California Privacy Rights Act (CPRA): What to Know
On November 3, 2020, California voters approved Proposition 24, establishing the California Privacy Rights Act (CPRA) as the most comprehensive consumer data privacy law in the United States. Commonly referred to as the CCPA 2.0, the law amends the California Consumer Privacy Act (CCPA) and expands the rights of California residents beginning on January 1, 2023.
What Will Change Under the CPRA?
While the CPRA won’t take effect until 2023, the law builds on the foundation of the CCPA and aims to enhance consumer privacy protections, as well as the obligations for companies and organizations that process personal information. There are a number of changes that organizations will need to become familiar with, but below are some specific changes to pay attention to:
- Employee and Independent Contractor Data: Under the CPRA, the obligations of companies and organizations to protect the privacy rights of their employees and independent contractors are delayed until January 1, 2023. Originally supposed to be in effect in 2021, the CPRA expands the moratorium on employee and contractor data, giving the governing body and organizations time to prepare.
- Redefining of Key Words: One of the major changes is the redefinition of key words, focusing on the meaning and scope of “business” and “breach,” to remove some of the ambiguity the CCPA had been criticized for.
- Establishment of California Privacy Protection Agency (CPPA): The CPRA would create the first agency in the United States dedicated solely to privacy: the California Privacy Protection Agency. Comprising a five-member board with expertise in privacy and data security, the CPPA will be in charge of creating public awareness about the upcoming amendment, as well as providing guidance to businesses and consumers. This governing body will be key to keeping privacy laws up to date over time, enabling the law to remain current and applicable.
- Power of the CPPA: The CPRA grants the governing body the authority to prevent future attempts by businesses to avoid or not comply with the CPRA. One of the major reasons for the creation of the CPRA was that the CCPA was targeted by businesses and lobbyists in an attempt to remove some of the “teeth” the law had. This provision addresses that concern in the hopes of preventing business interference in the future.
These are just a small sample of the changes under the CPRA. Representing the next generation of consumer data privacy laws, the CPRA is the next step for the world’s fifth-largest economy to protect its residents and make the companies that do business in California more responsible with all forms of consumer data.
GDPR Concepts the CPRA Will Introduce
The CCPA was already often referred to as the “American GDPR” and the CPRA will further this by introducing several changes to consumers’ rights and the definition of personal information. With the implementation of the CPRA, the following concepts will be introduced:
- Right to Rectification: Under the CPRA, consumers have the right to request that organizations correct inaccurate information. Additionally, a business that collects personal information about consumers must disclose the consumer’s right to rectification.
- Right to Restriction: The CPRA grants consumers the right to limit the use and disclosure of their sensitive personal information, and businesses must notify a consumer if they intend to use it beyond specified purposes.
- Sensitive Personally Identifiable Information: Not all personally identifiable information (PII) will be created equal under the CPRA, as it introduces a new category of data known as “sensitive personal information.” While the definition is broad, it applies to things like log-in credentials, financial account information, precise geolocation, contents of certain types of messages, genetic data, racial or ethnic origin, religious beliefs, biometrics, health data, and data concerning sex life or sexual orientation.
These changes illustrate the evolution of consumer data privacy not just in the United States, but across the world. As consumers continue to interact, shop and share online, they are creating digital twins of themselves that businesses can use to get a better understanding of their target audience and customers. However, it is imperative that organizations take the time to understand the nuances of the CPRA or they run the risk of a compliance breach or loss of customer trust.
How Businesses Should Prepare for the CPRA
For businesses now looking to prepare for the CPRA implementation date, there are several steps to take. For starters, organizations will need to know if they are subject to the provisions within the CPRA. A good rule of thumb is that if your organization is subject to the CCPA, then you likely will also need to achieve CPRA compliance.
Next, know the key dates. For the CPRA, organizations will need to achieve compliance by July 1, 2023, three years following the CCPA enforcement date. But organizations should also keep in mind that the CPRA has a “look back” clause that applies to all data collected starting on January 1, 2022. So starting your compliance journey early and effectively will be critical to avoiding falling victim to this look back period.
And of course, businesses looking to achieve CCPA compliance and prepare for the CPRA must have the right tools in place to ensure compliance, starting with data discovery. By taking a no-assumptions approach to data discovery, organizations will gain a more holistic view of their data management strategies and locate missing or sensitive data, because the CPRA doesn’t differentiate between the data you know you store and the data you don’t know about.
Ground Labs’ premier and award-winning data discovery software Enterprise Recon is able to detect over 300 types of structured and unstructured data, including CCPA-specific PII patterns. With the ability to map data across networks, servers, and platforms and demonstrate CCPA and CPRA compliance with custom reporting, your organization can proactively prepare for any data security challenge that comes your way.
If you are interested in learning more about the nuances and impact of the CPRA on the evolution of data privacy, check out my latest in Risk Management Magazine here.
Ready to learn how Ground Labs can help you and your organization begin the path to CCPA and CPRA compliance? Schedule a demo today to find out more.