California’s new privacy agency means a fresh set of regulatory headaches for tech companies and other businesses operating in California that are already grappling with the state’s landmark 2018 law.
The new regulator was established with the passage of the Proposition 24 ballot measure on Tuesday to police California’s broad data privacy laws. Companies need to be more diligent about their data retention and sharing practices or risk hefty fines of as much as $2,500 per violation or $7,500 per intentional violation.
“The law is chock full of new things,” said Kristen Mathews, a privacy and data security partner at Morrison & Foerster LLP in New York. “Most of the provisions require extra compliance, and it’s a big lift for businesses.”
How hard the agency clamps down depends on whether it gets enough funding and how quickly it can get up and running.
The agency will receive $5 million in its first fiscal year and $10 million in each subsequent fiscal year from the state’s general fund. Ireland’s Data Protection Commission, by contrast, had a 2020 budget of about $20 million, according to a commission spokeswoman.
Who staffs the new agency’s five-member board and what role it plays in day-to-day operations could also impact the tone of enforcement, said Cathie Meyer, a cybersecurity and privacy attorney at Pillsbury Winthrop Shaw Pittman LLP in Los Angeles.
Under the ballot initiative, companies must publish the retention periods for the various kinds of personal data they capture, Mathews said. That may be a big hurdle, given the complexity of businesses’ systems and the way data flows through their infrastructures, she said.
The measure also gives consumers the right to opt out of their data being shared for “cross-context behavioral advertising,” or targeted advertising, even if it’s not being explicitly sold, Mathews said.
That’s likely to impact companies in the ad tech industry, which consists of advertisers and the businesses that run those platforms, such as
Outside of additional requirements for businesses, the new law eliminates a 30-day “cure period” that existed under the California Consumer Privacy Act. That window gave businesses the leeway to confer with the attorney general and remedy any poor data practices before an enforcement action.
The lack of the cure period “heightens the legal risk around compliance,” said Ashley Shively, a privacy partner at Holland & Knight LLP in San Francisco. “An action could be filed without any warning.”
The new agency will also issue regulations requiring risk assessments for businesses whose processing of consumer data “presents significant risk” to their privacy or security.
Silicon Valley giants and financial technology companies could find themselves saddled with annual cybersecurity audits as a result, said Jerel Pacis Agatep, an associate at Jackson Lewis P.C. in San Francisco.
The new law doesn’t take effect until Jan. 1, 2023, but personal information collected by businesses starting Jan. 1, 2022, would be largely fair game. Businesses should take advantage of the time between now and then to make sure they’re not missing anything, Mathews said.
“Companies are going to have to sit down and figure out what the delta is between the CCPA and the CPRA,” she said. “That involves revising privacy policies and changing back-end practices.”
While the California privacy law is the toughest in the U.S., companies could face even stronger enforcement if federal legislation is crafted or if a law similar to the European Union’s General Data Protection Regulation passes, Agatep said.
“I don’t think this law is going to be the end of it,” he said. “I truly think California is inching toward a more GDPR-like law.”