When the California Attorney General introduced the California Consumer Privacy Act (CCPA), a new era of consumer data regulation dawned in the US. To meet the CCPA compliance date of January 1, 2020, many organizations (including W. Capra) took the position that California would be the first of many states to introduce data privacy regulation, and that federal-level regulation would follow. With the introduction of two new state-level privacy laws, the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (CDPA), organizations will be put to the test as they work to integrate these new requirements into their existing privacy programs.
Breaking down the CPRA and the CDPA
There are many online resources available to help parse the intricacies of the regulations themselves. The intent of this writing is to help guide organizations through the operational gauntlet of compliance rather than to explicate the finer points of the regulations, but here are some key points of differentiation between the forthcoming data regulations:

| | CPRA (California) | CDPA (Virginia) |
|---|---|---|
| When does it go into effect? | January 1, 2023 | January 1, 2023 |
| Is there a lookback period? | Yes, the CPRA looks back to January 1, 2022 | None that we know of |
| Is business / employee data in scope? | Exemption is extended until January 1, 2023 | Consumer data only; B2B and employee data is out of scope |
| How do I know if this regulation applies to my organization? | If CCPA applied to your organization, CPRA likely applies | If your business controls or processes the personal data of at least 100,000 VA consumers, derives more than 50% of its gross revenue from the sale of personal data, or processes the personal data of at least 25,000 VA consumers, the CDPA likely applies to your business. |
If you do believe your organization is exempt from either the CPRA or the CDPA, W. Capra recommends confirming with inside or outside counsel that these regulations do not apply to your specific business model.
For those that are already compliant with the CCPA, additional actions will likely be required to become compliant with the CPRA. At the very least, an assessment should be conducted to establish the full scope of changes required for implementation.
While the regulation does not go into effect until January 1, 2023, W. Capra recommends acting now to address the lookback period that begins January 1, 2022. This lookback period means that any data collected in 2022 will be subject to the new CPRA regulations when the law takes effect on January 1, 2023. Danny Omiliak, who heads W. Capra’s Data Privacy Services, stressed, “Organizations will want to avoid the last-second scrambles that may have been part of their CCPA compliance efforts. While January 1, 2023 sounds like it’s eons away, from a project planning and assessment timeline perspective, it’s quite soon. When you add in the CPRA lookback period of January 1, 2022, and associated fines and penalties that will hit in 2023, planning takes on even greater importance.”
In addition to accepting Right to Know and Right to Delete requests, organizations will need to update their intake processes to account for the new consumer right to rectification. Organizations will also need to update their existing data maps to account for the new categories of sensitive personal information. Perhaps most importantly, the CPRA requires organizations to conduct annual privacy risk assessments and cybersecurity assessments, beginning in 2022. Danny added, “This item seemed like a toss-in within the CPRA, but is just as important for organizations to consider as they move forward in a climate in which our mindset regarding consumer privacy shows no signs of slowing.”
For further discussion on how to proceed with compliance or how to conduct your CPRA-mandated assessments in 2022, contact Danny at [email protected].