Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

A Brief Overview of the CPRA for Data Security and Privacy Professionals

Home
Industry Insights
A Brief Overview of the CPRA for Data Security and Privacy Professionals

Blog Article Published: 04/19/2023

Originally published by Laminar.

Written by Orin Israely, Product Manager, Laminar.

The new year brought in new changes to the California Consumer Privacy Act (CCPA) under the California Privacy Rights Act (CPRA). What does that mean for data security and privacy professionals? Here are the pertinent details you need to know. Note: This is just our brief, informational summary, not legal advice. You should consult your attorney for details on your legal obligations.

When did the CPRA take effect?

The California Privacy Rights Act (CPRA) went into effect on January 1, 2023. As an amendment to the California Consumer Privacy Act (CCPA), the CPRA provides additional protections for California residents’ personal information.

What other changes were instituted on January 1?

Prior to Jan. 1, employees, contractors, emergency contacts, and more, were exempt from the CCPA. Now, any California resident is covered by the CCPA, which means businesses not only have to be concerned about the privacy of their California-based consumers, but also for their California-based employees, contractors, and emergency contacts. In addition, businesses must understand which PII data is employee data versus consumer data.

When will enforcement of the CPRA begin?

While the CPRA went into effect January 1, 2023, enforcement will not begin until July 1, 2023, and enforcement will apply only to violations occurring on or after that date. In the meantime, however, the CCPA’s provisions remain in effect and enforceable.

How does the CPRA expand on the CCPA?

The CPRA expands the definition of personal information. Under the CCPA, personal information is defined as “information that identifies, relates to, or could be reasonably associated with a particular consumer or household.” Under the CPRA, consumers now have the right to limit a business’ use and disclosure of their “sensitive personal information,” thus expanding the scope of data covered by the CCPA to include:

  • Government identifiers (for example, Social Security Number or driver’s license number)
  • Financial information
  • Precise geolocation
  • Biometric information
  • Health information (such as health conditions or sexual orientation)
  • Racial or ethnic origin and beliefs

The CPRA also gives California residents several additional rights, including:

  • The right to correct inaccurate personal information
  • The right to limit the use of sensitive personal information
  • The right to opt-out of the sharing of this information for targeted advertising
  • The right to bring a lawsuit against a business if their non-encrypted and non-redacted sensitive personal information is accessed, exfiltrated, or destroyed without authorization

The CPRA also requires businesses to conduct data protection assessments and to appoint a data protection officer, if certain conditions are met. These requirements are intended to help ensure that businesses are taking the necessary steps to protect personal information and to respond promptly to data breaches.

Finally, the CPRA strengthens enforcement and penalties for violations of the law. It gives more power to the California attorney general to enforce the law and increase the fines for non-compliance.

What rights do California residents have under the CCPA?

The CCPA creates six specific rights for California residents as consumers:

  1. The right to know what information a business collected about them, why they collected it, where or from whom it was collected, and, if it was sold, to whom
  2. The right to delete personal information collected from them (with exceptions)
  3. The right to opt-out of the sale of personal information (if applicable)
  4. The right to opt-in to the sale of personal information of consumers under the age of 16 (if applicable)
  5. The right to non-discriminatory treatment for exercising any rights under the CCPA (A business cannot lawfully decline to provide goods or services, change the price structure or provide a different quality service or good because a consumer exercised their CCPA rights, unless the personal information is needed for the sale or provision of services.)
  6. The right to initiate a private cause of action for data breaches

The CPRA creates two additional rights:

  1. The right to correct inaccurate personal information
  2. The right to limit use and disclosure of sensitive personal information

As a data security and privacy professional, what should I do?

It all starts with knowing your data and business operations. Do you operate in California? Do you store any sensitive information on California residents? If you do, where and what measures are taken to protect the data and uphold California residents’ rights under the CPRA?

Understanding what personal data you have and how it’s being used is critical for meeting regulatory requirements like the CPRA.

PrivacyComplianceLegal

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Certificate of Cloud Auditing Knowledge (CCAK)
The industry's first global auditing credential.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Join AT&T Cybersecurity in Chicago
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Upselling Cybersecurity: Why Baseline Security Features Shouldn’t Be a Commodity

Published: 04/24/2024

Understanding the Nuances: Privacy and Confidentiality

Published: 04/22/2024

How to Set Your Small Privacy Team Up for Success

Published: 04/17/2024

How to Audit Your Outdated Security Processes

Published: 04/16/2024