
How CPOs Can Prepare for CPRA Rules and Enforcement

The State of California is raising the stakes on data privacy for companies that handle its residents’ personal information: new rules based on the California Privacy Rights Act (CPRA) become operative on January 1, 2023, with civil and administrative enforcement following on July 1, 2023. CPRA amends the existing California Consumer Privacy Act (CCPA), building on its foundations and extending what is required of businesses that handle California residents’ personal information, including a newly defined category of sensitive personal information (SPI).

The new CPRA is part of a nationwide trend, in which individual US states have responded to calls from their residents to address the growing issue of data privacy. California has been joined in this privacy push by Connecticut, Colorado, Utah, and Virginia – all of which have adopted laws to regulate the handling of sensitive personal information and protect the data privacy of their residents.

In this article, I’ll review how CPRA extends the definitions and scope of the CCPA, how businesses should think about CPRA enforcement, and what CPOs can do to help their companies ensure effective and frictionless compliance with CPRA.

CPRA in a Nutshell

So, which companies are impacted by CPRA and which types of data does CPRA govern? And, what rights does it grant to California residents (and which residents)?

Companies Impacted by CPRA

CPRA extends and modifies the California Consumer Privacy Act of 2018 in several ways. Both laws apply to any for-profit business that does business in California and meets any one of the following thresholds (a single threshold is enough):

  • Annual gross revenue in excess of $25 million in the preceding calendar year.
  • Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households. CPRA adds “shares” to the language of the previous law and raises the threshold from 50,000 to 100,000 (exempting smaller businesses).
  • Derives 50% or more of its annual revenue from selling or sharing personal information. “Sharing” is CPRA’s term for disclosing personal information for cross-context behavioral (targeted) advertising, so the previous law’s “selling” criterion now also captures targeted advertising.

If these changes were the full extent of CPRA’s updates, assessing whether CPRA affects your business would be simple. But this simple assessment can be misleading without considering two confounding factors: CPRA’s expansion of what personal information is protected, and CPRA’s expansion of protections beyond consumers.

Which Types of Data Does CPRA Protect?

CPRA expands the scope of protected data by defining a new category, sensitive personal information (SPI), within the personal information (PI) that the previous law already protected, and attaching additional obligations to it. This means that, in addition to protecting the more common forms of personal information under the current requirements, every company that might be impacted by CPRA needs to assess whether (and how) it handles personal information that relates to any of the following:

  • Driver’s license numbers
  • Social Security numbers (SSN)
  • State ID numbers
  • Passport numbers
  • Account log-in credentials (such as usernames and passwords), and financial account, debit card, or credit card numbers combined with the security code or password needed to access the account
  • Union membership
  • Biometric information processed to uniquely identify a consumer, and genetic data
  • Racial or ethnic origin
  • Precise geolocation
  • Religious or philosophical beliefs
  • Information about a consumer’s sexual orientation, sex life, or health
  • Contents of a consumer’s mail, email, and text messages, unless the business is the intended recipient

This list is worth more than a quick review. Some of these types of data (like geolocation) are likely to live in clearly labeled columns in the systems and services your company uses, but others, like religious or philosophical beliefs or union membership, rarely have a column of their own and can turn up inside free-text fields, support notes, or other unstructured data that a cursory review would miss. For CPOs, this means that any tools you use to discover personal information should be reviewed and updated to confirm that they detect these categories in unstructured data as well as in structured fields.
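As an added illustration (not code from the original article), here is a small Python scanner that applies both detection styles the paragraph describes: regular expressions for SPI with a fixed format, and keyword lexicons for categories such as religious beliefs or union membership that only appear as free text. The record, the lexicon entries, and the assumed California driver’s license and US passport formats are constructed for this example; a production tool would use validated formats and far larger lexicons.

```python
"""Scan a customer record for CPRA sensitive personal information (SPI).

Two detector families: regular expressions for SPI with a fixed format
(SSN, ID numbers, coordinates) and keyword lexicons for SPI that only
shows up as free text (beliefs, union membership, health). The record,
lexicons and assumed ID formats are constructed for this example.
"""
import re
from dataclasses import dataclass

# Fixed-format detectors. The California driver's license format (one
# letter + seven digits) and the US passport format (nine digits, or one
# letter + eight digits) are ASSUMPTIONS for this example; confirm formats
# with the issuing authority before relying on them.
PATTERN_DETECTORS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "ca_drivers_license": re.compile(r"\b[A-Z]\d{7}\b"),
    "us_passport": re.compile(r"\b(?:\d{9}|[A-Z]\d{8})\b"),
    # lat, lon with four or more decimals (roughly 10 m): "precise" geolocation
    "precise_geolocation": re.compile(r"-?\d{1,2}\.\d{4,}\s*,\s*-?\d{1,3}\.\d{4,}"),
}

# Free-text detectors. These categories have no format to match, so the
# only option is vocabulary. Tiny constructed lexicons for illustration.
KEYWORD_LEXICONS = {
    "religious_or_philosophical_beliefs": [
        "catholic", "protestant", "muslim", "jewish", "hindu", "buddhist",
        "atheist", "church", "mosque", "synagogue",
    ],
    "union_membership": [
        "union member", "union dues", "shop steward", "collective bargaining",
    ],
    "health": ["diagnosis", "prescription", "insulin", "chemotherapy", "pregnant"],
}
KEYWORD_PATTERNS = {
    category: re.compile(
        r"\b(?:" + "|".join(re.escape(w) for w in words) + r")\b", re.IGNORECASE
    )
    for category, words in KEYWORD_LEXICONS.items()
}


@dataclass(frozen=True)
class Finding:
    field: str
    category: str
    method: str    # "pattern" or "keyword"
    evidence: str  # redacted identifier, or the matched keyword


def redact(value: str) -> str:
    """Keep only the last four characters so the scan report is not itself SPI."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(field: str, text: str) -> list[Finding]:
    findings = []
    for category, pattern in PATTERN_DETECTORS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(field, category, "pattern", redact(match.group(0))))
    for category, pattern in KEYWORD_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(field, category, "keyword", match.group(0).lower()))
    return findings


def scan_record(record: dict) -> list[Finding]:
    """Scan every string field: structured columns and free text alike."""
    findings = []
    for field, value in record.items():
        if isinstance(value, str):
            findings.extend(scan_text(field, value))
    return findings


def categories_found(record: dict) -> set[str]:
    return {f.category for f in scan_record(record)}


def found_only_in_free_text(record: dict, free_text_fields: set[str]) -> set[str]:
    """SPI categories that a column-by-column review would miss entirely."""
    findings = scan_record(record)
    in_columns = {f.category for f in findings if f.field not in free_text_fields}
    in_free_text = {f.category for f in findings if f.field in free_text_fields}
    return in_free_text - in_columns


# Constructed record; not a real person.
SAMPLE_RECORD = {
    "customer_id": "C-0001",
    "email": "alice@example.com",
    "drivers_license": "D1234567",
    "last_location": "37.7749, -122.4194",
    "support_notes": (
        "Customer mentioned she attends a Catholic church and pays union dues. "
        "SSN 123-45-6789 was read over the phone to verify identity."
    ),
}

if __name__ == "__main__":
    for finding in scan_record(SAMPLE_RECORD):
        print(finding)
    print("free text only:", found_only_in_free_text(SAMPLE_RECORD, {"support_notes"}))
```

Run against the sample record, the column scan finds the driver’s license and the coordinates, but the SSN, the religious affiliation, and the union membership appear only in the support notes; `found_only_in_free_text` isolates exactly those categories, which is the gap a column-name review leaves open.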

Another aspect of CPRA that warrants careful consideration is which California residents are protected by CPRA.

Who Does CPRA Protect?

CPRA amends the California Consumer Privacy Act, which (as the name suggests), governs the data privacy of consumers. But CPRA doesn’t just protect consumers, and it doesn’t only regulate consumer-facing companies.

CPRA also protects California residents who deal with covered businesses in roles other than consumer, ending the CCPA’s temporary exemptions for business-to-business (B2B) and employee (HR) data, which expire on January 1, 2023. This means that CPRA governs the collection of employees’, job applicants’, and contractors’ personal information, including the HR tools and related data processing policies and procedures that handle it. And it means that CPRA affects B2B companies that never interact with consumers but that hold personal information about California residents at other businesses, such as business contacts.

So, what rights does CPRA confer to California residents?

Expansion of Rights under CPRA

CPRA expands on the rights granted to California residents by the California Consumer Privacy Act: the right to know what personal information is collected and to access it, the right to delete it, the right to opt out of its sale, and the right to equal service and price after exercising these rights.

CPRA adds the following new rights to this list:

  • The right to correct inaccurate personal information, so that residents can not only access their personal information but also demand that it be corrected
  • The right to limit the use and disclosure of sensitive personal information to what is necessary to provide the goods or services requested
  • The right to opt out of sharing, meaning disclosure of personal information for cross-context behavioral (targeted) advertising, in addition to the existing right to opt out of sale

Along with these changes, CPRA has a new approach to enforcement, establishing a new agency and a strengthened private right of action.

CPRA Enforcement

CPRA’s predecessor was enforced solely by the Office of the California Attorney General; CPRA creates a dedicated rulemaking and enforcement agency and expands the private right of action:

  • Enforcement by the California Privacy Protection Agency (CPPA): Previously, the Office of the California Attorney General was solely responsible for enforcement actions relating to violations of privacy rights. CPRA creates a new agency, the CPPA, with authority to adopt regulations and to bring administrative enforcement actions; the Attorney General retains the power to bring civil actions. Along with taking action against violations, the CPPA is tasked with educating the public and clarifying, through its regulations, how it interprets CPRA for purposes of enforcement. CPOs and other privacy leaders should bookmark the CPPA website and check it frequently.
  • Enforcement through Private Right of Action: The California Consumer Privacy Act allowed a private right of action when a business’s failure to implement reasonable security led to a breach of nonencrypted and nonredacted personal information. CPRA extends this to breaches of an email address in combination with a password or security question and answer that would permit access to the account, even where no other personal information is exposed. The intent is to push businesses to protect stored credentials properly (for example, by salting and hashing passwords rather than storing them in recoverable form) and so reduce the breaches that lead to user accounts being compromised and misused.

How CPOs Can Lead Towards Data Privacy and CPRA Compliance

Here’s my list of actionable steps to help your organization become more proactive about protecting personal information, so that you’re ready when CPRA enforcement begins on July 1, 2023, and also ready to handle any new data privacy laws or regulations that other states – or other regulators, like the US federal government – might create:

  • Follow Data Minimization Principles: At the most basic level, data minimization starts with confirming that you actually need a given type of personal information or sensitive personal information before collecting it. Then, conduct a sensitive data inventory to establish what types of personal information you already collect. After completing the inventory, revisit why you’re collecting each type, where it’s stored (by system and jurisdiction), who has access to it, and how long it will be retained. You can implement data minimization controls using privacy-enhancing techniques like masking, tokenization, polymorphic encryption, and de-identification.
  • Implement and Follow Data Retention Principles: Once you’ve identified what personal information you are collecting, you should identify how long you need to retain this data and then build a formal data retention program and policy to ensure that you aren’t retaining personal information for longer than is necessary.
  • Strengthen and Periodically Review Security Safeguards: You can’t have data privacy without security, so keeping your encryption, authentication, access-control, and logging controls up-to-date, and reviewing them on a schedule and after any material change to your systems, is critical to protect the sensitive data entrusted to you by your customers and keep it safe from theft or unauthorized use.
  • Implement Effective Data Governance: Implementing data governance starts with a data mapping and inventory to identify what types of personal information you collect, categorize the individual datasets, and understand where this data is stored, who it’s shared with, and why. If applicable, consider classifying this data as personal information, sensitive personal information, etc. And don’t forget to include data handled by your vendors. Then, having assessed the status of your organization’s sensitive data, it’s time to implement or strengthen account-based or role-based access controls so you can ensure that sensitive data is only accessed for authorized workflows on a need-to-know basis.
  • Prepare for Data Subject Requests: Data subject requests are most familiar from GDPR but are also present in CPRA. Such requests generally fall into two categories: data subject access requests (DSARs), which let individuals request a copy of the data held about them, and right-to-be-forgotten requests (RTBFs), which let individuals request discovery and deletion of all data held about them. CPRA adds a third category relative to CCPA: the right to have inaccurate data corrected. My guideline here? If you need to support this process for customers in California and the EU, get ahead of the curve and treat all of your customers like residents of California and the EU. That way, you aren’t caught flat-footed when a new law or regulation includes DSAR or RTBF provisions. And don’t forget about supporting requests from your California-based employees, job applicants, and contractors, because they are now in scope.
  • Assess and Reduce Data Privacy Risks: You should ask yourself and your organization questions about the safeguards and controls you have in place to protect sensitive customer data. Questions like: Where does our sensitive data reside, and could it be more centralized to prevent data sprawl? Who has access to this data, how much, and for which purposes? Then, take action to implement safeguards to address any issues that you uncover. By taking a global approach to answering these questions and addressing any gaps that you discover, you can help to reduce the risk of a data breach.
  • Adopt a Global Privacy Framework: The privacy industry has developed some industry standard privacy frameworks. To get started, I recommend reviewing the privacy framework from the NIST. You can find similar frameworks from other cybersecurity and privacy standards bodies.
  • Review FTC Privacy Consent Decrees and State Privacy Law Enforcement Actions: Closely reading FTC privacy consent decrees and state privacy enforcement actions is a great way to learn how to avoid costly and embarrassing privacy missteps. Existing FTC consent decrees spell out the practices that companies must avoid to steer clear of FTC enforcement. And as cosmetics retailer Sephora recently discovered when it settled with the California Attorney General for $1.2 million under CCPA, disclosing that you share customers’ personal information with third parties is no replacement for telling customers that those disclosures are sales and honoring their opt-out requests, including opt-out signals such as Global Privacy Control sent by their browsers.
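To make the data minimization, retention, and access-control items above concrete, here is an added Python example (not Skyflow’s product or API, and not code from the original article) of the pattern they describe: raw SPI is tokenized on ingestion and kept only in an isolated store, application records hold tokens, roles receive masked or full values according to a policy, every detokenization attempt is logged, and raw values are purged on a retention clock. The roles, retention period, and customer record are assumptions constructed for the example.

```python
"""Tokenize SPI at ingestion, keep raw values only in an isolated store,
mask by default, detokenize per role with an audit trail, and purge on a
retention clock. Roles, retention period and record are constructed for
this example; this is not Skyflow's API.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Who may see what. Any role not listed (e.g. "marketing") gets nothing.
ROLE_POLICY = {
    "support_agent": "masked",  # enough to confirm "the one ending in 6789"
    "fraud_analyst": "plain",   # full value, every call logged
}


def mask(value: str, keep_last: int = 4) -> str:
    """Hide every alphanumeric character except the last few, keeping
    separators so the value's shape stays recognizable."""
    head, tail = value[:-keep_last], value[-keep_last:]
    return "".join("*" if ch.isalnum() else ch for ch in head) + tail


class Vault:
    """Isolated store for raw SPI. Applications keep only tokens."""

    def __init__(self, retention: timedelta):
        self._key = secrets.token_bytes(32)  # never leaves the vault
        self._store: dict[str, tuple[str, datetime]] = {}  # token -> (raw, stored_at)
        self._retention = retention
        self.audit_log: list[tuple[datetime, str, str, str]] = []

    def tokenize(self, value: str, now: datetime) -> str:
        # Keyed (HMAC-SHA256) tokens: the same input always maps to the same
        # token, so application tables can join and de-duplicate on it, while
        # the token reveals nothing about the value without the vault key.
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._store.setdefault(token, (value, now))
        return token

    def reveal(self, token: str, role: str, now: datetime) -> str:
        """Detokenize according to ROLE_POLICY; every attempt is logged."""
        policy = ROLE_POLICY.get(role)
        if policy is None:
            self.audit_log.append((now, role, token, "denied"))
            raise PermissionError(f"role {role!r} may not detokenize")
        entry = self._store.get(token)
        if entry is None:
            self.audit_log.append((now, role, token, "missing"))
            raise KeyError(f"{token}: unknown or purged")
        raw, _stored_at = entry
        self.audit_log.append((now, role, token, policy))
        return raw if policy == "plain" else mask(raw)

    def purge_expired(self, now: datetime) -> int:
        """Retention: delete raw values older than the retention period.
        Tokens left in application tables then dereference to nothing."""
        expired = [t for t, (_, stored) in self._store.items()
                   if now - stored > self._retention]
        for token in expired:
            del self._store[token]
        return len(expired)


def ingest(vault: Vault, raw_record: dict, spi_fields: set, now: datetime) -> dict:
    """Swap SPI fields for tokens at the point of collection, so downstream
    systems never hold the raw value."""
    return {k: vault.tokenize(v, now) if k in spi_fields else v
            for k, v in raw_record.items()}


def demo() -> dict:
    """Run the lifecycle once and return the observable results."""
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
    vault = Vault(retention=timedelta(days=365))
    raw = {"customer_id": "C-0001", "email": "alice@example.com",  # constructed
           "ssn": "123-45-6789"}
    app_record = ingest(vault, raw, {"ssn"}, t0)
    again = ingest(vault, raw, {"ssn"}, t0)
    results = {
        "token": app_record["ssn"],
        "token_is_stable": app_record["ssn"] == again["ssn"],
        "raw_not_in_app_record": raw["ssn"] not in app_record.values(),
        "support_sees": vault.reveal(app_record["ssn"], "support_agent", t0),
        "fraud_sees": vault.reveal(app_record["ssn"], "fraud_analyst", t0),
    }
    try:
        vault.reveal(app_record["ssn"], "marketing", t0)
        results["marketing_denied"] = False
    except PermissionError:
        results["marketing_denied"] = True
    later = t0 + timedelta(days=400)
    results["purged_after_retention"] = vault.purge_expired(later)
    try:
        vault.reveal(app_record["ssn"], "fraud_analyst", later)
        results["reveal_after_purge_fails"] = False
    except KeyError:
        results["reveal_after_purge_fails"] = True
    results["audit_entries"] = len(vault.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the application database never needs to be in scope for the raw SSN: it stores a token, support staff see `***-**-6789`, only the fraud role can detokenize, and each of those calls lands in the audit log. Deterministic HMAC tokens keep joins and de-duplication working; if a token must not be linkable across systems, use a random token per record instead. After the retention period, `purge_expired` drops the raw value and any later detokenization fails and is logged, which is what a retention policy should look like in practice rather than on paper.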

Following these recommendations helps to put your organization in compliance with CPRA’s technical requirements. This vigilance moves you from a reactive approach of responding to each new legal development to a proactive approach where your organization is on the cutting edge of data privacy, ready to quickly address whatever new regulations might come along.

Final Thoughts

Adapting your business to ever-changing data privacy laws and regulations can be a huge challenge that could disrupt your business operations. Many companies now realize that they need a new approach that’s both comprehensive and proactive to stay in compliance while remaining nimble.

Skyflow Data Privacy Vault isolates, secures, and tightly controls access to manage, monitor, and use personal information. By taking a proactive approach to data privacy where your customers’ personal information is stored in Skyflow, you can effectively isolate, protect and govern that data.

This lets you get ahead of privacy regulations, deliver on the consumer demand for data privacy, and be confident that you’re ready when CPRA enforcement begins. And, this approach ensures that you’re well-positioned for whatever data privacy laws and regulations the future has in store for your business.