To anyone hoping that California’s updated privacy law would help simplify privacy compliance in the United States, sorry. This does not seem to be the case. Instead, California’s Privacy Rights Act (CPRA), which takes effect January 1, looks set to blur the privacy landscape even further.
“CPRA is this unique type of beast that has made privacy significantly more complicated for organizations in the United States,” said Sarah Bruno, partner at law firm Reed Smith, on the latest Digiday podcast.
One aspect of the CPRA that needs to be clarified is the difference between the statute’s “contractor” and “service provider” labels. “A processor is a company to which you make data available, and a service provider is a company that processes data on your behalf. It’s not super clear, is it? We need more clarity on this,” Bruno said.
The CPRA clarifies certain aspects of California’s privacy law, the California Consumer Privacy Act (CCPA), which came into effect in 2020. It covers data sharing for the purposes of cross-context behavioral advertising, which helps resolve the CCPA’s Rorschach-esque definition of sale that put Sephora in the crosshairs of the California attorney general.
CPRA’s addition of data sharing has “removed the issue we had with [the CCPA’s definition of] sale,” Bruno said.
Further, as much as the CPRA may complicate the privacy picture in the United States for businesses, the most significant complicating factor remains the lack of a comprehensive federal privacy law. “We’re still going to have those nuances until there’s a federal law that deals with that,” Bruno said.
Here are some highlights from the conversation, which have been edited for length and clarity.
I think we’re going to see a lot more application. I certainly hope for a softer start, similar to letters being written, an opportunity for businesses to fight back. But I think we’re going to see a lot more application and faster than we did under the CCPA. With the CCPA, there was a right to cure. There is no longer any right to cure.
The repercussions of Sephora
The Sephora decision was another one that I think caused a lot of those in-house legal departments to suddenly say to themselves, “Listen, this is important.” There are now decisions coming out of California because someone made a quick decision under the CCPA at some point. There is now a more thoughtful analysis of data streams and how they are used.
A patchwork of state-level privacy laws
Each state has unique requirements. The definition of sensitive personal information is different in the states. So you need to take your data inventory and tick the boxes for each state, then think about the compliance measures you need to take. It’s brutal for these companies.
The potential for a US federal privacy law
The political climate obviously dictates a lot. I think what’s going on with the Dobbs decision [through which the Supreme Court overturned Roe v. Wade], things like this can trigger additional thinking when it comes to consumer privacy and the need for a more consistent framework across all states and at the federal level. But I haven’t heard anything to indicate that it’s documented at this point.