How can a law that goes into effect Jan. 1, 2023, already be in effect as of this past Jan. 1? When it’s the California Privacy Rights Act (CPRA) and contains a “look-back period.” If you’re handling the personal data of Californians, you should already have a data-management plan in place that keeps you in compliance.
In November 2020, California voters passed the CPRA and substantially increased the number of companies who would be covered by California’s privacy regime.
Previously, the California Consumer Privacy Act (CCPA) was largely focused on businesses that bought and sold consumers’ personal information. The CPRA, however, amended the CCPA to include:
- All businesses doing business in California with $25 million in gross revenues the previous calendar year (previously, it was unclear which time period for the $25 million threshold applied).
- All businesses that buy, sell, or share (importantly, “share” is new here) the personal information of 100,000 or more California consumers.
- All businesses that derive 50% or more of their revenue from selling or sharing consumers’ personal information (again, “share” is new here).
Perhaps your organization wasn’t covered previously, but is now. The good news is that you still have a year before the various requirements of the CCPA and CPRA apply to you, such as “data subject access requests,” where consumers can ask for a copy of everything you know about them, or data deletion requests, etc. (go here for a good rundown on CCPA/CPRA if this is all new to you). CPRA’s changes don’t take effect until Jan. 1, 2023.
However, it’s vitally important that you get your data management in excellent working order immediately because of what’s known as the “look-back period” in the CPRA.
When the CPRA goes into effect on Jan. 1, 2023, consumers gain, on that date, a right to all of the data you have ever collected about them going back to Jan. 1, 2022. Those 12 months are the “look-back period.”
That means if you haven’t started tagging and tracking your data correctly so that you can retrieve the appropriate data on demand on Jan. 1, 2023, there could be serious consequences — including fines of up to $2,500 for each violation (or $7,500 per violation if it can be proven you intentionally were out of compliance).
Your privacy-focused data-management system really needs to be underway.
What does that mean? In all likelihood, you have personal data in many different locations: servers, hard drives, cloud services, etc. Are you able to find everything you have regarding John or Jane Smith and provide it to them within 45 days, making sure that it’s all about that specific individual and not someone else with a similar name?
Can you provide your requestor with a list of the categories of business (social media provider, telecommunications provider, etc.) with which you have shared their information?
If someone were to ask you to delete all of their data on Jan. 1, 2023, will you be able to delete everything you have about them going back to Jan. 1, 2022, and also reach out to everyone you’ve shared that data with and make sure they delete it, too?
If you can’t, you need some way to find the data of individual customers (and employees and former employees) and track everyone who has access to it. If you didn’t put that process or technology in place by Jan. 1, 2022, it will be that much harder to comply as soon as the clock strikes midnight on Jan. 1, 2023. The longer you wait, the more you’ll be playing catch-up and struggling to comply with the look-back period, that’s for sure.
And while enforcement might not begin until July 1, 2023, regulators are unlikely to look kindly on an organization that failed to prepare for the law when there has been a year to do so.
Even if you already feel like you’re complying with the CCPA, you should at least make sure to tweak your metadata to ensure you’re appending data with the categories of business that you share each piece of personal data with (not just buy or sell) and tweak your data retention policies to accommodate the change in the law that moves the amount of data you need to provide to customers and employees from “everything in the last 12 months” to “everything you’ve ever collected back to Jan. 1, 2022.”
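As an added illustration of the tagging and tracking described above (not code from the original post): a minimal inventory in which every record carries a stable subject id, an intake date and the categories of business it was shared with, so that an access request returns only data collected since Jan. 1, 2022, a categories query answers the “who did you share it with” question, and a deletion request also yields the recipients that must be told to delete. The record layout, the class and the sample records are assumptions made for this demonstration.

```python
from dataclasses import dataclass
from datetime import date

LOOK_BACK_START = date(2022, 1, 1)  # first day of the CPRA look-back period


@dataclass(frozen=True)
class PersonalDataRecord:
    subject_id: str          # stable internal id, not a name: avoids "other Jane Smith" mix-ups
    collected_on: date       # intake date; drives the look-back filter
    field_name: str
    value: str
    shared_with: tuple = ()  # categories of business this record was shared with


class DataInventory:
    def __init__(self):
        self._records = []

    def ingest(self, record):
        self._records.append(record)

    def access_request(self, subject_id, since=LOOK_BACK_START):
        # Everything held about one subject, collected on or after the look-back start
        return [r for r in self._records
                if r.subject_id == subject_id and r.collected_on >= since]

    def shared_categories(self, subject_id, since=LOOK_BACK_START):
        # Categories of business that received any of this subject's in-scope data
        cats = set()
        for r in self.access_request(subject_id, since):
            cats.update(r.shared_with)
        return sorted(cats)

    def deletion_request(self, subject_id, since=LOOK_BACK_START):
        # Drop in-scope records and return the recipient categories that must also delete
        to_notify = self.shared_categories(subject_id, since)
        self._records = [r for r in self._records
                         if not (r.subject_id == subject_id and r.collected_on >= since)]
        return to_notify


def build_sample_inventory():
    # Constructed sample records for the demonstration, not real customer data
    inv, R = DataInventory(), PersonalDataRecord
    inv.ingest(R("cust-001", date(2021, 11, 3), "email", "j.smith@example.com"))
    inv.ingest(R("cust-001", date(2022, 3, 14), "phone", "+1-555-0100", ("telecommunications provider",)))
    inv.ingest(R("cust-001", date(2022, 6, 2), "interests", "hiking", ("social media provider",)))
    inv.ingest(R("cust-002", date(2022, 6, 2), "email", "jane@example.com", ("telecommunications provider",)))
    return inv
```

The 2021 record for `cust-001` falls outside the look-back window and is therefore neither returned nor deleted by default; widening `since` is how an organization would choose to go beyond the statutory floor.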
If you put technology and process in place now so that everything you are collecting is tagged and tracked appropriately back to intake on Jan. 1, 2022, you’re going to find your anxiety levels greatly reduced on Jan. 1, 2023. The longer you wait, the more work catching up will be.
And if your plan is to figure it out later, you might find yourself with a headache on New Year’s Day 2023 for more reasons than one.
Any opinions expressed here and statements made are not legal advice, nor representations or warranties, and are intended to promote discussion around technology and data protection.