Privacy expert Sarah Bruno breaks down how the California Privacy Rights Act will affect the U.S. privacy landscape
To anyone hoping that California’s updated privacy law would help to simplify privacy compliance in the U.S., sorry. That doesn’t seem to be the case. Instead, the California Privacy Rights Act (CPRA), which takes effect on Jan. 1, seems set to muddy the privacy landscape even more.
“CPRA is this unique kind of beast that has complicated privacy significantly for organizations in the U.S.,” said Sarah Bruno, a partner at the law firm Reed Smith, on the latest Digiday Podcast.
One aspect of the CPRA needing clarification is the difference between the law’s “contractor” and “service provider” labels. “A contractor is a company that you make data available to, and a service provider’s a company that processes the data on your behalf. That’s not super clear, is it? We need more clarity on that,” Bruno said.
The CPRA does clarify some aspects of California’s existing privacy law, the California Consumer Privacy Act (CCPA), which took effect in 2020. It covers the sharing of data for cross-contextual behavioral advertising purposes, which helps to resolve the CCPA’s Rorschach-esque definition of sale that caught Sephora in the crosshairs of California’s attorney general.
The CPRA’s addition of sharing data has “eliminated the question that we had with [the CCPA’s definition of] sale,” said Bruno.
Besides, for as much as the CPRA may mix up the U.S. privacy picture for companies, the more prominent complicating factor remains the absence of a comprehensive federal privacy law. “We’re still going to have these nuances until there’s a federal law that addresses this,” Bruno said.