What businesses need to know about CPRA

CPRA is a new piece of data privacy regulation in California, affecting companies located anywhere who do business with California residents. It passed on the November 2020 state ballot and officially goes into effect July 1, 2023.

A little more than three years after the California Consumer Privacy Act (CCPA) was enacted, the CPRA builds upon its predecessor and addresses a few provisions where the first piece of legislation was lacking. The CPRA was actually intended to appear on the 2018 ballot, but was pulled at the last minute in exchange for the less restrictive CCPA.

This is just one of a growing number of privacy regulations taking hold in many states and countries around the world. According to a Pew Research study, 81% of Americans think the potential risks of data collection by companies outweigh the benefits. As consumers learn more about the potential risks to the information they share with companies, they are becoming more vocal about their expectations.

Your organization is subject to CPRA requirements if it:

• Earned $25 million in gross revenue the previous calendar year;
• Processes the data of more than 100 thousand consumers; or
• Earns more than 50% of revenue from the sale of personal information.

Just about every department leader needs to be familiar with this law, because it impacts them all—from product development and HR to information security and records management. It will also require close involvement from the legal and compliance departments.

The law includes multiple disclosure requirements on the use and sharing of personal information, and marketers should be able to demonstrate transparency as to their use of that information and compliance with the law.

For companies that need to adhere to CPRA, these are the changes and enhancements from the CCPA that you need to know about:

1. The legislation calls for the creation of the California Privacy Protection Agency (CPPA), which is tasked with enforcing the CPRA and other state privacy regulations. In GDPR terms, the CPPA would be a supervisory authority. Organizations (and especially their third-party vendors) should expect to be much more closely watched by the law than they were under the CCPA.
2. It creates a new category of personal information called special personal information (SPI) that merits its own unique protections, including stricter restrictions on its use. Examples of SPI are:
   • Social Security numbers
   • Precise geolocations
   • Biometric data
   • Contents of consumers’ private communications, such as emails or texts
3. There is a “positive” information security mandate, meaning that businesses are required to implement proactive risk-based controls, such as encryption and multi-factor authentication, over personal information like user log-in credentials, rather than merely punishing companies after a breach due to a lack of such controls.
4. Data subjects now have expanded rights over their personal information, giving them the rights to correct their data, limit the use and disclosure of their SPI, and request information about automated decision-making with the ability to opt out of the process.

With these new components of CPRA outlined and understood, you should be in a better position to take effective action toward compliance.

As mentioned above, CPRA builds upon CCPA. A weakness of CCPA was that the California legislature could have watered down the requirements of the statute if it became politically expedient to do so. As a constitutional amendment, the CPRA doesn’t suffer from that weakness.

In addition, the CCPA contained some gaps, such as the inability to amend one’s personal information, minimal application to service providers, and no restrictions on marketing abuses, such as cross-context behavioral advertising. The CPRA bans advertising deemed to use “profiling” tactics.

It’s unlikely you will be starting from scratch to comply with CPRA. If a business is compliant with the European Union’s GDPR, it is likely pretty close to being CPRA compliant as well. However, you still have some tasks to complete, such as addressing the “do not sell my personal information” mandates. Specifically, you will need to put two links on your website:

• If a business sells or shares consumer personal information (outside of some narrow exceptions), it must put a Do Not Sell or Share My Personal Information link on its website.
• If a business uses or discloses sensitive personal information (also outside of some narrow exceptions), it must put a Limit the Use of My Sensitive Personal Information link on its website.

Your web development team should be able to put these in place well ahead of the deadline.

The time to begin preparing for CPRA compliance is right now. In order to fulfill the requests of the aforementioned website notices and execute other CPRA requirements, like creating more robust policies for data processing and retention, your organization first needs to evaluate its existing data. How much time this takes will vary, depending on factors like the amount of data you possess and which tools you have in place to process it all.

The following are some guidelines for your preparations.

Evaluate your data inventory

Businesses should take a fresh look at the personal information they’re collecting or processing and determine if they truly still need all of it. Under CPRA, you cannot keep data longer than “reasonably necessary for that disclosed purpose.” You will need to assess how long you currently keep data and what you can consider reasonably necessary. In the U.S., businesses have traditionally collected every bit of information they could, even if they didn’t need it all. Today, that unnecessary data is just a liability under modern data protection laws.

A data inventory will, when properly developed and maintained, give data protection professionals the information they need to understand the state of their data protection program at any given time, including unnecessary information.

Map how data moves across your organization

Once you’re aware of the data you possess and where it lives within your organization, you need to understand how it’s being used and shared, especially with third parties. With the CPRA’s new SPI categorization, certain pieces of data can’t move around as they once could, nor can they exist without a certain level of security measures applied. This will enable you to create a privacy policy that clearly discloses your reasons for collecting and using consumer data.

Keep in mind that you’re responsible for your third parties, who will now be closely monitored by the CPRA’s supervising body. You’ll need to update any agreements with them, ensuring they’re equipped to securely process your sensitive data and can do so within the confines of your privacy policy.

Create processes to fulfill data subject rights requests

Because a key feature of CPRA is enhancing data subjects’ rights over their personal information, your organization needs to have processes in place that enable you to fulfill their access, change, deletion, and opt-out requests in a timely manner. These capabilities should already be set up to a degree, since the CPRA’s predecessor, CCPA, as well as the GDPR, grant similar rights. As data privacy legislation evolves in the upcoming years, it’s safe to assume that these rights will evolve as well, and having a process in place that can shift alongside them will make compliance that much easier.

Tools you will need

Data discovery software tools with capabilities for classifying, monitoring, and remediating sensitive data can make the process of preparing for CPRA compliance go more smoothly. Businesses will need technology that enables them to identify in-scope personal information wherever it exists in their information ecosystem. It’s common for businesses to be surprised when they develop a data inventory and discover systems that store or process personal information that they didn’t know about.

Once located, context-rich tags can ensure both personal information and the new category of sensitive personal information get the proper levels of protection they require. This detailed labeling also enables you to closely monitor this data so behavior that violates CPRA requirements can be swiftly identified, and any modifications or duplications can be just as efficiently remediated.

In addition to intelligent technology, the final component of your CPRA preparation toolkit is a team of skilled IT, security, compliance, and legal professionals working together toward your goal.

It’s a very good bet that with the CPRA as our default national data protection standard, we’ll see most states follow suit over the next five years. In fact, similar laws in Virginia (the Consumer Data Protection Act) and Colorado (the Colorado Privacy Act) are already in motion to go into effect around the same time as the CPRA. By getting started now with assessing the state of your company data and putting these privacy measures in place, you should be well positioned to handle any future laws that pass in the next few years.

Spirion is the critical first step toward data privacy, security, and compliance. We build and deliver the most accurate data discovery and classification solutions on the planet, positioning our customers for unparalleled success in meeting the numerous requirements of strict privacy laws like the CPRA.