How Does the CPRA’s Look-Back Provision Work?

iStock-924558574

In November 2020, voters approved the California Privacy Rights Act (CPRA) in a ballot initiative, making major changes to the existing California Consumer Privacy Act (CCPA). The CPRA strengthens enforcement of the data privacy law, clarifies some of its gray areas, and adds new rights for California residents. It also brings the state law more in line with the European Union’s General Data Protection Regulation (GDPR).

Most of the changes in the CPRA do not go into effect until January 1, 2023. This has lulled some businesses into a false sense of security, with many thinking, “We’ll deal with the CPRA in 2023.” This can be problematic for two reasons. First, for businesses that are already supposed to be CCPA compliant but are not, that law is in effect. Enforcement has begun and 30-day cure notices are going out, along with the threat of hefty fines. Second, the CPRA has a 12-month look-back provision that affects businesses’ data privacy practices going back as far as January 1, 2022.

The Look-Back Provision

No law can penalize behavior that took place before the law existed. The CPRA, passed on November 3, 2020, can’t force businesses to have been maintaining consumer data in a certain manner before that date. What it can do is make businesses track their collection, use, and disclosure of personal information up to 12 months before the law’s 2023 effective date.

This is exactly what the CPRA does, in order to accommodate Californians’ right to know what personal information has been collected. This right was included in the original law, though it has been slightly changed by the CPRA and the right to know specific pieces of information is now called the “right to access.” When a consumer submits a request to know, the business must supply all relevant information going back at least 12 months.

The look-back provision seeks to ensure that these consumer rights are fully realized from the very beginning. According to the CPRA, even if a business receives a request to know on January 1, 2023 (the day the law goes into effect), it should be prepared to provide information going back to January 1, 2022. This means businesses must do the work of becoming fully compliant before 2023.

As a side note, the CPRA also contemplates future regulations that will require businesses to provide information beyond the 12-month period upon request, “unless doing so proves impossible or would involve a disproportionate effort.” Even in these cases, however, businesses need not provide information from before January 1, 2022.

How Does It Affect CCPA-Compliant Businesses?

If your business is already CCPA compliant, there is good news. Being ready to comply with the CPRA’s 12-month look-back provision won’t take too much work, as you should already be prepared to provide 12 months’ worth of information to consumers upon request. The only change needed is to include some additional information in requests to know, as required by the CPRA.

Luckily, there is just one type of additional information. In response to a request to know what categories of personal information have been collected, the original CCPA requires businesses to include categories of third parties to whom it discloses personal information. The CPRA expands on this, requiring businesses to also tell consumers the categories of service providers and contractors to whom it discloses information.

The practical impact for CCPA-compliant businesses is that, before the CPRA takes effect, they must categorize all service providers and contractors to whom they have disclosed consumers’ personal information since January 1, 2022.

What About Businesses That Are Not Yet CCPA Compliant?

For businesses that are not yet CCPA compliant, meeting the requirements of the CPRA’s look-back provision will take more work. They must go through the entire process of becoming compliant and retroactively document, starting from January 1, 2022, all required categories and specific pieces of personal information needed to respond to consumers’ privacy requests. Accomplishing this may require a few extra steps at the data mapping stage, depending on how much the business’s practices changed over the period.

That said, if the CPRA will apply to your business in 2023, then the CCPA almost certainly does so already. There is no reason to wait on compliance. First, becoming compliant now makes future compliance much, much easier—there are a few adjustments under the CPRA, but they are relatively easy for compliant businesses to make. Second, with enforcement efforts ramping up under the California Attorney General (and soon the California Privacy Protection Agency), non-compliance is not worth the risk. Receiving a 30-day cure notice can push businesses to make costly mistakes by trying to become compliant in a hurry. If the notices are ignored, businesses can quickly incur hundreds of thousands of dollars in civil penalties.

Next Steps

If your business is already CCPA compliant, making sure you’re ready for the CPRA’s look-back provision should be easy. You have until January 2023 to make the changes, but they are so minor that there is no downside to implementing them ahead of schedule.

If you have been holding off on CCPA compliance, one of the key points to keep in mind is that becoming compliant is not as simple as flipping a switch. It will require a significant amount of effort and likely some changes to the way your business operates on a daily basis. Getting started early will take off some of the pressure and make things go more smoothly.

Hiring a law firm or consultant to handle CCPA compliance can be quite costly and time-consuming. TrueVault Polaris is an attorney-designed software solution that automates the process. It provides a guided experience, all the way through full CCPA compliance, at a fraction of the cost in both time and money. Contact our data privacy experts to learn more.

Schedule Call