[BreachExchange] CPRA explained: New California privacy law ramps up restrictions on data use

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 21 21:00:11 EST 2020


https://www.csoonline.com/article/3601123/cpra-explained-new-california-privacy-law-ramps-up-restrictions-on-data-use.html

In November, Californians approved a ballot measure, Proposition 24, a.k.a.
the California Privacy Rights Act (CPRA), to create a new consumer data
privacy agency. It puts California yet another step ahead of other states
in terms of privacy protections for consumers—and data security
requirements for enterprises. California already had a privacy law in
place, the California Consumer Privacy Act (CCPA), adopted in 2018. It went
into effect in January 2020, and enforcement officially began this past
July.

The CCPA was supposed to help keep California from passing a more stringent
privacy initiative via ballot. "CCPA is probably one of the leading privacy
laws in the US that protects consumers today," says Christophe Bertrand,
analyst at Enterprise Strategy Group, but it was originally supposed to be
more restrictive. "It was the product of many political negotiations that
weakened the final product."

That's not going to happen with the new law. Once passed, it can only be
strengthened, not weakened. It did pass. The CPRA was approved by voters
56% to 44%.

Surprisingly, there wasn't a lot of lobbying against the ballot initiative
by the big tech companies. "I think part of it is the dumpster fire of 2020
and the pandemic and the runup to the election," says Jessica Lee, partner
at Loeb & Loeb and co-chair of the firm's privacy and security practice. "A
lot of things were happening at the same time. Also, over the past couple
of years we've had a backlash against the big tech companies and a lot of
privacy scandals. So, for a tech company to come out against a privacy
bill, there are probably some PR and brand considerations."

In addition, the largest companies already must comply with Europe's
General Data Protection Regulation (GDPR). "It's not like it's a
business-crushing proposition for a lot of the big companies," she says.

CPRA toughens some requirements, reduces risk elsewhere

The CPRA toughens some requirements, brings California more in line with
the GDPR, and creates a new state agency—the California Privacy Protection
Agency. Previously, the state's attorney general dealt with consumer
privacy issues on top of all their other responsibilities. Data privacy now
gets a dedicated agency with a $10 million basic budget, plus it will also
get part of the fines and settlements it collects from companies that break
the law.

The law goes into effect on January 1, 2023, Lee says, and enforcement will
begin six months later. "Companies essentially have two years to prepare,"
she says.

Those two years might bring changes that result in additional scrutiny,
penalties and enforcement activities, says Orson Lucas, principal in
cybersecurity services at KPMG. That could be a result of evolution in the
technology and business landscape or other developments. "For example, if
there are a series of substantial breaches between now and January 2023,"
he says.

A couple of aspects of CPRA will reduce companies' potential risks and
liabilities. First, the CCPA applies to companies serving at least 50,000
California residents, households, or devices. The CPRA raises this to
100,000 and removes "devices" from that list, says Catherine Lyle, head of
claims at Coalition, a cyberinsurance company. Businesses won't be held
responsible for CPRA violations committed by third parties if certain
agreements are in place and the business partner themselves is in
compliance with CPRA, she says. "It could reduce your potential liability."

CPRA impact minimal for prepared companies

For companies that are already in compliance with 2018's CCPA—and
especially with Europe's GDPR—the changes will be minor. That's the case
for Branch Metrics, a global online marketing company that counts Airbnb,
Target and Yelp among its thousands of business customers. The company
processes billions of consumer records, putting it squarely in the law's
crosshairs.

"One thing that is nice about CPRA is that, in some ways, it more closely
aligns with GDPR than CCPA does," says Branch Metrics CEO Alex Austin. "So,
it's less of a heavy lift if your company has prepared for GDPR." That
means that the incremental changes it will have to make to comply with the
CPRA will be "relatively minor," he says. "It also helps that we have a lot
of time to make any required changes," he adds. "The law doesn't come into
force until 2023, and generally only affects data reaching back to 2022,
which means more than a year to get your house in order."

In general, Austin says, the more harmonization among the various privacy
laws springing up around the world, the better. "For companies operating
globally like Branch, any such closer alignment is a good thing."

New data minimization requirements

For some companies, the changes between the CCPA and the CPRA will be
significant, says Dan Frank, US privacy and data protection leader at
Deloitte. For example, take data minimization. The new rules prohibit
businesses from retaining personal information "longer than absolutely
necessary," he says. That's a problem, since when it comes to deleting
data, companies avoid it like the plague, he says. "Some data is good, more
data is better, all data is best." Data can be analyzed by machine learning
and AI systems and can help companies develop new products, services, and
applications.

Deleting data is a thorny issue. First, there are legal holds and other
regulatory and compliance requirements to retain data. Then there's the
technical side. "You've got all these interdependencies that exist across
systems that make deleting data scary," he says. "We don't want to break
anything."

What most organizations plan to do is to anonymize expired data, Frank
says. That way, it can still be used to train AI systems and may create
fewer dependency issues. "We'll see how that plays out in the long term,"
he says. "If that data can in any way be attributed back to an individual
-- directly or by inference -- then it's no longer anonymized. It's
challenging."

