Staying ahead of privacy legislation - How CPRA will impact your business
With the California Consumer Privacy Act (CCPA) coming into force in January 2020, businesses affected by the legislation have had time to adapt to the requirements and expectations that the legislation introduced.
As discussed in a previous article, 'What does the CCPA mean for your business?', given the scope of the legislation and its financial penalties, compliance with these privacy measures is essential.
However, while the CCPA created more privacy protections, the push for more hasn't stopped. On November 3rd, 2020, the Californian electorate voted to enact further data privacy legislation when they approved Proposition 24, the Californian Privacy Rights Act, or CPRA.
This new act is due to be effective in January 2023; however, while that may seem a significant time away, managing your risks where privacy is concerned is an ongoing process. Understanding what the CPRA means for your business now gives you time to enact an appropriate response to ensure compliance at the time of its introduction. We begin with what the CPRA is and who it affects.
An Overview of CPRA
CPRA sets out to make changes to a broad range of CCPA requirements. Much of it is intended to provide clarity and more effective risk management for businesses regarding data privacy. However, one thing that doesn't change is who is affected. If your business is covered by CCPA legislation, as outlined in our earlier piece, then the new CPRA legislation will also apply to your business operations.
Think of CPRA as a kind of CCPA version 2.0, with one of the most significant changes being the establishment of a dedicated privacy enforcement agency at the state level. Following the European Union example, and with no similar agency at the national level within the United States, California has decided to create a state enforcement agency, the Californian Privacy Protection Agency, which will be solely responsible for enforcing CPRA.
Other new components of CPRA that mirror those of the GDPR include:
The Right to Rectification – A consumer has the right to have inaccurate personal information corrected and updated as appropriate.
The Right to Restriction – Consumers will have the right to limit the use and disclosure of sensitive personal information.
Extra emphasis on data discovery and controls is necessary, as these measures increase the risk for businesses that share information, across all of the data they hold.
The legislation adds a category of data, Sensitive Personally Identifiable Data, which will have additional data privacy expectations for consumers. Such data includes specific identifiable information, such as a social security number, gender, sex, religion, etc.
Businesses will also be obliged to protect the privacy of all employees and independent contractors. While the legislation provides data privacy for those employees, it differs slightly from the measures applied to consumers and will require its own set of policies to comply.
Another area where there are new expectations for businesses is consent. Companies are required to provide adequate notice about data usage, including where automated decision making is used to process data. Importantly, this must be explained in advance of the processing.
Similarly, there are now more stringent penalties for children's data misuse, tripling the financial penalty, and adding a new approach to consent management that gives parents improved control.
Data Privacy for the Future
Several policies within the CPRA build on lessons learned from the CCPA. One gives the agency greater authority to prevent attempts to get around the privacy laws in place, an area where the CCPA was clearly weak.
Additionally, the legislation provides flexibility for lawmakers, giving a framework for updating and adding privacy laws to ensure that this legislation remains current over time rather than requiring a complete rewrite, as we see here. For those involved in privacy protection, including data discovery and data masking, this means an ever-changing environment that needs a flexible approach for privacy tools and solutions to ensure compliance.
With just a year and a half until it becomes law, data privacy affects every aspect of business operations and can become complicated exceptionally quickly. By preparing today, you have time to fully implement any compliance processes before the new legislation launches, avoiding the problems that rushed rollouts of new systems generate.