters in 2020, the California Privacy Rights Act (CPRA) adds a lot to the existing privacy law.
Here are the five biggest changes going into effect in 2023.
The CPRA has added two new privacy rights for consumers, and along with them come two new privacy requests that businesses must respond to.
Responding to these requests within the allowed time limit will take prior planning, especially in the case of requests to limit.
Global Privacy Control (GPC) is a browser signal that indicates a website visitor’s privacy preferences, in particular their desire to opt out of targeted advertising.
It is not a new concept introduced by the CPRA. The basic idea hearkens back to the failed Do Not Track standard that was developed in 2009 but never widely adopted. The term global privacy control actually comes from the original CCPA, which discusses the possibility that such a signal could exist in the future. In response to this, a consortium of tech companies developed the GPC standard, and it has already been implemented on many major websites.
What the CPRA has done is make it mandatory that businesses respond to the GPC signal from consumers’ browsers (and any other similar technology that may be developed in the future), and treat it as a valid request to opt out. There was some initial confusion about this, but the California Privacy Protection Agency has since clarified that respecting the GPC signal is not optional.
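What treating the signal as an opt-out can look like on the server, as an added example that is not from the original article. The `Sec-GPC: 1` request header comes from the GPC specification; the function names, tag names and stored-preference shape are assumptions made for illustration.

```javascript
// Node lowercases incoming header names; normalise anyway for other callers.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value.join(',') : String(value);
    }
  }
  return undefined;
}

// The GPC specification defines the header value as "1". Any other value is
// treated as "no signal"; a duplicated header folded to "1, 1" still counts.
function hasGpcSignal(headers) {
  const raw = getHeader(headers, 'Sec-GPC');
  return raw !== undefined && raw.split(',').some((v) => v.trim() === '1');
}

// Hypothetical policy: opted out if GPC is present or a stored opt-out exists.
function resolveOptOut(headers, storedPrefs = {}) {
  if (hasGpcSignal(headers)) return { optedOut: true, source: 'gpc' };
  if (storedPrefs.optedOut === true) return { optedOut: true, source: 'stored' };
  return { optedOut: false, source: 'none' };
}

// Decide what the page may load. Tag names are constructed placeholders.
function planResponse(headers, storedPrefs) {
  const decision = resolveOptOut(headers, storedPrefs);
  const tags = ['first-party-analytics'];
  if (!decision.optedOut) tags.push('targeted-ads');
  return {
    decision,
    tags,
    // The body now depends on the header, so shared caches must key on it.
    responseHeaders: { Vary: 'Sec-GPC' },
  };
}

// Constructed sample requests: signal set, signal absent ("0"), no header.
for (const h of [{ 'sec-gpc': '1' }, { 'Sec-GPC': '0' }, {}]) {
  console.log(JSON.stringify(h), '->', planResponse(h, {}).tags.join(','));
}
```

Recording the `source` of each decision gives the business a log of why targeted advertising was suppressed for a given request.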
One of the changes in the CPRA that may have the farthest-reaching consequences is the creation of the California Privacy Protection Agency (CPPA). As a first-of-its-kind government office in the United States, the CPPA is dedicated exclusively to CCPA enforcement.
With the power to impose administrative fines and create new regulations, the CPPA will have great influence over the privacy landscape. Once it fully takes over duties from the California Attorney General’s Office in July 2023, there is every reason to believe that CCPA enforcement will increase significantly.
Contract review will be a major component of CCPA compliance going forward. The law already required that contracts with service providers contain certain limitations on the use of personal information; the CPRA introduces contract requirements for all disclosures to third parties, contractors, and service providers.
Contracts must state that personal information is being disclosed for limited purposes, require the recipient to comply with all legal obligations under the CCPA, and give the business authority to verify the recipient’s compliance. Any disclosure not made pursuant to such a contract is unlawful.
An often-overlooked change included in the CPRA is the new purpose-limitation rule. Businesses must restrict their processing of consumers’ personal data to what is necessary and proportionate to achieve the purpose for which it was collected. If the business uses the data for another purpose, it must be compatible with the context in which it was originally collected.
For example, if a business collects personal information in order to provide cloud storage for photos, further using that data to develop facial recognition software would not be compatible with the original purpose, unless it was made very clear to consumers in advance.
Privacy compliance is a moving target for businesses. Every year, laws are amended and new laws are passed, and trying to thread a needle through all of the requirements becomes increasingly complicated. This is especially true for small and medium-sized businesses that don’t have an in-house legal team or tens of thousands of dollars to spend on attorneys.
TrueVault US simplifies privacy compliance across multiple jurisdictions. From a single dashboard, businesses can guide themselves to compliance—even if they are starting from scratch—and stay compliant with minimal effort.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.