CPRA hints at the future of cybersecurity and privacy

One of the most notable ballot propositions impacting the privacy and cybersecurity world during the US 2020 election was the passage of the California Privacy Rights Act (CPRA).

Predominantly considered an updated version of 2018’s California Consumer Privacy Act (CCPA), the CPRA incorporates several changes other than the highly touted establishment of the California Privacy Protection Agency (CPPA).

Not only does the CPRA incorporate several changes that might place a burden on small retailers, it also focuses more specifically on cybersecurity, hinting at the future of privacy and security legislation.

What new duties does the CPRA impose?

The new iteration of the California law specifically incorporates data security and integrity requirements in several places. The changes filter across CPRA’s fifty-three pages. When brought together, they show a shift towards making the CPRA a hybrid privacy-security regulation.

The first mention occurs in section 100, which requires that businesses collecting personal information “shall implement reasonable security procedures and practices.” This new language highlights the deeply intertwined relationship between security and privacy. The CCPA hinted at security controls, but the CPRA outright requires them.

This new mandate aligns with the following addition of “security and integrity” in the definitions section:

• the ability: (1) of a network or an information system to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information; (2) to detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions, and to help prosecute those responsible for such actions; and (3) a business to ensure the physical safety of natural persons.

This definition reinforces proactive cybersecurity monitoring and threat detection as important to ensuring privacy. Specifically, the “to help prosecute those responsible” indicates that organizations who must comply with CPRA need to have appropriate forensic documentation that will give them the ability to work with law enforcement.

How does the CPRA change the definition of data collection?

From a purely academic position, the new definitions of consent, dark patterns, and cross-context behavioral advertising indicate that the CPRA looks to the future of data collection technologies.

The definition of consent specifically states:

• acceptance of a general or broad term of use or similar document that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.

The use of “general or broad terms of use […] along with other unrelated information does not constitute consent” appears to call out both the “GDPR cookie notification” and the forms that use “by clicking this box I acknowledge having read and understood the company’s Privacy Statement.”

Both of these notifications could be considered broad terms and conditions. Additionally, both contain personal information processing along with “other, unrelated information” such as the marketing assets the user wants to download.

However, the CPRA goes further in the definitions section to include marketing technologies that gather user intent data. Many websites use “heatmaps” that collect information on where users click, what videos they watch or pause, and what areas they hover over. For example, tools such as Decibel and Hotjar are behavior analytics tools that give insight into what content users click through to, whether they get distracted by non-clickable elements, and whether they respond to opt-ins. The CPRA’s language indicates that businesses will need to obtain consent before collecting this information.

The CPRA goes yet another step further, defining “dark patterns” as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by the regulation.” Dark patterns are marketing ploys that try to leverage users’ emotions against them, such as email request boxes with buttons that say, “No thanks, I don’t want a discount today.” Under the CPRA, these would be considered non-compliant tactics.

Finally, the CPRA covers all its privacy bases by including the following definition of cross-context behavioral advertising:

• targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.

In other words, if a consumer looks to buy something from the Gap, the Gap cannot use that information to target advertising for the Banana Republic’s clothing.

Consumer businesses will need to specifically delineate their consumer data collection repositories and be more proactive about the way in which they position their digital marketing strategies.

How the CPRA impacts the data supply chain

CPRA also tackles the data supply chain, giving specific directions on what and how service providers and contractors fit into the privacy puzzle. Sections 105, 121, and 130 all reference these third-party data organizations that, when aggregated, create a series of contractual requirements across the data supply chain.

First, under Section 105, “Consumers’ Right to Delete Personal Information,” the CPRA clarifies that service providers are only beholden to business with whom they contracted, not consumers. Second, the clause creates a waterfall approach for deleting personal data. Businesses need to tell their service providers and contractors who in turn need to contact their service providers and contractors. Presumably, this waterfall continues down the data supply stream until no more additional contracted parties remain.

Second, CPRA established section 121, a new provision not in the CCPA. This section gives consumers the right to limit how businesses use their data and requires businesses to push those limitations downstream as well. Fundamentally, this provision means that consumers can now create accounts for services, such as purchasing through a business owned application, but limit the way that data is used to that single case.

Finally, under section 130, the CPRA clarifies service provider and contractor responsibilities focusing on contractual obligations. Service providers and contractors need to respond only to requests as provided by the businesses with whom they contract. This section reinforces the distance between consumers and a business’s service providers and contractors.

What can we hypothesize about the direction CPRA takes data privacy and security?

Fundamentally, CPRA gives a lot of insight into the way that data security and privacy increasingly intertwine. The CPRA no longer hints at the interconnection but specifically speaks to data security best practices. It additionally goes further than other regulations by requiring businesses to provide data security event information that helps track cybercriminals after an incident occurs.

More importantly, CPRA’s clarifications create a morass of requirements that make data retrieval difficult. These requirements enforce data minimization by placing undue burdens on businesses and the data supply chain when responding to consumer requests. For example, Section 130(3)(B)(ii) now requires businesses to provide consumers, upon request, with “the specific pieces of personal information obtained.”

Originally, under CCPA, businesses needed to share the categories of information. By requiring them to supply the specific pieces of personal information, businesses that need to respond to consumers now need to think more carefully about the data they collect. If the “pieces of data” collected come from website heatmaps, then businesses need to be able to segregate that data out if a consumer requests it.

In short, many of these new requirements force businesses to think more carefully about the information they collect. If a business needs to furnish data upon customer request, it needs to know the specific pieces of information it collects, not just the categories. Since this will increase the operational costs associated with responding to these requests, the CPRA fundamentally gives businesses two options. Collect all the data but pay the operational costs when responding to consumer requests or limit data collection as much as possible to reduce the operational costs of responding to consumer requests.

By January 2020, at least three states had prepared new privacy legislation based on the CCPA. As data privacy and security professionals look to the future of privacy regulations, the CPRA creates new fundamental requirements that states, and the US federal government may use to strengthen consumer data rights.