For anyone hoping that the updated California Privacy Act would help simplify privacy compliance in the US, I’m sorry. That doesn’t seem to be the case. Instead, the California Privacy Rights Act (CPRA), which goes into effect on January 1, appears to be clouding the privacy landscape even more.
“CPRA is this unique breed of beast that has made data protection significantly more difficult for organizations across the United States,” Sarah Bruno, a partner at law firm Reed Smith, said in the latest Digiday podcast.
One aspect of the CPRA that requires clarification is the difference between the legal terms “contractor” and “service provider”. “A contractor is a company to which you provide data and a service provider is a company that processes the data on your behalf. That’s not entirely clear, is it? We need more clarity on that,” said Bruno.
The CPRA does clarify some aspects of California’s existing privacy law, the California Consumer Privacy Act (CCPA), which went into effect in 2020. It covers data sharing for cross-context behavioral advertising purposes, which helps resolve the CCPA’s Rorschach-like definition of a sale that put Sephora in the crosshairs of the California Attorney General.
The CPRA’s addition of data sharing has “eliminated the issue we had with [the CCPA’s definition of] sale,” said Bruno.
That being said, as much as the CPRA may muddy the picture of privacy for US companies, the more important complicating factor remains the lack of a comprehensive federal privacy law. “We’re still going to have those nuances until there’s federal law that addresses that,” Bruno said.
Here are some highlights from the interview, edited for length and clarity.
I think we’re going to see a lot more enforcement. I’m definitely hoping for a softer start, similar to letter writing, a way for companies to defend themselves. But I think we’re going to see a lot more enforcement and faster than under CCPA. With CCPA there was a right to a cure. There is no longer a right to a cure.
The Sephora Impact
The Sephora decision was another one that I think allowed a lot of those in-house legal departments to suddenly say, “Look, this is important.” There are decisions out of California now because someone at some point made a quick decision under CCPA. Now there is a more thoughtful analysis in terms of the data flows and how they are used.
A patchwork of state-level privacy laws
Each state has unique requirements. The definition of sensitive personal information varies across states. So you need to inventory your data and tick the boxes for each state and then consider what compliance measures you need to take. It’s brutal for these companies.
The potential for a US federal privacy law
The political climate obviously dictates this strongly. I think what’s going on with the Dobbs decision [through which the Supreme Court overturned Roe v. Wade], things like this can prompt additional considerations related to consumer privacy and the need for a more consistent framework across states and federal states. But I haven’t heard anything to suggest that this is going to be put on paper at this point.