The CPRA is law—now what?

It’s a new year, which means it’s time for some new rules—specifically concerning the management of your data. The California Privacy Rights Act (CPRA) became law on January 1, 2023, which means IT teams will need to be prepared for unique challenges around what’s primed to become the country’s most expansive and restrictive privacy regulation.

In December, IT Brew caught up with Ajay Bhatia, general manager and global VP at software company Veritas, to discuss how the law will affect both consumers and the companies managing their data.

This conversation has been edited for length and clarity.

Can you explain what the CPRA is and where it came from?

The CPRA is an extension of the CCPA, which is the California Consumer Privacy Act. That’s been around for a while. The CCPA protects consumers from mismanagement of their data. That act imparts the right to know, the right to delete, the right to opt-out, and the right to…non-discrimination.

Those are the…areas where the CCPA was established. It kind of took a lot of flak, because there was an inadequacy felt in the way the data was being managed—[if] I’m a consumer, I’m looking at a website, it says “manage all cookies,” I gotta go into settings to change things. There was a lot of more effort on the consumer side to be able to try and help the protection of their own data.

Having the CPRA, which is the privacy and regulations act, it takes those elements of the CCPA, but then it empowers the consumer, the individual, with the right to be able to go correct their personal information that is being held by the businesses and the right to limit the use and disclosure of that sensitive information. So, there’s a little bit more of a bend towards what businesses are doing with my data as a consumer.

How does this differ from the European Union regulation, the General Data Protection Regulation (GDPR)?

If you look at the GDPR, the level of fines, the level of punitive damages that were implemented, are way, way, way higher than what they are [with] the CPRA.

The CPRA will range between $2,500 to maybe about $7,500 per violation, whereas the GDPR says it’s going to be 2% of your entire annual revenue across the globe, if it’s a minor violation. It’s going to be 4% of your revenue across the globe, if it’s a major violation. One of the largest cloud service providers got fined close to 900 [million] euros…a major US firm. They weren’t able to demonstrate compliance for the way they handled European Union data compliant to GDPR.

That’s a major difference in fines. Do you think we’ll see a similar shift toward coordination and enforcement in the US?

The cost of not complying to a regulation is quite astronomical for companies choosing to do business in the GDPR zones, whereas that’s not true for the US. This is why I say the US needs to up the ante. California is certainly leading that charge.

But again, it’s more about data sovereignty for what you do with data of California citizens. That reciprocity, for lack of a better word, is starting to gain momentum. Then again, there are always loopholes—this is not a US federal law, and [there] are three or four or five different states that are trying to do this on their own, whether it’s Colorado, Utah, Virginia, or others.

That’s the point I’m trying to make, which is the unified standard across multiple different countries in the European Union means that businesses that are incorporated there, that handle sensitive data for EU citizens, they actually mold that entire regulation into their strategy, into their daily operations for most companies, which is not the case with where we are. Where we need to be is at that level, and the CPRA tries to get us a little bit closer there.—EH

Do you work in IT or have information about your IT department you want to share? Email [email protected].