California has been setting the pace on consumer privacy protections for nearly two decades, passing laws that regulate how businesses like Amazon, Google and Facebook can collect, store and use consumer data.
This includes the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), which takes effect in 2023. To take things further, the state is also forming the country’s first privacy agency, called the California Privacy Protection Agency (CPPA).
“The basic framework of the agency is about ensuring consumers’ rights, requiring businesses to honor those rights, and offering more transparency overall,” says Bubba Nunnery, ZoomInfo’s senior director of privacy and public policy. “That’s the foundation of all new and emerging privacy laws.”
The new agency will enforce the CPRA, which applies to for-profit businesses that operate in California, collect California residents’ personal information, and meet one or more of the following thresholds:
- Gross annual revenue of more than $25 million
- Buy, sell, or share personal info of 100,000 or more consumers or households
- Derive 50% or more of revenue from selling or sharing consumers’ personal information
In the following Q&A, Nunnery shares his thoughts on the potential impact the agency could have on businesses and what they can do to prepare for its enforcement activities, which begin on July 1, 2023.
Q: How can businesses remain compliant under the new agency?
The new regulations being developed are intended to give clear guidance on how companies can meet the requirements of the law. That said, it’s worth noting that even though the agency is new, it’s merely a benchmark in what has been nearly a four-year process.
The best thing that we’ve done — the best thing that any company can do — is to be prepared. We built our California program years ago and have stayed engaged to ensure that we’re ready for any potential changes.
What will always be a best practice is having a flexible compliance framework that can keep track of what types of data you deal with, how you process that information, and what your obligations are under the law.
That can be a daunting and complicated task, but there’s a whole cottage industry that can help companies both assess their responsibilities under the law and build automated compliance programs.
Q: Do you think other states will create privacy regulatory agencies?
It’s hard to say.
California has been a pacesetter in a thousand different ways. They have the highest GDP of any state in the U.S. They have the most people. They enacted the first data-breach laws ever 20 years ago, and now all 50 states have them. But when it comes to setting up a third-party enforcement agency — that’s no small task. It’s expensive, it’s complicated, it’s political. As of now, there aren’t a lot of states looking to set up something similar. We’ll see how it plays out.
Q: How are the California regulations similar to the EU’s General Data Protection Regulation (GDPR)?
There are a lot of similarities that are more conceptual than anything. For example, in both places, you can only collect data that’s relevant to your purpose for processing. Meaning you can only use the data you collect for the purposes that you say you’re going to use it for.
They also both have something about data retention, where you can only store data for the amount of time that you need it to perform the actual stated purpose.
Another similarity is a risk assessment for processing sensitive information. You have to actually go through your own audit to see if your processing is safe.
Q: And different?
Well, the GDPR is the strictest data protection law in the world that applies to any businesses that use or collect data related to EU citizens.
California only applies to for-profit businesses that meet certain requirements, whereas GDPR applies to anyone who’s processing information about residents of the EU. There are also some differences in how or if you can process data related to minors.
As for enforcement, that’s different as well because the GDPR spans across EU countries versus just one state. Each EU member state is required to have a Data Protection Authority (DPA) that is responsible for monitoring and enforcing the law.
Q: Should people be worried about how ZoomInfo uses their data?
No. At ZoomInfo our goal is to help businesses who market and sell to other businesses be more efficient. We provide data and insights that help our customers connect with prospects and the decision-makers within those companies.
The information we gather, enhance, and make available is perhaps the least sensitive information out there. It’s information people regularly share while conducting business, such as company, title, work email address, work phone and other similar information used only in a professional context.
Generally speaking, people are worried about having their personal information harvested without their knowledge or consent. They don’t like the idea of companies creating algorithms off their data to try and influence their behavior, without ever having a say in whether they want to be a part of it.
We get that. We appreciate that. We support that. We don’t do that.
Q: The CCPA has created an exemption for B2B companies. Can you explain what that means?
The exemption means that companies that exchange data with other companies to do business aren’t covered in this law for a period of time. As of now, businesses should be prepared to treat professional information the same as other personal information on January 1, 2023. That said, this is somewhat of a fluid topic; the exemption has been extended already, and there are a couple of bills out there right now that seek to extend it again, one permanently.
The purpose isn’t to regulate the B2B economy. However, without distinctions between personal and professional information, there may be implications beyond simply giving more protections to sensitive consumer data.
Q: What is ZoomInfo doing to remain compliant in California?
We are very proactive on this front.
We’ve been engaged in California since the CCPA began being debated in 2018. We pay close attention to how privacy conversations are developing. We engage with lawmakers and give input when it’s requested from the industry, including engaging proactively in the CPRA rule-making process.
As the first state to launch a comprehensive privacy law, California has been instrumental in ZoomInfo’s development of a robust compliance framework and privacy team — not just within the country, but globally as well. Our privacy and compliance team includes lawyers, policy experts, and techies, so when new requirements are being considered or enacted, we can assess them on multiple levels.
We also use a third party to run yearly CPRA-specific audits. They look at how we operate in California and validate that our practices meet or exceed what’s required by law. In addition, we’ve automated our process for sending privacy notices and processing opt-outs to make sure we are updating our database in real time.
Q: How have you seen the privacy space change over time?
It’s fascinating to think back just two years ago. In 2020, there were probably 15 or 16 privacy bills across the country. And one, maybe two, that had a realistic chance of passing in Washington state. Then COVID hit and nothing happened — legislatures went out of session, or they focused on COVID-related legislation and budget. But even though no security legislation was passing, a lot was happening in the world of security, because the year was enormously complicated. It was an election year. The murder of George Floyd happened. You had protests happening across the country. All of a sudden facial recognition in law enforcement was a thing. You had contact tracing occurring all around you. So privacy — which was already a complicated topic — got exponentially more complicated during 2020, and we’re seeing regulations evolve to address this added complexity.