California’s CPRA bolsters its landmark data privacy law, the CCPA. Set to take effect in two years’ time, the update contains important clarifications on various definitions, minors’ data and the collection and use of personal information.
California’s new California Privacy Rights Act of 2020 (CPRA) is here. The law is an expansion of the California Consumer Privacy Act (CCPA), designed to strengthen data privacy protections and bring California’s regime closer to Europe’s stringent General Data Protection Regulation (GDPR).
These tighter policies, the majority of which go into effect January 1, 2023, add to an already complex regulatory landscape. With data protection regulations only expected to grow in size and scope in the coming years, you’ll want to fine-tune your approach now to stay on top of evolving mandates.
What Is the CPRA?
The CPRA is designed to strengthen and clarify the privacy requirements of the CCPA, which took effect on January 1, 2020. Some of the most noteworthy provisions of the CPRA include:
- A new “sensitive personal information” category. This covers race and ethnicity, driver’s licenses, social security numbers, login credentials, biometric information, precise geolocation data and more.
- New consumer rights. Consumers gain the right to correct inaccurate personal information and a separate right to limit a business’s use and disclosure of their sensitive personal information. These complement the rights instituted by the CCPA: the right to know, access, delete and opt out of the sale of data, along with the right to nondiscrimination for exercising those rights.
- Higher fines for violations involving minors. The $7,500-per-violation maximum that the CCPA reserved for intentional violations now applies to any violation involving the personal information of consumers under the age of 16, whether or not the violation was intentional.
- New rules on data collection and usage. A business’s collection, use, retention and sharing of personal information must be reasonably necessary and proportionate to the purposes for which the information was collected, so companies can no longer gather data they do not need to provide their goods and services.
- A new mandate for annual audits and risk assessments. Businesses whose processing of personal information presents a significant risk to consumers’ privacy or security will be required to perform annual cybersecurity audits and submit regular risk assessments to the regulator.
- Expanded definition of “sell.” The CCPA’s “sell” becomes “sell or share.” “Share” covers disclosing personal information to a third party for cross-context behavioral advertising, whether or not any money changes hands, so ad-tech data flows that were arguably not sales under the CCPA are now squarely in scope.
The CPRA also adds muscle to the CCPA by creating a new government agency – the California Privacy Protection Agency – dedicated to rulemaking and administrative enforcement of the new regulations. Moving day-to-day enforcement from the attorney general’s office to a dedicated agency means there will likely be even greater scrutiny. The CPRA also eliminates the CCPA’s mandatory 30-day period to cure violations before enforcement, so it’s even more important to get it right the first time.
How to Become CPRA Compliant
Your roadmap to CPRA compliance depends on the specific information you’re collecting, your processing methods and the security and privacy procedures already in place. If you have taken steps to comply with the CCPA, you’re off to a good start with CPRA compliance, but there are still several considerations, regardless of where you are in your journey:
- Take a close look at existing privacy practices and policies. Assess your current procedures and safeguards, especially if you haven’t yet complied with the CCPA. If you did make changes to comply with the CCPA, make sure sensitive personal information has been considered. Also, determine if any changes need to be made to how you’re obtaining consent for processing sensitive data. Do you need to incorporate any additional opt-out functionality?
- Create a centralized repository of all data within scope. Inventory all the information your organization possesses that could be within the scope of the CPRA. Why is it being collected, and which consumer profiles, vendors, third parties and service providers are involved? Having this data all in one place makes it easier to classify and take subsequent steps for compliance.
- Don’t forget about your vendors. Third parties also have obligations under the CPRA. Your compliance depends on their compliance. Review your existing contracts and templates to ensure the terms reflect vendor obligations under the legislation.
- Train your team. Everyone within the company should understand what they need to do to maintain CPRA compliance. Also understand how people within the organization are addressing their specific obligations, what data they’re processing and how they’re handling the information.
- Make your activities reportable. If a regulator comes knocking, you want to be confident about what your organization is doing to adhere to CPRA mandates. Record, track and centralize all privacy activities so the information necessary to prove your compliance is right at your fingertips.
- Streamline with technology. The right tools can help risk and compliance teams manage and enforce many mandates at once – CCPA, HIPAA and GDPR as well as the CPRA. In addition to supporting risk and readiness assessments, using technology to build questionnaires for data protection impact assessments (DPIAs) speeds up the process and shows you which processes matter most for compliance.
The Data Privacy Movement
Privacy laws are picking up steam across the U.S. In 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which imposed new data security requirements on companies that hold private information about New York residents. Washington has proposed the Washington Privacy Act, which would grant consumers the right to access, transfer, correct and delete the data companies hold on them. Meanwhile, the prospect of federal legislation is increasing.
If this activity is any indication, we’re likely to see much more in the way of data privacy regulations. Take steps now to put the policies, processes and technology in place to comply with the CPRA – and provide a solid foundation to keep up with any future requirements in this rapidly changing world of data privacy. The right tools, mindset, best practices and processes will ensure your organization is set up for long-term success.