CPRA in 2022: What’s New and How to Prepare

While the California Consumer Privacy Act of 2018 (CCPA) imposed a set of rigorous data handling and privacy standards on organizations doing business in California, the impending implementation of the Consumer Privacy Rights Act of 2020 (known as the CPRA, or more informally, CCPA 2.0) further increases the rigor and scope of data protection. It’s important to take stock of what has happened thus far regarding the CPRA in 2022 as the legislation moves closer to taking effect and how companies prepare to respond.

Let’s review how the CPRA modifies the CCPA, which CPRA 2022 changes have taken place, the industry’s readiness to adhere to CPRA standards, and what you need to do to get ready now and into 2023.

Reviewing the CPRA’s Biggest Changes

Building on the protections afforded by the CCPA to consumers, the CPRA extends protections to employees, job applicants, and contractors. Starting on January 1, 2023, people in any of these categories can have their information retrieved, modified, or deleted.

Additionally, users will be able to make more requests regarding their data. This includes the right to correct inaccurate information and restrict the usage and disclosure of sensitive personal information. “Sensitive personal information” is a new category that provides for Social Security numbers and genetic information.

While the CCPA applies to three categories of firms (businesses, service providers, and third parties), the CPRA adds the fourth category of “contractor.” This applies to firms that offer services that rely on another firm’s data without directly benefiting the other firm. While generally similar to service providers, contractors must also sign a certification that they understand and agree to abide by the CPRA’s requirements.

Finally, the CPRA mandated the creation of the United States’ first dedicated privacy agency, the California Privacy Protection Agency (CPPA). Establishing the CPPA was intended in part to better protect state legislation like the CCPA against lobbyists and business interests that pushed against it.

Reviewing CPRA 2022 Updates

California is moving steadily toward implementing the CPRA mandates as expected, and companies must be aware of CPRA 2022 changes.

As dictated by the CPRA, the CPPA established its first chair, Jennifer M. Urban, in March 2021. With the period for public feedback closed, the agency is now finalizing the legislation that will go into effect to transition current privacy laws into those established by the CPRA.

Most importantly, the “lookback period” for CPRA began on January 1, 2022. This means that come 2023, any parties given rights by the CPRA can request any applicable data types going back as far as the start of 2022, in line with the CCPA’s current 12-month lookback policy. While in the future, companies may need to provide records going back further than a year, the CPRA guarantees that the start of 2022 will be the earliest date ever required for these requests.

As a result of the “lookback period,” companies need to ensure they know what information they are collecting and storing on employees and other impacted parties, the ability to locate and identify sensitive personal information, and a clear understanding of whether their contractors will be able to sign the appropriate certification and comply with the CPRA.

How to Prepare for the CPRA in 2022

It’s urgent for any company that does business in California to meet the CPRA requirements if they don’t want to be penalized — yet many are still struggling to get started. A survey by Osterman Research revealed that only a third of firms were CPRA compliant as of December 2021, and research conducted by the firm CYTRIO revealed that more than half of all firms remained non-compliant at the end of June 2022. In fact, the Osterman survey showed more than 60% of firms weren’t yet compliant with the CCPA, even though the first fines for CCPA noncompliance have already been issued.

Simply assuming you know where your data resides isn’t sufficient for CPRA compliance because many firms have discovered their assumptions are inaccurate. Even if your organization does not know data is hiding on a device or the cloud, you are still responsible for providing that data upon request. As a result, the first and most fundamental step toward CPRA compliance is data discovery across your networks, servers, and platforms.

You must have a company-wide understanding of the exact data you have stored to assess your readiness for compliance, set up employee training programs for best practices, or ensure data privacy experts are using their time effectively. Enterprise Recon by Ground Labs provides accurate, fast, and thorough data discovery capabilities that prepare organizations for compliance with CPRA in 2022 and beyond.

Companies must give special attention to “sensitive personal information,” which means you must be able to distinguish between the various kinds of personal information you store. Enterprise Recon can identify more than 300 types of structured and unstructured data, so you will know precisely what data you have and what needs to be done with it.

Just as important as complying with CPRA rules is communicating that you have done so to build trust in your organization. Now that CPRA is expanding data privacy rights to employees and applicants in addition to consumers, organizations with poor adherence to data best practices will struggle to retain and attract talent. Enterprise Recon’s custom reporting can help you prove your readiness to stakeholders, employees, and customers as they count on your organization to keep their data safe.

Schedule a demo to learn how Ground Labs can help you and your organization begin your path toward CCPA and CPRA 2022 compliance.