On January 1, 2023, the California Privacy Rights Act (CPRA) will formally come into effect and replace the existing California Consumer Privacy Act (CCPA). For businesses, this means a laborious process of revising and assessing current data policies and practices to ensure compliance with the upcoming law.
The CPRA represents an update over the CCPA as it introduces a host of new obligations and responsibilities for businesses while giving consumers more rights over their data.
However, the path to CPRA compliance may not be as tricky for businesses, provided they take proactive measures that increase their chances of compliance and help them honor their obligations more effectively.
Hence, here are five actionable steps that businesses can take to achieve compliance with the CPRA moving on from the CCPA:
1. Annual Risk Assessments & Cybersecurity Audits
One of the highlights of the CPRA coming into effect is the mandate requiring regular and independent cybersecurity audits in cases where an organization regularly processes personal information on consumers that may pose considerable risk to their privacy or security.
Additionally, organizations involved in processing such personal information or sensitive personal information that pose such a high risk are required to perform regular risk assessments of their internal security mechanisms similar to the Data Protection Impact Assessment (DPIA) in the GDPR.
Conducting such assessments and audits is not only a regulatory requirement, but doing so regularly and vigorously will give organizations vital insights into the capability of their existing procedures and mechanisms to protect their consumers’ data adequately. Moreover, such insights are vital in highlighting and eliminating any potential blindspots that may pose any sort of threat to users’ personal information.
2. Map Your Data & Its Sources
As far as adjusting your data practices to ensure compliance with CPRA is concerned, this might arguably be the most important part. It would be highly recommended for a business to conduct a rigorous data mapping exercise to gain real-time insights related to their data inventories.
This is important to ensure that organizations have a complete understanding of their data inventories as well as the readiness to ensure such data is prepared to handle consumer data requests.
Similarly, a business may want to conduct a vendor risk assessment to ensure their third-party service providers have similarly adequate data protection mechanisms in place to make your CPRA compliance easier.
If any discrepancies are discovered, you can proactively work on eliminating them promptly or look for alternatives.
3. Effectively Handle Consumer Requests
While the CCPA guarantees consumers a range of data rights, such as the right of access, right to know, right to deletion, and right to opt-out of the sale of their data, the CPRA expands upon these rights even further.
Per the CPRA, consumers will have additional rights to rectification, portability, limit the use and disclosure of their sensitive personal data, as well as expansion to the right to opt-out of the sale or sharing of their personal information. It is also important to note that an organization’s employees will have the same rights against their organizations.
Hence, it would be highly advisable for organizations to have a robust and efficient mechanism in place to handle consumer requests related to their data. The best way to do that is via automation. Having a reliable DSR automation solution in place would enable you to handle all consumer requests effectively and fulfill them within the periods mandated, as well as keep a detailed record of such requests for documentation and compliance needs.
4. Understand the Widened Scope
As mentioned above, the CPRA expands upon the CCPA in more ways than one. The introduction of SPI and giving consumers the right to limit the sale or sharing of their personal information are some of the highlights.
Personal information such as racial and ethnic origins, social security numbers, biometric information, and geolocations are all covered under SPI.
SPI also requires specific data protection mechanisms such as data minimization and retention requirements to ensure SPI is only collected when absolutely necessary and disposed of properly when no longer of use or consented to by the consumer.
5. Implement Do Not Sell or Share My Information Mechanisms
One of the CCPA’s primary criticisms was the fact that organizations were left free to loosely interpret the “Do Not Sell” requirements of the CCPA. This ambiguity raised questions about whether consumers’ data was being afforded the degree of protection it should.
- The CPRA eliminates any such ambiguity by requiring businesses to have a “Do Not Sell or Share” link on their websites. Additionally, businesses must adequately educate consumers about this right and what their decisions would mean.
As mentioned earlier, lapses in complying with the CPRA’s new obligations can lead to heavy financial and reputational losses. Hence, it would be pertinent for businesses to adjust their practices and arrangements with third-party vendors and service providers to ensure no selling or sharing of personal information that may be adverse to the requirements set by the CPRA.