On November 3, 2020, Californians passed a ballot initiative to enact the California Privacy Rights Act (CPRA) of 2020. The CPRA amends and expands the California Consumer Privacy Act, known as CCPA. The CPRA’s obligations imposed on businesses become operative on January 1, 2023, and enforcement can begin on July 1, 2023. With the exception of consumer access requests, which may cover personal information collected under a longer look-back period, the new provisions of the CPRA will apply to personal information collected on or after January 1, 2022.
Virginia also signed the Consumer Data Protection Act (CDPA) on March 2, 2021, which is making Virginia the second state in the U.S. to pass a comprehensive data privacy law. This law will go into effect in 2023, on January 1. As expected, other states are also considering proposals, potentially creating a kind of privacy patchwork, as regulation standards and enforcement practices might vary from each other.
Enforcement of the Virginia CDPA falls solely to the attorney general. As for the future steps, the bill has been directed to the Joint Commission on Technology and Science to establish a work group to review the provisions of this act and issues related to its implementation. Findings of this working group will be reported by November 1, 2021. We are monitoring those updates and will revise our processes accordingly.
Like the CCPA, the CPRA protects the privacy rights and interests of consumers, which it defines as all California residents. Broadly speaking, the CPRA expands the scope and applicability of the CCPA. The CPRA slightly alters the scope of covered businesses. While the CPRA maintains the CCPA’s existing monetary threshold for application of annual gross revenue over $25 million dollars in the preceding calendar year, it changes some of the other thresholds.
The CPRA changes and expands consumers’ rights to control the collection, use, and disclosure of their personal information in a number of ways, including: Expanding the Right to Know and Modifying the Right to Delete.
The CPRA also creates new consumer rights:
CPRA establishes a new enforcement body, the California Privacy Protection Agency and requires additional rulemaking on a number of issues. The Agency will take over the responsibility from the Attorney and will start issuing regulations under CPRA. The CPRA sets a July 1, 2022 deadline for issuing final regulations.
As mentioned above, the Virginia Privacy Act and CPRA create new standards of data protection, including updates for data subject access requests (DSAR). To avoid non-compliance issues, companies need to recognize the importance of data subject rights and they need to be prepared to ensure secure execution of request rights. To exercise DSAR, there is a need for data subject identification. As these requests contain personal data, in order to avoid non-compliance,companies need to have safe methods for identification. This is where Veriff can play a pivotal role. To determine whether the identity of the person making the request is the same as the data subject rather than a third-party acting in malicious intent, Veriff helps companies conduct identity verification in a fast and secure way.