Since the General Data Protection Regulation (GDPR) came into effect in May 2018, US state privacy laws have been passed in Virginia, Colorado, Connecticut, Utah and, most pressing of them all, California. The California Privacy Rights Act (CPRA) went into effect on January 1, 2023, amending and expanding the existing California Consumer Privacy Act (CCPA). To make things more complicated, enforcement of CPRA does not begin until July 1, 2023, and the final regulations have not yet been approved. The newly formed California Privacy Protection Agency hopes to release the final rules in April 2023. Even with the final rules pending, it is recommended that you review these changes now to ensure your company is in compliance.
CPRA applies to for-profit businesses that do business in the state of California and collect personal information from California consumers. The threshold requirements a business must meet have changed from the CCPA. A business is covered if it meets any one of the following: it exceeded $25 million in gross revenue in the preceding calendar year; it buys, sells or shares the personal information of 100,000 or more consumers or households; or it derives 50% or more of its annual revenue from selling or sharing personal information.
Among the other changes that come with this amended act are the right to limit certain uses and disclosures of sensitive personal information, rights regarding the use of automated decision-making technology, stronger child privacy provisions and expanded notice requirements. One notable new requirement is that a business must pass consumer deletion requests on to the service providers, contractors and third parties to which it has sold or shared the data. This calls for vendor management reviews to ensure these third parties are identified, monitored and held accountable for their contractual and control requirements. CPRA also adds audit requirements: businesses whose processing presents significant risk to consumers' privacy or security must perform annual cybersecurity audits and submit regular risk assessments, and adopting these practices early is advisable regardless of whether your business meets that risk threshold.
Even though CPRA is on most minds, the Virginia law (the Consumer Data Protection Act) should not be overlooked. The law, passed in 2021, became effective in January 2023 and applies to consumer (B2C) data but not to employee or B2B data. Colorado's privacy law, which closely resembles the Virginia law, takes effect in July 2023. In addition, privacy bills have been introduced in Michigan, Ohio, Pennsylvania and New Jersey.
If you are required to comply with CPRA, do not wait to begin your diligence. Compliance with this law requires numerous data inventory, security and risk assessment activities that cannot be completed at the last minute.
Gina Gondron, CIA, CISA, CDPSE, is a Partner in Frazier & Deeter’s Process, Risk and Governance Practice. Gina oversees third party assurance compliance activities for companies of various size and across a variety of industries, with an emphasis in healthcare and technology. Contact Gina at email@example.com