As a business leader, your primary focus should be meeting consumer needs exceptionally well to keep them coming back. Traditionally, this meant offering impeccable products at the right price.
However, you need to offer a lot more to win modern-day consumers. For instance, your brand needs relatable values, and the consumer journey must be smooth and desirable. And with the recent issues with cybersecurity and data breaches, consumers need to know they can trust you with their data.
According to a Pew Research report, concern about companies' data usage is widespread among Americans, with 79% expressing anxiety on the issue. As a result, most consumers are only willing to share their data with brands.
To help protect its residents, California has taken a progressive and stern approach to data privacy regulation. At the forefront of such efforts is the California Consumer Privacy Act (CCPA), which was passed in 2018 and came into effect in January 2020.
But in the future, businesses targeting California residents will also have to comply with stricter regulations under the California Privacy Rights Act (CPRA) of 2020, an extension of the CCPA.
Considering the impact and potential ramifications, it's important to understand what CPRA entails and prepare for it. In this article, you'll learn all there is to know about CPRA.
Before going into what California Privacy Rights Act will entail for your company, it's vital to look at the current nature of California's privacy regulations. Since CPRA builds on the CCPA, it's important to understand the latter first.
For starters, CCPA was a response to public outcry in the wake of large-scale data breaches. It gives Californian residents more control over their personal information by:
The law applies to any for-profit company that does business in California, regardless of whether they have a physical presence there. And if a company fails to comply, it could be fined up to $7,500 per violation.
CPRA is an extension of the California Consumer Privacy Act, passed by Californian voters in 2020. The law will come into effect in January 2023 and will give Californian residents greater control over their data.
CPRA builds on the already existing regulations set out by CCPA. But it also includes new provisions designed to protect consumer privacy further. For instance, CPRA will:
In addition, CPRA will also expand the definition of personal information to include things like IP addresses, biometric data, and geolocation data.
No, CPRA does not replace CCPA. Instead, it builds on existing regulations to create an even stronger framework for protecting consumer privacy. Businesses that are compliant with CCPA will still need to comply with CPRA when it comes into effect in 2023.
Now that you know the basics of CPRA, take a more detailed look at what the law entails.
As mentioned, CPRA builds on the existing regulations set out by CCPA. But it also includes new provisions designed to enhance consumer privacy protection.
CPRA applies to any for-profit company that does business in California and collects the personal information of Californian residents, regardless of whether they have a physical presence there.
Moreover, under the CPRA, fewer businesses will be required to comply. However, those that fall within its scope will need to do a lot more to achieve compliance.
Once it comes into effect:
Another key change CPRA brings is the expansion of the definition of sensitive personal information. Under CPRA, sensitive personal information will include the following:
This is a significant expansion from the California Consumer Privacy Act, which only included Social Security and driver's license numbers.
The expanded definition of sensitive personal information means businesses must take extra care to protect this type of data. They'll also need explicit consumer consent before collecting, using, or sharing it.
Along with a broader definition of sensitive information, CPRA also expands consumer rights. CPRA will give Californian residents the right to:
These are similar to the rights that CCPA established. But CPRA goes a step further by giving consumers the right to dictate how you use their data.
For instance, under CPRA, if a consumer opts out of having their data sold, you'll need to stop selling it. So, unlike with the California Consumer Privacy Act, it's not about notifying customers about how you're using their data but getting their approval first.
With California's current privacy laws, companies must include a "Do Not Sell My Personal Information" link on the homepage. It should lead to a dedicated page where consumers can exercise their opt-out rights.
With CPRA, you'll also have to add a second link dubbed "Limit The Use of My Sensitive Personal Information." It should lead to a dedicated page where consumers can dictate how you may use their sensitive personal information. Moreover, as long as the customer's intent is clear, you could let them express it in other ways.
The California Privacy Rights Act will create a new state agency, the California Privacy Protection Agency (CPPA), to enforce these rules. The CPPA will have the power to impose fines of up to $7,500 for each violation. And it can also bring civil action against companies that violate the law.
This is a big step considering the California Consumer Privacy Act left enforcement up to the state attorney general's office. The California Privacy Protection Agency will have more resources and be better equipped to handle enforcement than the attorney general's office.
The California Consumer Privacy Act (CCPA) allows consumers to opt out of your ability to sell their data. The California Privacy Rights Act takes it a step further by giving individuals the right to opt out of any disclosure or sharing of their information with third parties, regardless of whether or not it involves payment.
In the age of big data, data profiling is an invaluable asset for companies. It helps them to target ads, personalize content, and improve the customer experience.
However, CPRA will put some restrictions on automated decision-making. Companies will still be able to do it, but they'll need to get explicit consumer consent first. And they'll need to explain how the process works in a way that's easy for consumers to understand.
CPRA will also give consumers the right to correct any inaccurate or incomplete data companies have about them. This is in stark contrast to CCPA, which only allowed consumers to request the deletion of their data.
Now, if a consumer thinks that some of the information you hold about them is wrong, they can contact you and ask you to fix it. If you don't comply with their request, they can file a complaint with the California Privacy Protection Agency.
Under the CCPA, businesses must already provide detailed explanations of the data they collect, how it is used, and whether it is shared with any other parties. But that's not all. For each data category, you must inform the data subject how long you'll retain the data or explain the criteria you use to determine that period.
Furthermore, CPRA will put some restrictions on how long companies can keep consumer data. Companies will only be able to retain data for as long as it's necessary to achieve the purpose for which it was collected.
This is one of the major changes from the California Consumer Privacy Act, which allowed companies to keep data for up to seven years. CPRA will force companies to reevaluate their data retention practices and ensure they're not holding onto data longer than needed.
In addition to the key features of the regulation, CPRA will also make a few other notable changes, including:
The CPRA has been described as the "GDPR of California." And while there are some similarities between the two regulations, there are also some key differences.
First, CPRA is much narrower in scope than GDPR. It only applies to companies that do business in California or process the data of California residents. GDPR, on the other hand, applies to any company that processes the data of EU citizens, regardless of where they are located.
Second, CPRA gives consumers more rights than GDPR. For example, CPRA gives consumers the right to opt out of any disclosure or sharing of their information with third parties, regardless of whether or not it involves payment. GDPR only allows individuals to opt out of their personal data being used for marketing purposes.
Finally, CPRA is much more lenient when it comes to enforcement. The maximum fine for a CPRA violation is $7,500, while the maximum for a GDPR violation is 20 million euros (about $24 million).
The California Privacy Rights Act is the most comprehensive privacy law in the United States. And other states will likely follow California's lead and pass similar laws of their own. This means that CPRA compliance isn't just a good idea; it's essential for businesses that want to stay ahead of the curve.
If your business collects Californian residents' personal information, you must start preparing for CPRA now. That way, when the law comes into effect in 2023, you'll be able to comply easily.
If your business is subject to CCPA, then you're already most of the way there regarding compliance with CPRA. But there are still some key steps you need to take.
Before you can achieve CPRA compliance, you must first determine where you fall short. Conduct a gap assessment to identify areas where your privacy practices don't meet CPRA standards.
Once you know what needs to change, you can update your privacy policy. Make sure your policy is clear and concise and covers all the bases. Include information on what personal data you collect, why you collect it, how you use it, and how long you retain it.
After you've updated your privacy policy, it's time to implement changes to your data handling practices. If CPRA requires you to change how you collect or process data, make sure these changes are reflected in your systems and processes.
Your employees are the key to CPRA compliance. They must be up-to-date on the law and your company's privacy practices. Ensure they know what they can and can't do with personal data and understand CPRA's opt-out provisions.
The California Privacy Rights Act defines sensitive personal information more broadly than CCPA. Sensitive personal information will now include race, ethnicity, sexual orientation, and health data. You need to identify all the ways you collect and use this type of information. Then you can determine whether or not these uses are CPRA-compliant.
A data map will help you keep track of all the personal data you collect, where it comes from, and where it goes. This is a valuable tool for CPRA compliance because it allows you to see at a glance whether or not you're meeting CPRA's requirements.
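One way to make a data map actionable for the retention disclosures and sensitive-data consent requirements discussed earlier is to keep it as a machine-readable inventory and run checks against it. The following Python script is an added example, not code from the original article or from Veritas. The data map, its categories, the retention periods and the sample records are all constructed for illustration; the retention figures are placeholders, not periods the law prescribes.

```python
from dataclasses import dataclass
from datetime import date

# Constructed data map (hypothetical): one entry per category of personal
# information, recording why it is collected, how long it is kept, and
# whether it is treated as sensitive personal information. The retention
# periods are illustrative placeholders, not figures set by the law.
DATA_MAP = {
    "email":       {"purpose": "account login",     "retention_days": 365, "sensitive": False},
    "ip_address":  {"purpose": "fraud detection",   "retention_days": 90,  "sensitive": False},
    "geolocation": {"purpose": "store locator",     "retention_days": 30,  "sensitive": True},
    "health_data": {"purpose": "fitness programme", "retention_days": 180, "sensitive": True},
}


@dataclass(frozen=True)
class Record:
    """One stored item of personal information about one consumer."""
    subject_id: str
    category: str
    collected_on: date
    sensitive_consent: bool = False  # explicit consent captured for sensitive data?


def review_record(rec: Record, data_map: dict, today: date) -> list[str]:
    """Return the compliance issues found for a single record (empty if none)."""
    issues = []
    entry = data_map.get(rec.category)
    if entry is None:
        # A category missing from the data map has no documented purpose or
        # retention period, so nothing can be disclosed about it: flag it first.
        return ["uncatalogued category"]
    if entry["sensitive"] and not rec.sensitive_consent:
        issues.append("sensitive data without explicit consent")
    age_days = (today - rec.collected_on).days
    if age_days > entry["retention_days"]:
        issues.append(f"past retention ({age_days}d > {entry['retention_days']}d)")
    return issues


def review_inventory(records, data_map, today):
    """Map (subject_id, category) -> list of issues for every record."""
    return {(r.subject_id, r.category): review_record(r, data_map, today)
            for r in records}


def retention_disclosure(data_map) -> list[str]:
    """Per-category retention statements of the kind a privacy notice lists."""
    return [f"{cat}: retained up to {e['retention_days']} days for {e['purpose']}"
            for cat, e in sorted(data_map.items())]


# Constructed sample inventory and review date.
REVIEW_DATE = date(2023, 1, 1)
SAMPLE_RECORDS = [
    Record("u1", "email", date(2022, 6, 1)),
    Record("u2", "ip_address", date(2022, 9, 1)),
    Record("u3", "geolocation", date(2022, 12, 20), sensitive_consent=True),
    Record("u4", "health_data", date(2022, 5, 1)),
    Record("u5", "device_fingerprint", date(2022, 12, 1)),
]


def run_review():
    """Review the constructed sample inventory against the constructed data map."""
    return review_inventory(SAMPLE_RECORDS, DATA_MAP, REVIEW_DATE)


if __name__ == "__main__":
    for line in retention_disclosure(DATA_MAP):
        print(line)
    for key, issues in run_review().items():
        if issues:
            print(key, "->", "; ".join(issues))
```

Running the script prints the per-category retention statements and then lists only the records with a problem: the IP address and health record are past their retention periods, the health record also lacks explicit consent, and the device fingerprint belongs to a category the data map never catalogued. The last case is the one a data map is meant to surface, since a category nobody documented cannot be disclosed, retained for a stated period, or deleted on request.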
Under CPRA, businesses must provide customers with certain disclosures before personal data is collected. These include your company's contact information and a description of the customer's rights under CPRA.
You must also get explicit consent from customers before collecting sensitive personal information. So, include the mandated "Do Not Sell My Personal Information" and "Limit The Use of My Sensitive Personal Information" links.
If you share personal data with third parties, you must have contracts that ensure CPRA compliance. These contracts should stipulate that the third party will only use the data for the purpose specified in the contract and that they will protect the data in accordance with CPRA's requirements.
Considering the ramifications of non-compliance, it will be vital to perform privacy risk analyses regularly. And the best way to do this is with tag management software. This software will help you identify and assess risks, so you can take steps to mitigate them.
In addition, tag management software will help you manage consents, track opt-outs, and generate reports. These features will be invaluable as you work to achieve CPRA compliance.
There are several potential pitfalls when it comes to CPRA enforcement and litigation. To avoid these, you must be familiar with the law and your rights and obligations.
Some of the things you should know include:
Data minimization is the practice of only collecting and retaining the data you need for a specific purpose. This is a good CPRA compliance strategy because it reduces the risk of data breaches and unauthorized use of personal data.
Security should be a top priority for any business, but it's especially important when dealing with personal data. CPRA requires businesses to take reasonable security measures to protect personal data from unauthorized access, destruction, or use.
Some of the things you can do to improve your security include:
CPRA compliance may seem like a lot of work, but it's worth it. There are many benefits of CPRA compliance for businesses, including:
With the California Privacy Rights Act looming, it's vital that you enhance your data compliance and governance policies and procedures. As you do this, keep in mind that other data privacy regulations may emerge with time. So, it's not just about complying with CPRA but ensuring you adopt ideal data handling practices.
With this in mind, it's important to have data archiving capabilities to help retain and speed up the retrieval of relevant information. This is where a solution like the Veritas Digital Compliance portfolio comes in handy.
Data archiving helps you index, search, and audit data while ensuring the security and privacy of information.
The portfolio also includes Data Insight which uses machine learning to identify sensitive data across an organization's entire network. This solution gives you visibility into how data is being used, shared, and accessed. As a result, you can take steps to mitigate risks and improve compliance.
CPRA is a complex law with many requirements, and compliance may seem like a lot of work, but it's worth it. Conduct a gap assessment to identify areas where your privacy practices don't meet CPRA standards and update your privacy policy to reflect the new law.
Contact us today to learn more about how we can help keep your organization in compliance.