Update to California's Data Privacy Laws Could Have Wide Reach

It may not have been the most notable news to come out of last week’s U.S. elections, but the passage of an amendment strengthening existing rules about data privacy is a clear sign of consumer concern about how their data is being gathered, stored and used.

On Nov. 3, a majority of California voters marked their ballots in support of the California Privacy Rights Act (CPRA), which will replace the existing California Consumer Protection Act (CCPA) and expand its regulations.

“Prop 24 is the first step in allowing consumers to control where and how their data is used,” said Fleming Shi, CTO of IT security company Barracuda Networks. “Although we’ve seen the privacy versus data use argument play out through the years, this shows that California is willing to put a larger stake in the ground.”

Changes to CCPA

Under the CPRA, fines against companies that break data privacy rules will be increased. California will also create an agency that will work with its justice department to enforce the laws. Consumers will be able to request that a company not share their personal data, and to request corrections to any incorrect data being stored or used.

The CCPA, which came into effect at the beginning of the year, faced significant opposition from tech companies based in or operating in California. Data collection, analysis and use are a significant part of the business model for many tech giants, and will only become more important as investment in machine learning continues to grow.

“The good news about Prop 24 is it doesn't go into effect until January 2023, so companies have time to update their privacy practices to comply with the new requirements,” said Ruth Carter, an Arizona lawyer who focuses on internet law. The creation of a dedicated agency is of note because it could create more bandwidth to go after those in violation of the act, Carter said.

But while there is time, companies shouldn’t sit back and wait for the act to go into effect, said Max Pruger, the general manager of compliance at Kaseya.

“Organizations should create a forward-thinking compliance strategy and seek out integrated, automated solutions that allow them to easily document necessary information and due diligence on an ongoing basis,” Pruger said. Waiting to get compliant until it’s absolutely necessary will leave companies behind the curve, he said.

There are also implications for cybersecurity, Shi said. To stay ahead on those aspects, companies should address security needs in all three states of data (at-rest, in-transit, in-use), understand who can access data, give employees ethics training on using data sets and encourage software developers to pay better attention to data handling.

Wider Implications

The new rules also hold the potential to have an impact well beyond California. Microsoft already pledged to follow the CCPA regulations in its operations across the country, and other jurisdictions will watch where California goes next.

“If other states pass their own privacy laws, hopefully they will be similar enough to the existing laws so that they won't be in conflict with each other,” Carter said.

With a vice president from California about to enter the White House, and some appetite for national action on data privacy, it could influence the conversation in Washington, D.C.

“CCPA and Proposition 24 are just two examples of how states are addressing privacy rules, and it’s only a matter of time before the federal government passes an equivalent to GDPR [the EU's General Data Protection Regulation],” Pruger said.