Privacy expert Sarah Bruno breaks down how the California Privacy Rights Act will affect the U.S. privacy landscape

“CPRA is this unique kind of beast that has complicated privacy significantly for organizations in the U.S.,” said Sarah Bruno, a partner at the law firm Reed Smith, on the latest Digiday Podcast.

One aspect of the CPRA needing clarification is the difference between the law’s “contractor” and “service provider” labels. “A contractor is a company that you make data available to, and a service provider’s a company that processes the data on your behalf. That’s not super clear, is it? We need more clarity on that,” Bruno said.

The CPRA does clarify some aspects of California’s existing privacy law, the California Consumer Privacy Act (CCPA), which took effect in 2020. It covers the sharing of data for cross-contextual behavioral advertising purposes, which helps to resolve the CCPA’s Rorschach-esque definition of sale that caught Sephora in the crosshairs of California’s attorney general.

The CPRA’s addition of sharing data has “eliminated the question that we had with [the CCPA’s definition of] sale,” said Bruno.

Besides, for as much as the CPRA may mix up the U.S. privacy picture for companies, the more prominent complicating factor remains the absence of a comprehensive federal privacy law. “We’re still going to have these nuances until there’s a federal law that addresses this,” Bruno said.

Here are a few highlights from the conversation, which have been edited for length and clarity.

Enforcement expectations

I do think we’re going to see a lot more enforcement. I’m certainly hoping for a softer start similar to letters being written, opportunity for companies to defend. But I do think we’re going to see a lot more enforcement and more quickly than we did under CCPA. With CCPA, there was a right to cure. There’s no longer a right to cure.

The Sephora repercussions

The Sephora decision was another one that I think allowed a lot of these internal legal departments to suddenly be like, “Look, this is important.” There’s now decisions coming out of California as a result of somebody making a quick decision under CCPA at some point. Now there’s more thoughtful analysis with respect to the data flows and how they’re being used.

A patchwork of state-level privacy laws

Each state has unique requirements. The definition of sensitive personal information is different in the states. So you’ve got to do your data inventory and check the boxes for each state and then consider what compliance measures you have to do. It’s brutal for these companies.

The potential for a U.S. federal privacy law

The political climate obviously dictates this a lot. I think what’s going on with the Dobbs decision [through which the Supreme Court overturned Roe v. Wade], things like that may trigger additional thought with respect to consumer privacy and a need for there to be a more consistent framework across all states and federally. But I have not heard anything to indicate that’s papered at this point.