CPRA Passed on the California Ballot: What to Add to Your CCPA Compliance Checklist Dec 1, 2020
The world at large is facing a privacy paradox. With personal data used more and more for everything from unlocking a phone to downloading an app, the public is increasingly aware of the risks of sharing data online. Unfortunately, individuals continue to share personal data. Largely because we have to: Individuals are required to give up certain personal data simply in order to interact in the modern world.
While a Deloitte survey found that 91 percent of consumers agree to terms of service without actually reading them, more companies are legally required to get explicit user consent to gather—or keep—a user’s personal data, show what has been gathered, and offer the opportunity to delete personal data on request. All together, this ideally creates a higher standard for consent.
Different laws and mandates around the world have been pushing for this higher standard, such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Earlier in November, the majority of Californians voted to add the California Privacy Rights Act (CPRA), proposition 24, to CCPA. While some are calling this new proposition CCPA 2.0, others liken it more to a California version of GDPR, highlighting data minimization, purpose limitation, and storage limitation.
Extensive Personal Data Protection with CCPA
Passing CPRA pushes California even further ahead of the rest of the United States with regard to data privacy legislation, making CCPA one of the strongest privacy laws in the country. With CCPA, Californians have the right to know what personal data businesses collect and store, and have the additional right to dictate if their data will be sold to anyone else.
Under CCPA, Californians can:
- Restrict the use of sensitive personal information
- Request corrections of inaccurate personal information
- Prevent companies from storing their personal data longer than necessary
- Limit companies from collecting more data than is necessary
- Have insight into what personal information is sold or shared and to whom, and choose to opt-out of sale and sharing
- Be protected against retaliation from employers for exercising their privacy rights
CCPA was passed back in 2018 and went into effect on January 1, 2020. While it is technically only state law, the Act affects all American businesses the same way GDPR impacts companies who do business in the EU while located physically elsewhere.
Building on CCPA and Closing Loopholes with CRPA
CPRA expands even further on the privacy rights of CCPA, and additionally closes some of the loopholes that some companies—such as social media giant Facebook—were using to claim exemption from following CCPA.
In addition to the rights afforded to Californians by CCPA, adding CPRA also:
- Allows individuals the right to tell businesses what personal data they can and cannot use, such as sensitive information like race, religion, or sexual orientation
- Tightens controls so that “do not sell” includes the action of sharing data between companies
- Triples violation fines if any affected consumer is under the age of 16
- Establishes the California Privacy Protection Agency to ensure these measures are fully enforced
Adding to the CCPA Compliance Checklist
Proposition 24 goes into effect on January 1, 2023, with all measures fully enforceable by a dedicated agency on July 1, 2023, giving businesses two years to interpret and build systems that will enable them to comply with these expanded consumer privacy rights. And while this privacy act is only enacted in the state of California, like the original CCPA ruling, it will impact all organizations that have data on or do business with Californians.
Therefore, within the next two years, organizations that fall within those criteria will need to stand up solutions that can:
- Detect and protect all relevant data elements
- Manage consumer requests to minimize data
- Track necessary retention limits
- Find incorrect data and prove that corrections have been completed
- Locate and protect information for minors under the age of 16
From this list, it’s clear that an interesting shift with CPRA is that it applies to data elements within a record, and not the full record itself. Information can be added to a record at any time, and data discovery tools will need to be able to report on changes at the element level. This increasing granularity in privacy data management is not going away, and will likely become more widespread because of CPRA and other regulations like it.
Stand Up Additional Compliance with Help from Dataguise
There’s no doubt that more pre- and post-breach controls are needed than ever before because of the volume and type of personal data that we now exchange in order to live in the modern world. So too is more compliance enforcement needed to protect that volume of data. And that’s where Dataguise comes in. With the ability to discover, classify, protect, and delete specified data elements per CPRA regulations, our solutions can keep your business safe, and your customers’ personal data safer.
See our data privacy solutions in action. Request a free demo now.