Lost in the noise of the recent U.S. Presidential election was the fact that California residents passed Ballot Proposition 24, which created the California Privacy Rights and Enforcement Act (CPRA) -- and created a whole lot of potential headaches for any company doing business on the Internet. If you're on a legal team for an organization that deals with online data, you need to get a handle on the CPRA as soon as possible.
If the CPRA sounds familiar, that's because it's a follow-on to the CCPA, the California Consumer Privacy Act, which passed just two years ago. The CCPA was passed by California privacy advocates to create online data protections similar to those found in the European Union's General Data Protection Regulation (GDPR).
The CCPA differed from the European law in two main areas: the California law did not create a standalone privacy enforcement authority, but instead charged the state Attorney-General with enforcing the provisions of the act; and the new law allowed any resident of California to ban online companies from selling their personal data.
That second part is the critical feature here, because the CCPA rather broadly defines "selling data" as collecting information about your online users and then giving any part of that data to anyone else in exchange for anything else. You don't have to explicitly hand over usernames in exchange for cash. By some accounts, a user requiring that you not sell their data means you can't show them ads, because all online ads track how many people view them.
The California Attorney-General's office has been moving slowly to implement such a wide-ranging law, so the CPRA took that responsibility off the AG and created a new agency, which means enforcement will be swift and constant when the law takes effect on Jan. 1, 2023.
Here's what the CPRA requires of any online data collector:
- If an online user asks for a complete record of what data you've collected on them and who you've shared it with, you have to provide that record.
- If an online user tells you to stop selling their data, you have to stop immediately, and keep records to prove your ongoing compliance.
- If an online user asks you to delete all the data you have on file about them, you have to both delete their information and show proof the data was purged.
- You cannot send an online user's data to any other online providers that don't comply with the CPRA.
All of this will require intricate, real-time data mapping for every online service and application. But, more than that, your legal team will have to show that your legal agreements -- including terms of service and privacy policies -- not only match the CPRA, but also match your data maps.
If you switch from Amazon Web Services to Digital Ocean, you not only need a strict record of when that changeover occurred and which users it affected, but proof your user agreements were updated in lock-step with that change.
To do so, you're going to need sophisticated data-mapping software and real-time contract analysis software. The former will clearly show whose data goes to what systems in which situations. The latter will show that your contracts cover every use case on those data maps, and have been updated for any changes to your data flow.
If you're ready to address the legal half of that problem, LinkSquares is here to help. With our cutting-edge artificial intelligence, we can locate the relevant clauses in each of your legal agreements and help you organize and categorize every contract that is impacted by the CPRA -- at the speed and scale of software.
If you're ready to get a handle on your CPRA liability as quickly and accurately as possible, contact LinkSquares today.