California’s latest privacy law will require companies to establish data retention schedules, renegotiate agreements with third-party vendors, and create new procedures for managing sensitive personal information.
Though most of the California Privacy Rights Act’s provisions take effect Jan. 1, 2023, attorneys say companies that don’t gear up now to put them in place may find themselves scrambling at the eleventh hour to implement a slew of changes that require extensive collaboration between their business and legal departments.
Changes to be implemented with the passage of the CPRA are certain to cause a headache for businesses, many of whom have just gotten a solid grip around the California Consumer Privacy Act, said Kristen Mathews, a privacy and data security partner at Morrison & Foerster LLP in New York.
The CPRA passed by ballot measure in November. It updates the CCPA, which was signed into law in 2018 and took effect Jan. 1, 2020.
“From the in-house counsel perspective, they’re already exhausted from having to implement back-end and front-end changes to comply with the CCPA, which they were doing throughout last year,” Mathews said. “To have to pick up the pen again and rework what they did is really frustrating.”
Although some changes, such as amending privacy policies, may take relatively little time, others—such as establishing retention schedules for different types of data—are more onerous to implement and require different departments within businesses to work together, Mathews said.
The law requires companies to disclose the length of time they intend to retain consumer data, which can be a heavy lift for companies without clear plans already in place. Creating or revising retention policies is “going to take some time for in-house lawyers” to make deals with business and logistics stakeholders within the company, Mathews said.
The CPRA also expands the obligation of data controllers—companies—to audit their vendors. Though contracts may have provided for audits, companies will be more eager to perform them with an audit provision in law, said Brian Kint, a technology, privacy, and data security attorney at Cozen O’Connor in Philadelphia.
“There are steps that companies can take upfront to say, ‘If we get audited, this is what the process could look like,’” Kint said. Having the right documentation helps ensure that “once these audit rights start popping up, companies are ready rather than scrambling to try to throw together audit compliance,” he said.
And those businesses that may not have been affected by the CCPA—due to its definition of “sell” as it relates to data—may find themselves looped into CPRA obligations with its expanded “share” definition, Kint said.
Plus, exemptions to business-to-business data and employee data are set to expire Jan. 1, 2023 and aren’t likely to be extended, said Gretchen Ramos, co-chair of Greenberg Traurig LLP’s data, privacy, and cybersecurity practice in San Francisco.
Many companies that “back-burnered” those processes due to the exemption now need to understand how data is flowing in those two areas to ensure CPRA compliance, Ramos said.
While companies can and should get started on compliance now, the new privacy agency established under the CPRA hasn’t yet begun to issue regulations that will sway certain business and legal decisions necessary to comply with the new law.
But that doesn’t mean businesses should wait until summer 2021, when the agency is expected to begin rulemaking, to gear up for compliance, said Jeff Dennis, head of Newmeyer & Dillion’s privacy and data security practice.
“Sit down with your stakeholders and counsel and come up with a cohesive compliance plan,” Dennis said. “Even if you don’t know all the specifics, you know what dates you need to hit, where you’re going, who’s going to be involved and in what aspects.”
Companies need to conduct or refresh their data maps to understand where data is moving and how, said Ashley Shively, a privacy attorney and class action litigator at Holland & Knight LLP in San Francisco.
“To the extent that your mapping in 2019 and 2020 wasn’t comprehensive, you’re going to need that information come 2023, so starting that map and getting your arms around that now is important,” she said.
In-house counsel also should spend time this year better understanding what data is shared with third-party vendors, Shively said. They should categorize vendors in terms of risk to prioritize time and resources, she said.
Some businesses, too, may have dozens or hundreds of contracts with vendors and should start working to refresh those now, Ramos said.
“You don’t need to put 100% of your team on this right now, especially if you’ve already done good work for CCPA compliance,” Ramos said. “But 2023 will be here before we know it.”