Last year, the California legislature passed the CCPA – the California Consumer Privacy Act – into law. Its goal is to protect consumers whose data is collected and processed by businesses and other organizations during the course of their internet activity. In the last year, it wasn’t just Californians who experienced the impact of the new California data privacy laws. All companies nationwide with California customers in their data systems had to rapidly bring their data privacy practices up to the law’s standards.
But now, there’s a whole new law on the table. The CPRA, or California Privacy Rights Act, expands on the CCPA by introducing additional detailed requirements for businesses that process consumer data and creating a whole new agency to handle privacy compliance and the enforcement of data privacy laws.
There are plenty of differences between the two laws that businesses need to be aware of. Here are the top 5 changes your company might need to make to get from CCPA compliance to CPRA compliance.
#1 – Clarify The Data Practices Of Your Vendors
The CPRA places more obligations on businesses to ensure their vendors are treating data responsibly. Under the CPRA, your company could face penalties if it shares consumer data with another company that proceeds to mishandle it. In other words, if you collect any consumer data, you need to be absolutely sure that your team, and anyone you pass that data to, understands how to handle it safely.
One of the big changes in the CPRA is that the data relationship between a business and a vendor must be captured in a contract. Businesses that send personal information to third parties, service providers or contractors must enter into a contract that binds the vendor to the same level of privacy protection the act provides, grants the business the right to take reasonable and appropriate steps to remediate unauthorized use, and requires the vendor to notify the business if it can no longer comply.
If you share any data with other companies, like mailing lists or ad-targeting information, then it’s time to audit your list of vendors. Make sure they understand CPRA and are prepared to handle the new data compliance regulations, and capture that in your written agreements.
#2 – Strengthen Your Capabilities For Data Classification
If you spent time getting into compliance with the CCPA, your company should already have clear, robust processes in place to help customers easily erase their PII on demand. The CPRA builds on what’s required in this area. It introduces a new category of PII, Sensitive Personal Information (SPI), and lets users require that their SPI be used only for delivering a good or performing a service.
This category includes identifying data points like race, ethnicity, precise geolocation, union membership, religious affiliation, and any biometric data from health trackers.
If your forms collect data related to SPI, it’s time to ensure that you have procedures in place to manage this data securely. Under the CPRA, companies will be allowed to retain PI as separate from SPI to avoid a situation where a company must forfeit all data it has collected for marketing purposes. You’ll need to add a separate opt-in/opt-out option for customers to make a choice regarding the usage of their SPI.
#3 – Prepare to Answer Consumer Questions about Automated Decision Making
Under the CPRA, customers have the right to access information about any automated decision making related to their profile. This means your business should expect an increase in inquiries about its behind-the-scenes decision-making processes.
If your company utilizes any machine learning algorithms to automate decisions related to consumer marketing, be prepared to share your process with the public. CPRA gives all consumers the right to request this information, including the logic used to make decisions and a description of what is likely to be the outcome of that process.
#4 – