Data privacy regulation is steadily becoming the rule and not the exception around the globe. The European Union enacted the General Data Protection Regulation (GDPR) in 2018 to protect data privacy for users originating from the EU and the United Kingdom’s Data Protection Act which was created the same year.
The United States has yet to create a universal framework for data protection. However, multiple states have joined the movement and are creating legislation to enforce penalties for entities that infringe on consumer data privacy rights in their state.
California is the leader in this endeavor, with arguably the strongest plan for data privacy enforcement in the United States. Their method began as the California Consumer Privacy Act (CCPA), and has evolved into the more robust California Privacy Rights Act (CPRA), which will be enforced starting January 1st, 2023.
To help companies and consumers better understand what to expect from this upcoming legislation, we spoke with Rick Arney, board member of Californians for Consumer Privacy (CCP), and co-author of both CCPA and CPRA. We sought to gain some clarity on how the CPRA will affect consumer data privacy.
Q: What caused the change from CCPA to CPRA in 2021?
Rick: In our journey to give consumers more power, we had a great market test of CCPA. We learned where any potential loopholes were and where stronger rights could be given to consumers. Rarely in legislation do you get to pass something, “market test” it, get feedback, and then directly improve upon open issues like we have done with CPRA.
Q: What do you think will change the most in regards to data privacy in 2022/2023?
Rick: There will be a greater awareness towards enforcement as the privacy commission gets up and running. I think companies that are subject to CPRA penalties will start getting more focused on the potential consequences of non-compliance. The privacy commission of California will have audit and subpoena power allowing it to find and sanction violations. As a result, many companies will have to rethink their approach to consumer privacy.
Q: What industries are being affected the most?
Rick: In terms of enforcement, my belief is companies that violate children’s privacy are probably going to be some of the initial targets. Any company buying or selling minors’ information should be focused very closely on how they are collecting and using such sensitive data.
With CPRA coming into effect starting January 1, 2022 (enforcement begins January 1, 2023), there needs to be a solution for companies that ensures compliance with these regulations to prevent potential monetary and legal consequences that can result from violating CPRA. Thankfully, comprehensive software is currently being developed to meet the needs of CPRA and benefit everyone involved: businesses, consumers, and CPRA regulators. Boltive Privacy Guard diagnoses and mitigates risks related to cross-context behavioral advertising so companies can confidently comply with CCPA, CPRA, and GDPR.
Check our blog soon for the 2nd half of this interview, where Rick shares how companies can best prepare for CPRA’s implementation and gives his personal take on the situation.