This article shares highlights of the on-demand webinar, “CPRA & the 2023 Alphabet Soup of U.S. Privacy Regulations.View the full webinar here. 

California’s enactment of the California Consumer Privacy Act (“CCPA”) in 2018 signaled a fundamental shift in the U.S. approach to privacy. As of 2023, California has added protections via the California Privacy Rights Act (“CPRA”), and several states have adopted their own state consumer privacy laws.

GDPR principles are coming to the U.S., and it’s important for businesses operating domestically and internationally to learn about the constantly evolving requirements and get familiar with the steps that we need to take for compliance.

We recently hosted a webinar to explore the latest developments in U.S. privacy laws with featured speaker Jenny Sheridan, Principal, JL Sheridan Law. Set in the context of a hypothetical B2B SaaS company analyzing its to-dos for CPRA and other state privacy law compliance, we explored:

  • An Overview of the U.S. privacy law landscape coming into 2023
  • New rights under CPRA (e.g., employee data, sensitive personal information, automated decision-making, etc.)
  • High-level overviews of the other U.S. state privacy laws.

Here are some key highlights from the discussion:

Privacy Compliance in California and Four Additional States

In 2018, California passed the first consumer privacy law of its kind in the U.S. – the California Consumer Privacy Act (“CCPA”). The CCPA took effect in 2020. It has since been amended – pretty significantly – by the California Privacy Rights Act (“CPRA”). The CPRA modifications to the CCPA took effect in January 2023. And four more U.S. states have followed California’s lead passing privacy laws as well: Virginia, Colorado, Connecticut, and Utah.

GDPR Is Coming

One overarching theme is that GDPR principles are coming to the U.S., as seen in the recently passed new state consumer privacy laws. While California opted to create some new terminology, the VA, CO, CT, and UT state laws have incorporated existing GDPR terminology (e.g., data controller, data processor). While California originally took a less restrictive approach, the CPRA amendments and new state laws have begun to incorporate some GDPR principles (e.g., purpose limitation, data minimization, opt-in consent). It’s a new world that we’re seeing in 2023 with this GDPR influence. And whether States’ interpretation and enforcement will follow EU precedent remains to be seen.

What Are The New Consumer Rights Under the CPRA Amendments?

  • The original CCPA moratorium, which provided exemptions for B2B and employee data, expired on January 1, 2023.
    • B2B Customer’s personal information is now covered and treated like any consumer data, requiring the same notices and same rights.
    • Employee information is now covered and treated like any consumer data, requiring the same notices and same rights.
  • The consumer has the right to request that a business correct any inaccurate personal information.
  • The consumer has the right to limit the use and disclosure of their sensitive personal information (“SPI”).
    • SPI categories unique to California: government IDs, consumer log-in, financial accounts, debit/credit # and required security/access code, consumer’s email content unless business intended recipient.
    • Other categories of SPI common to California and the other US state laws includes precise geolocation; racial/ethnic origin, religious, philosophical, union membership; genetic, biometric, and health data/sex life/sex orientation data. Personal data of a known child is included in these other US state laws and not California as SPI.
    • CA has an opt-out right for SPI.
      • In CA, the covered business that is collecting SPI, has to offer the consumer the right to limit the use of the sensitive PI subject to certain exceptions; one important exception is to “perform the services or provide the goods reasonably expected by an average customer.” For example, a company offering genetic testing services could collect the sensitive information necessary to provide the services without offering the right to limit the use of that sensitive information.
      • The other states have followed GDPR’s opt-in approach, where they need to obtain the consumer’s prior consent to process the SPI.
      • This “split” creates questions about harmonization across that states where the most likely approach for processing SPI will be to implement an opt-in approach.
  • Risk Assessments for High-Risk Data Processing.
    • In CA, if you are a business engaging in high-risk data processing, you have to perform a risk assessment. Comparable to the GDPR DPIA requirements. The new California Privacy Protection Agency (“CPPA”) will create rules that will help lawyers understand mechanically the requirements of the risk assessments.
    • VA, CO, CT have risk assessment requirements and get more specific about what is considered high-risk data processing, including such activities as targeted advertising or processing sensitive data.
  • The consumer has the right to request information about and the right to opt out of automated decision-making (“ADM”).
    • CPPA will adopt regulations “governing access and opt-out rights” with respect to businesses’ use of ADM technology.
    • VA, CO, and CT have similar provisions.

Jenny’s Updated Checklist in 2023

Jenny shared the checklist that she uses to address these updates with her clients:

  1. Engage with HR and go through Employee Data for California to provide required notices / update employee manuals.
  2. Revisit the client’s business and confirm understanding of data and use.
  3. Revise the privacy policy to look more like B2C policies for B2B companies in CA.
  4. For B2C companies, consider adding the applicable rights for VA, Colorada, CT and Utah consumers.
  5. Evaluate whether the client needs the “do not sell” and “do not share” buttons.
  6. Evaluate whether the client is processing any SPI? If you are going to assert an exemption, you should document your assessment and analysis.
  7. Evaluate whether there is High-Risk Data Processing. Do you need to do a risk assessment?
  8. Evaluate whether the client is using ADM and be prepared to respond to requests about the ADM.

Tips for Staying Up To Date

Need additional support in this area of your business? Contact us today for project support with our flexible legal talent solutions. And be sure to follow Paragon Legal on LinkedIn, and feel free to reach out to us with questions.

This article shares highlights of the on-demand webinar, “CPRA & the 2023 Alphabet Soup of U.S. Privacy Regulations.View the full webinar here.