With California playing host to the IAPP's Privacy. Security. Risk. 2021, it was only fitting that the California Privacy Rights Act took center stage from the get-go. Attendees were treated Wednesday to a CPRA Comprehensive workshop, a full-day event dedicated to providing information and advice on what to expect when the law takes effect Jan. 1, 2023, and how to best prepare for compliance in the lead-up to the day.
The workshop's panel sessions covered some of the most obvious and pressing questions the CPRA is forcing companies to think long and hard about. The first half of the day focused on better understanding definitions and requirements for data access rights while the latter portion of the workshop went deep on more targeted aspects of the law, including an all-important look at potential CPRA enforcement.
Much has been made about the formation of the California Privacy Protection Agency, which will oversee CPRA rulemaking and enforcement, leaving many to forget the California attorney general's office is still in a position of power in coordination with the CPPA. California Supervising Deputy Attorney General Stacey Schesser, CIPP/US, made sure attendees understood the attorney general's role during her panel appearance Wednesday with Perkins Coie Partner Dominique Shelton Leipzig, CIPP/US, and Workday Chief Privacy Officer Barbara Cosgrove.
"This is a return to what we had typically done before CCPA, which is looking for cases that have significant impact on the California consumer population," said Schesser, who will join Leipzig and CPPA Board member Lydia de la Torre on one of P.S.R.'s opening session keynote panels Thursday to further expand on the state of California privacy law. "We go back to initiating civil actions, meaning it would go back to us initiating an investigation, sending out subpoenas and building our case. If there's a determination that we've proven our case that the law has been violated, we file a lawsuit."
The dawn of CPRA removes some attorney general responsibilities like CCPA cure notices, which will no longer be used under CPRA. Schesser noted there is "unusual language" in the CPRA creating a hierarchy of sorts between the attorney general's office and the CPPA that she said allows the attorney general to supersede the agency on matters it's involved in. Despite the ability to trump the CPPA, Schesser expects her office to "look at things in terms of affirmative litigation and broad impact."
Schesser also indicated the dual enforcement scheme will have no bearing on the allocation of staff or funding the attorney general's office has maintained, noting "a whole list" of California privacy laws that continues to grow. Regardless of who is bringing the enforcement, the panel outlined the very clear message that enforcement is on the way and preparations should be in progress.
"With any regulation, the key is making sure you have a strong compliance program so in the event of an enforcement action you can argue for the opportunity to cure by showing there's a lack of intent to commit a violation," Cosgrove said. "You shouldn't build a program out of fear of enforcement, but because you're trying to do the right thing with data. You're trying to gain consumers' trust around the data. That being said, you want to be able to demonstrate you comply with regulations. Just making sure you filled out internal processes while having policies and procedures in place."
Cosgrove stressed the importance of establishing a process for noncompliance notices and ensuring they get re-routed "quickly, as in immediately" to the responsible party within a company. That type of communication and process facilitation likely calls for executives to be in the loop and leading the charge, which Cosgrove said should be the case with privacy matters anyway in order to line up proper resourcing and avoid enforcement nightmares.
"You have to have that tone and understanding from the top," Cosgrove said. "We do regular updates for our executive team and put a full report out to our board of directors annually on privacy in terms of where we are, but also where we see the landscape going. It starts with the board and the executive team before embedding privacy champions throughout the company. That means when a decision is to be made, everybody knows the issues and it turns into a well-informed discussion."
Global Privacy Control considerations
Much has been made about CPRA provisions around the exchange of data, which now has two separate definitions with "sale" and "share," but it's the mechanisms for opting out of those exchanges that are causing headaches for companies. More specifically, the Global Privacy Control, a signal delivered through a browser extension that automatically allows users to exercise their rights to opt out of the sale of their personal information, is creating a stir.
In July, California Attorney General Rob Bonta updated the CCPA's FAQ page to include a requirement to honor GPC signals as a valid consumer request for halting the sale of personal data. This move generated mixed reviews, with the negative buzz focusing on how the added language for GPC did not match with the CCPA's "Do Not Sell" text.
The topic came up Wednesday in conversation between DLA Piper Partner Jim Halpert, IPG Kinesso Senior Vice President Sheila Colclasure, CIPP/US, and TripleLift General Counsel and CPO Julia Shullman. All three speakers were hopeful CPRA rulemaking would address the GPC dilemma, noting current adoption issues related to a mechanism perceived to be unproven.
"I just talked with someone at the (World Wide Web Consortium) and the standard has been introduced to one of their working groups there. My understanding is it's kind of languishing," Shullman said. "There's a lot of history with (Do Not Track) right now and it sounds like people are a little worried to take it up and spend the time on it given how burned they were by DNT."
The CPPA is expected to address GPC, an initiative co-led by CPPA Executive Director Ashkan Soltani, but the extent won't be known until July 2022 when the CPRA regulations are published. Colclasure said she'll begin her plan of action on GPC in January, noting advertisers and publishers should do the same.
"There's really two buckets of risk in my view here with procedural and impact risks," Colclasure said. "I'm thinking about procedural risks because they're really dangerous to us all. We don't know what's going to happen, what regulations are going to look like or how some of this is going to be interpreted. So my teaching point is to get ready for impact and begin engineering a process flow and resources while undertaking a very nuanced, rigorous and methodical walkthrough of each of these requirements, looking at the conservative stance and the looser stance."
Halpert ended up pressing Schesser on the attorney general's current views on GPC, to which Schesser simply referred back to the CCPA's text.
"You have to remember our focus is always about whether the law has been violated. If there is a signal that satisfies that portion of the regulation then we are looking at determining if a business complies with the law," Schesser said. "My understanding is the GPC satisfies it and now we are looking at enforcing with an eye on how companies are implementing the mechanism. I don't see this issue going away overall. There should be efforts to comply here in California though, first and foremost."