2023 is set to be a big year for data privacy. Not only will several new and long-awaited state laws come into force, including the Utah Consumer Privacy Act (UCPA), the Connecticut Data Privacy Act (CTDPA) and the Colorado Privacy Act (CPA), but one of the country's most prominent pieces of consumer privacy legislation, the CCPA, will also take on a new form.
The CCPA and CPRA
After setting a precedent for the government's role in protecting users' data when the California Consumer Privacy Act (CCPA) was signed into law in June 2018, California is moving forward with a major update to that law. The California Privacy Rights Act (CPRA) amends and expands the CCPA rather than replacing it, so what businesses will have to comply with is the CCPA as amended by the CPRA.
The CPRA, approved by California voters as Proposition 24 in November 2020, is aimed at bringing the nearly five-year-old law into line with today's technology and risks.
Its provisions go into effect on January 1, 2023, with enforcement of the new provisions beginning July 1, 2023, and with them come a number of new obligations for businesses. One of the most consequential is the elimination of the 30-day cure period that businesses currently have to fix any violation before they can be fined.
The Cure Period?
Those familiar with the CCPA will know that under the current law, businesses are given a 30-day window, after being notified of an alleged violation, to fix it before they can be fined. This 'cure period', as it has come to be known, was baked into the CCPA to give businesses time to adjust to the new law and get their houses in order.
Now, with the CPRA on the horizon, that cure period is set to be scrapped. Whether a business gets any time to cure will be at the discretion of the California Attorney General and the newly created California Privacy Protection Agency (CPPA). The agency will have the power to bring enforcement actions and impose administrative fines of up to $2,500 per violation, or $7,500 per intentional violation, and with no default cure period in place, that could mean hefty penalties for businesses that don't take the necessary steps to comply with the law.
Existing Circumstances Spell Trouble for Future Compliance: Sephora’s Recent Third-party Cookie Case
While the changes the CPRA brings are important, whether businesses can actually comply with them remains an open question. There are already several prominent examples of companies failing to meet the current guidelines; adhering to newer and more stringent ones may prove an even greater challenge.
The latest reminder came with Sephora's recent CCPA settlement. After months of back-and-forth with the Attorney General's office, the beauty retailer settled claims that it had violated several provisions of the law: failing to disclose that it was selling consumers' personal information (the AG treated the third-party advertising and analytics trackers on Sephora's site, which collected visitor data in exchange for services, as a sale), failing to provide a "Do Not Sell My Personal Information" link, and failing to honor Global Privacy Control (GPC) signals, the browser-level setting by which a consumer tells every site they visit not to sell or share their personal information.
Under current law, companies are given a 30-day window to fix any violation before they can be fined. Sephora was afforded that window but failed to take adequate steps to remediate the problems. On August 24 of this year, the California AG's office announced a $1.2 million settlement with the company, one that could have been avoided had it acted sooner.
What makes Sephora's settlement so notable isn't just the size of the penalty, or that it's the first public enforcement action under the CCPA. What matters most is that it shows how poorly prepared businesses currently are to comply with consumer privacy regulations. Even after 30 days of grace, the beauty giant couldn't get its compliance in order, and was ultimately forced to pay out a hefty fine as a result.
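As an added illustration (example code written for this page, not part of the original article and not Sephora's own implementation), here is how a site can detect a GPC signal on both the server and the client and gate data-sharing tags on it. The `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property come from the Global Privacy Control specification; the tag list, the `hasGpcOptOut`/`allowedTags` helpers and the sample requests are constructed for the example.

```javascript
// Added example, not from the original article or from Sephora / the California AG.
// Global Privacy Control is signalled two ways (per the GPC specification):
//   - HTTP request header   Sec-GPC: 1
//   - navigator.globalPrivacyControl === true   (in the browser)
// Either one means: treat this visitor as having opted out of sale/sharing.

// Parse a request-headers object (lower-cased keys, as Node's http module
// provides) and report whether the GPC opt-out applies. Only the exact value
// "1" is a valid opt-out; any other value, or no header, is "no signal".
function hasGpcOptOut(headers) {
  const raw = headers['sec-gpc'];
  if (raw === undefined || raw === null) return false;
  const value = Array.isArray(raw) ? raw[0] : String(raw);
  return value.trim() === '1';
}

// Hypothetical tag inventory for illustration. `sells: true` marks a tag that
// sends visitor data to a third party in exchange for services, which is the
// kind of flow the Sephora action treated as a "sale".
const TAGS = [
  { name: 'analytics-first-party', sells: false },
  { name: 'ad-network-pixel', sells: true },
  { name: 'retargeting-sdk', sells: true },
];

// Returns the names of tags the page may load, given the request headers and
// any opt-out already recorded for the visitor. The GPC signal is honoured even
// if the stored preference says "not opted out": the signal is itself a valid
// opt-out request, so it overrides a stale stored state rather than the reverse.
function allowedTags(headers, storedOptOut = false) {
  const optOut = storedOptOut || hasGpcOptOut(headers);
  return TAGS.filter((t) => !(optOut && t.sells)).map((t) => t.name);
}

// Browser-side companion: a script can ask the user agent the same question.
// Guarded so the file also runs outside a browser, where `navigator` may be
// missing or lack the property.
function browserGpcOptOut(nav = typeof navigator !== 'undefined' ? navigator : undefined) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests (not captured traffic).
const sampleWithGpc = { 'sec-gpc': '1', 'user-agent': 'ExampleBrowser/1.0' };
const sampleWithout = { 'user-agent': 'ExampleBrowser/1.0' };

console.log('with GPC   :', allowedTags(sampleWithGpc));   // only the first-party tag
console.log('without GPC:', allowedTags(sampleWithout));   // all three tags
```

The check has to run before any third-party tag fires, not after the page has loaded, and a received signal should also be written back to the consumer's record so that later requests without the header are still treated as opted out.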
Sephora Isn’t Alone
Sephora isn’t the only major company to get into hot water over a lack of compliance with data privacy regulations.
Snap Inc. recently agreed to pay $35 million to settle a class action alleging that it collected, stored, and disclosed users' biometric data when they used the lens and filter features of the Snapchat app, without the consent required under Illinois' Biometric Information Privacy Act.
The UK's Information Commissioner's Office (ICO) has also issued TikTok a notice of intent, signaling that it may levy a £27 million fine against the platform for unlawfully processing the data of children under the age of 13 without parental consent. A notice of intent is provisional; the ICO will consider TikTok's representations before deciding on any final penalty.
What this points to is a worrying trend: even when given the time to get their compliance houses in order, some of the world’s largest companies are still failing to meet the guidelines set out by data privacy regulations.
Now, imagine if the CPRA’s stricter guidelines were already in effect. If Sephora – a company with seemingly endless resources – couldn’t get it together to meet the CCPA’s standards, how many other businesses will struggle to meet the CPRA’s?
The answer, unfortunately, is probably quite a few. And with no cure period in place, the potential fines they could face as a result could be crippling.
Sephora is a Reminder for Everyone
The Sephora settlement is a reminder for businesses of all sizes that they need to take consumer privacy seriously – and that includes making sure they’re compliant with all relevant regulations.
The CCPA is currently the most far-reaching data privacy law in effect in the United States. But come January 1, 2023, that's going to change. The CPRA's amendments take effect, and with them comes a renewed responsibility for businesses to stay on top of their data privacy.
What Can Businesses Do?
To say that the future of CCPA compliance is uncertain would be an understatement. But that doesn’t mean businesses should throw their hands up in defeat and do nothing.
There are still steps companies can and should take to get ahead of the curve and prepare for the CPRA’s arrival. Here are a few suggestions:
- Review the changes the CPRA brings (among them a right to correct, a right to limit the use of sensitive personal information, a definition of "sharing" that covers cross-context behavioral advertising, and data minimization and retention requirements) and determine which areas of your business will be most affected.
- Take a close look at your current compliance efforts and assess where you need to make changes. Inventory the third-party cookies, pixels and SDKs on your website and apps: data flowing to an advertising or analytics vendor in exchange for services can be a "sale" or "share", as the Sephora case shows.
- Begin training employees on the new law and what it will mean for the way you do business.
- Update your privacy policies and notices to reflect the new requirements.
- Put systems in place to track and manage consumer requests, including browser opt-out preference signals such as GPC, with a record of when each request was received and fulfilled; regulators treat such a signal as a valid opt-out request, as the Sephora settlement confirmed.
Doing all of this won’t guarantee that you’ll be compliant when the CPRA goes into effect. But it will put you in a much better position to meet the law’s requirements and avoid any potential fines.
The Sephora settlement should serve as a wake-up call to businesses of all sizes that consumer privacy is an important issue that needs to be taken seriously. Failing to do so could result in some very costly consequences. Laying the groundwork for future compliance now is key to ensuring your business is prepared for whatever the future may hold.