Sorry to disappoint anyone who hoped that California’s revised privacy law would make it easier for Americans to comply with privacy laws. This is not the case. Instead, it appears that the California Privacy Rights Act (CPRA), which goes into effect on January 1, will further complicate matters regarding privacy.
According to Sarah Bruno, a lawyer at the law firm Reed Smith, on the most recent Digiday Podcast, “CPRA is this particular kind of beast that has complicated privacy for enterprises in the U.S.”
The distinction between the terms “contractor” and “service provider” as used under the CPRA has to be clarified. “A service provider is a business that processes data on your behalf, whereas a contractor is a business to which you submit data. I guess that’s not quite clear. On that, we need further clarification,” Bruno added.
California’s current privacy law, the California Consumer Privacy Act (CCPA), which went into effect in 2020, is clarified in certain ways by the CPRA. It addresses data sharing for cross-contextual behavioral advertising purposes, resolving the CCPA’s Rorschach-like definition of sale that put Sephora in the sights of the attorney general of California.
According to Bruno, the CPRA’s inclusion of data sharing has “eliminated the concern that we had with [the CCPA’s definition of] sale.”
The lack of a comprehensive federal privacy law continues to be the most significant complicating element, even though the CPRA may complicate the U.S. privacy picture for businesses. Bruno stated, “Until there is a federal statute that addresses this, we’re still going to have these complexities.”
Here are some of the conversation’s highlights, which have been condensed and modified for clarity.
Enforcement expectations
I do anticipate seeing a lot more enforcement. I sincerely hope for a more leisurely start, giving businesses the chance to respond as in the case of letters. But I do believe that enforcement will be far more vigorous and swift than it was under the CCPA. There was a right to cure under the CCPA. A cure right no longer exists.
The Sephora repercussions
I believe that the Sephora ruling allowed many internal legal departments to suddenly say, “Look, this is significant.” A rapid decision under the CCPA was made at some point, and as a result, decisions are now flowing out of California. Regarding the data flows and their utilization, there is now a more careful investigation.
A patchwork of state-level privacy laws
There are particular rules for every state. In the states, “sensitive personal information” is defined differently. Therefore, you must complete your data inventory, check the appropriate boxes for each state, and then think about the compliance procedures you must take. It’s difficult for these businesses.
The potential for a U.S. federal privacy law
This is heavily influenced by the political environment. I believe that current events, such as the Dobbs decision [by which the Supreme Court reversed Roe v. Wade], may prompt further consideration of consumer privacy and a requirement for a more uniform framework at the state and federal levels. However, I haven’t heard anything to suggest that’s been papered as of yet.