California voters approved the California Privacy Rights Act (CPRA), Proposition 24, on November 3, 2020. It amends key provisions of the CCPA to substantially expand the rights of individuals and the obligations of businesses that handle personal data. The act aims to protect the constitutional right of privacy of California residents, granting consumers additional rights and imposing extra obligations on businesses, while trying to balance data protection against flexibility in the development of technology. Most of its provisions become operative on January 1, 2023, with enforcement beginning July 1, 2023, but businesses should begin assessing their compliance obligations now in light of the newly introduced consumer rights.
Let’s walk through some of the most impactful and significant additions in the CPRA, with some suggestions regarding how to prepare:
INCLUSION OF “SENSITIVE PERSONAL INFORMATION”:
The CPRA introduces a new defined category, “sensitive personal information,” which businesses must protect to a higher standard than other personal information.
Under the CPRA, sensitive personal information can be broadly divided into two groups: direct identifiers and highly private data. The first group includes data such as government identifiers (Social Security, driver’s license and passport numbers) and financial account or card credentials; the second includes precise geolocation, racial or ethnic origin, religious beliefs, genetic and biometric data, health data, and the contents of mail, email and text messages where the business is not the intended recipient. To give consumers greater power to limit how businesses use this information, the CPRA mandates a new opt-out: a business that uses or discloses sensitive personal information beyond the purposes the statute permits must provide a link on its website titled “Limit the Use of My Sensitive Personal Information.”
Note: This is a distinct link from the “Do Not Sell My Personal Information” link already found on most websites (which the CPRA renames “Do Not Sell or Share My Personal Information”).
INTRODUCING THE “RIGHT OF CORRECTION”:
Derived from the GDPR “right to rectification,” the CPRA introduces a right for consumers to correct inaccurate personal information a business holds about them. Businesses must notify consumers of this new right and must use commercially reasonable efforts to correct the information on request.
AMENDED “RIGHT TO ACCESS”:
Unlike the CCPA, the CPRA removes the 12-month look-back limit: a consumer can now request personal information collected beyond the 12 months preceding the request. This applies to information collected on or after January 1, 2022, and a business need not comply where doing so would be impossible or involve disproportionate effort. It is high time businesses assess their data retention periods and formulate policies that let them fulfill these requests, since everything retained becomes discoverable through an access request.
EXPANDED LIABILITY FOR DATA BREACHES:
The CPRA expands the private right of action for data security breaches: in addition to the categories already covered by the CCPA, consumers can now sue when an email address combined with a password or security question and answer that would permit access to the account is compromised. Breach notification itself continues to be governed by California’s existing breach notification law, which requires businesses to notify consumers whose personal information has been compromised.
The CPRA sets administrative fines of up to $2,500 per violation, rising to $7,500 per intentional violation or per violation involving the personal information of consumers under 16, and creates a new California Privacy Protection Agency to enforce them. The CCPA’s 30-day cure period before an enforcement action is also removed.
STRINGENT RESTRICTIONS FOR DATA RETENTION:
Similar to the GDPR, the CPRA requires businesses to retain personal information only as long as reasonably necessary to achieve the disclosed purposes, and to tell consumers at the point of collection how long each category of personal information will be retained (or the criteria used to determine that period).
In addition, when a consumer submits a deletion request, the business must comply and pass the request on to its service providers and contractors, who in turn must notify their own service providers and contractors, and so on, creating a chain of shared deletion obligations.
EXTENDING SCOPE TO “SHARING” DATA:
The CPRA closes a loophole in the CCPA that companies have exploited for their own purposes: it adds a separate definition of “sharing” alongside “selling” and extends the consumer’s opt-out right to both.
“Sharing” is defined as disclosing personal information to a third party for “cross-context behavioral advertising,” whether or not money or other consideration changes hands. Businesses must assess whether any disclosure amounts to sharing and, if so, implement an adequate opt-out for consumers (the “Do Not Sell or Share My Personal Information” link) before the act takes effect.
HOW TO PREPARE FOR CPRA
1. FORMULATE DATA DELETION POLICIES:
A stringent data deletion policy is a necessity for any business that processes personal information. The longer a business keeps data it no longer needs, the greater the chance that data is exposed in a breach, and the larger the scope of any access or deletion request it must answer. Tightening data deletion policies is therefore a must.
2. EXAMINE YOUR AGREEMENT WITH THIRD PARTIES:
Businesses must be mindful of the data privacy and cybersecurity posture of all third parties, including contractors and service providers with whom they share personal data. Written contracts must restrict these parties from selling, sharing, or using the data for any purpose not specified in the contract, and must flow down deletion and correction requests.
3. IMPLEMENT TECHNICAL OR OPERATIONAL CHANGES:
To meet the CPRA’s requirements, businesses need technical and organizational changes. These include updating response policies and procedures, building a robust process for handling the new consumer requests (correction, limiting use of sensitive personal information, opting out of sharing), and honoring those requests across all systems that hold the data.
4. AUDIT AND RISK ASSESSMENT:
Revisiting policies and mapping data flows are integral parts of any data privacy program. Businesses should conduct an internal audit and assess every process that poses a significant risk to personal data.
The CPRA also borrows provisions on data minimization, data retention, risk assessment, and purpose limitation from the GDPR.
CPRA BEYOND OTHER PRIVACY LAWS
The CPRA borrows certain principles from the GDPR, but it also has features that distinguish it from other privacy and data protection laws around the world. It is more explicit about technology, adding definitions of “sensitive personal information,” “security and integrity,” and “unique identifier.” Another distinguishing feature, carried over from the CCPA, is that businesses may offer financial incentives to consumers in exchange for the collection and retention of their personal data, provided the incentive is not unjust, unreasonable, coercive or usurious.
ARE YOU LOOKING FOR WAYS TO ACHIEVE CPRA COMPLIANCE?
42Gears understands how important it is for you to keep up with the growing number of global privacy regulations. To put the right security controls in place and avoid hefty penalties and data breaches, you can use SureMDM, a comprehensive unified endpoint management solution.
Fully complying with the CPRA requires a variety of solutions, processes, people, and technologies. The methods mentioned above are some of the ways in which the CPRA’s requirements can be met. This material is provided for informational purposes only and should not be considered legal advice on CPRA compliance. 42Gears makes no warranties, express, implied, or statutory, as to the information in this material.