A Brief Overview of the CPRA for Data Security and Privacy Professionals
Published 04/19/2023
Originally published by Laminar.
Written by Orin Israely, Product Manager, Laminar.
The new year brought in new changes to the California Consumer Privacy Act (CCPA) under the California Privacy Rights Act (CPRA). What does that mean for data security and privacy professionals? Here are the pertinent details you need to know. Note: This is just our brief, informational summary, not legal advice. You should consult your attorney for details on your legal obligations.
When did the CPRA take effect?
The California Privacy Rights Act (CPRA) went into effect on January 1, 2023. As an amendment to the California Consumer Privacy Act (CCPA), the CPRA provides additional protections for California residents’ personal information.
What other changes were instituted on January 1?
Prior to Jan. 1, employees, contractors, emergency contacts, and others were exempt from the CCPA. Now any California resident is covered by the CCPA, which means businesses must be concerned not only with the privacy of their California-based consumers but also with that of their California-based employees, contractors, and emergency contacts. In addition, businesses must understand which PII is employee data and which is consumer data.
When will enforcement of the CPRA begin?
While the CPRA went into effect January 1, 2023, enforcement will not begin until July 1, 2023, and enforcement will apply only to violations occurring on or after that date. In the meantime, however, the CCPA’s provisions remain in effect and enforceable.
How does the CPRA expand on the CCPA?
The CPRA expands the definition of personal information. Under the CCPA, personal information is defined as “information that identifies, relates to, or could be reasonably associated with a particular consumer or household.” Under the CPRA, consumers now have the right to limit a business’s use and disclosure of their “sensitive personal information,” thus expanding the scope of data covered by the CCPA to include:
- Government identifiers (for example, Social Security Number or driver’s license number)
- Financial information
- Precise geolocation
- Biometric information
- Health information (such as health conditions or sexual orientation)
- Racial or ethnic origin and beliefs
The CPRA also gives California residents several additional rights, including:
- The right to correct inaccurate personal information
- The right to limit the use of sensitive personal information
- The right to opt-out of the sharing of this information for targeted advertising
- The right to bring a lawsuit against a business if their non-encrypted and non-redacted sensitive personal information is accessed, exfiltrated, or destroyed without authorization
The CPRA also requires businesses to conduct data protection assessments and to appoint a data protection officer, if certain conditions are met. These requirements are intended to help ensure that businesses are taking the necessary steps to protect personal information and to respond promptly to data breaches.
Finally, the CPRA strengthens enforcement and penalties for violations of the law. It gives the California attorney general more power to enforce the law and increases the fines for non-compliance.
What rights do California residents have under the CCPA?
The CCPA creates six specific rights for California residents as consumers:
- The right to know what information a business collected about them, why they collected it, where or from whom it was collected, and, if it was sold, to whom
- The right to delete personal information collected from them (with exceptions)
- The right to opt-out of the sale of personal information (if applicable)
- The right to opt-in to the sale of personal information of consumers under the age of 16 (if applicable)
- The right to non-discriminatory treatment for exercising any rights under the CCPA (A business cannot lawfully decline to provide goods or services, change the price structure or provide a different quality service or good because a consumer exercised their CCPA rights, unless the personal information is needed for the sale or provision of services.)
- The right to initiate a private cause of action for data breaches
The CPRA creates two additional rights:
- The right to correct inaccurate personal information
- The right to limit use and disclosure of sensitive personal information
As a data security and privacy professional, what should I do?
It all starts with knowing your data and business operations. Do you operate in California? Do you store any sensitive information on California residents? If you do, where and what measures are taken to protect the data and uphold California residents’ rights under the CPRA?
Understanding what personal data you have and how it’s being used is critical for meeting regulatory requirements like the CPRA.