The law's use of the word "reasonable" is also a red flag. Who decides
what's reasonable? A strong data governance system can also help companies
address another aspect of the new law -- allowing consumers to correct
inaccurate data about themselves.

"This is a challenge if a company has not really streamlined its master
data management and doesn't have a gold record of that data," says Angela
Saverice-Rohan, Americas privacy leader at Ernst & Young. "If you change
certain data in one system, how will that impact all of your other
processes?"

New data sharing requirements

Companies will now also need to ensure that any business partners they
share data with also comply with the CPRA. Since part of the law involves
having reasonable cybersecurity measures in place, CISOs may need to get
involved, says Saverice-Rohan. "This is work that usually happens during
security risk assessments," she says.

Another big change has to do with how consumers allow their information to
be shared. Under the earlier CCPA, companies had to offer California
customers the opportunity to opt out of having their data sold to third
parties. Now, that includes all kinds of sharing, not just sales, says
Deloitte's Frank. "Consumers need to be able to opt out of particular uses
of personal information," he says. "If they do that, you have to be able to
stop using it which, if you think about it, is a pretty arduous task. It
makes data governance so critical. It's going to require fine-grained
consent management."

More liability exposure for data breaches

Another difference is that companies will have additional worries about
data breaches, says Frank. For example, breach liability now covers email
addresses when used in combination with a security question. If a data
breach involves information about minors, the fines can be tripled. "You
better know what information you have about children and apply enhanced
data protections in case of compromise," he says.

Both the original CCPA law and the new CPRA allow individual consumers to
sue companies after a data breach. Now people will have more potential
reasons to file these lawsuits, he says. "Maybe you collected more
information than I allowed you to," he says.

The CPRA also expands the potential for breach-related lawsuits in another
way, according to Alan Friel, a partner at the BakerHostetler law firm.
Under the CCPA, companies had a window of opportunity to fix problems after
consumers filed a complaint, he says. The law was a little confusing in
exactly what kinds of problems could be "cured" in this way.

Now, the CPRA clarifies that the right to cure does not include the ability
to avoid penalties by plugging security holes after a breach has occurred.
"If you fail to maintain adequate security, and you have a breach, and then
you remediate what caused that breach, you're still subject to private
right of action and statutory damages," Friel says. "That is definitely
going to be something that's welcomed by the plaintiffs' bar."

Another change is that consumers no longer must show that they were harmed
by a breach. "You could sue previously, but you had to show harm," Friel
says.

BakerHostetler is currently defending companies against several
privacy-related lawsuits in California. "We were much more successful in
knocking off the lawsuits where there was a harm standard," Friel says.
"Most consumers can't show actual monetary harm from a data breach, which
is why they get free credit monitoring. It's the banks and the retailers
that end up having the out-of-pocket costs -- consumers, generally, not so
much. The game changer here is that the mere fact that the breach has
occurred is sufficient harm for standing to bring a lawsuit."

Expect more privacy-related lawsuits

Companies have already started seeing privacy-related lawsuits. Last month,
children's clothing retailer Hanna Andersson agreed to a $400,000
settlement in response to a class-action lawsuit stemming from a 2019 data
breach. Other companies that have already been sued under CCPA include
Salesforce, Walmart, online stationery retailer Minted, the Sunshine
Behavioral Health Group, TikTok, Zoom, and Houseparty.

It's not just consumers and their lawyers that companies will have to
defend themselves against, says Ernst & Young's Saverice-Rohan. Even though
the CPRA itself won't be enforced until 2023, the new agency is expected to
go to work right away, enforcing existing laws. "In January, the new agency
will have the ability to enforce the existing CCPA," she says. "And they'll
be looking for actions. Enforcement isn't just likely. It's imminent -- and
it's happening in 2021."

Mid-sized companies are going to be particularly hard hit, predicts
Benjamin Wright, US attorney and senior instructor at the SANS Institute.
For companies with less than $25 million in annual revenue, the
requirements are less onerous, he says. "Giant companies can throw armies
of lawyers and compliance professionals at disputes." Middle-tier companies
don't have the kinds of economies of scale that would allow them to hire
armies of lawyers, he says.

Plus, depending on how much support the new agency gets from California's
other officials and legislators, it might not have the resources or talent
to go after the biggest targets. This is already happening in Europe under
GDPR, Wright says, with regulators often more likely to bring actions
against smaller and medium-sized companies.

"The giant companies can fight for years in court, whether it be in Europe
or in California," Wright says. "For regulators, it is very draining and
expensive to fight lawsuits for years. A weak agency that fights a lawsuit
for years against a powerful adversary can suffer a lot of staff turnover."

Opportunities for companies that comply with CPRA

CPRA isn't all bad for companies. "Expect smart companies to try to
leverage this as an opportunity to demonstrate their compliance and support
for privacy," says Steve Durbin, managing director at the Information
Security Forum.