CCPA 2.0 – The Dawn of the CPRA and How It Applies to Your Business
January 05, 2021
California is expanding on the ground-breaking California Consumer Privacy Act (CCPA) when Proposition 24, or the California Privacy Rights Act (CPRA), comes into effect on January 1, 2023. The new regulation was voted into law on November 3, 2020, with over 55% of votes cast in favour of the measure, and will create additional privacy rights for California’s consumers as well as obligations on certain businesses.
The law will be enforced from July 1, 2023 by a first-of-its-kind agency, the California Privacy Protection Agency (CPPA), which will be responsible for building public awareness of privacy risks while providing businesses and consumers with guidance on privacy.
So, what does this all mean for businesses? What changes will the CPRA bring and how can they be managed?
What’s New in This Legislation?
The most obvious change is the newly defined “sensitive personal information” (SPI) data category and regulatory guidance on how to limit its use and disclosure. SPI includes details like Social Security numbers, account login credentials, financial account information, and data regarding sexual orientation. It’s similar to the General Data Protection Regulation’s “special categories of personal data” and puts further restrictions on how businesses deal with this information.
The CPRA also brings in higher fines for violations involving children’s data and codifies Fair Information Practice Principles (FIPPs) regarding data quality, data minimization, security safeguards and use limitation.
Crucially for many businesses, the CPRA puts in place a higher threshold for applicability. To qualify as a business that’s subject to the CPRA, you must now collect or deal with information from over 100,000 households or consumers, up from the 50,000 stipulated by the CCPA.
Does It Affect You?
The first step in determining what your business needs to do is to check if the CPRA applies to you, particularly in light of the higher threshold. It’s important to remember that the CCPA still applies until 2023, so any changes won’t come into effect immediately.
Now is the time to prepare if the CPRA does apply to you. There’ll be no rush to get ready for the 2023 deadline and less risk of falling foul of the CPPA if you put in the groundwork today.
How Can Your Organization Get Prepared?
You should begin by assessing the data you already hold and the data handling practices you employ within your business. It’s imperative to identify and isolate data categories that have been named as SPI under the CPRA, and to look at how that data is managed. Maintaining records and completing regular risk assessments and cyber security audits for high-risk data are mandated in the CPRA, so nothing should be left to chance.
The CPRA extends the reach of the CCPA, expanding the breadth and depth of access and deletion rights that are currently in place. It’s crucial for businesses to stay up-to-date with proposed changes by monitoring how these will impact their organizations. Firms can get ahead of the game by putting the right processes and procedures in place now.
As California continues to lead the conversation on data privacy in the United States, businesses that develop the right strategies and systems to keep pace with the ever-evolving data privacy landscape will achieve robust regulatory compliance. This demonstrates a real commitment to safeguarding customer data, helping to nurture and sustain increasingly important long-term customer relationships.
For more information on how the Aptean Respond team can help you navigate the data privacy landscape, contact us now.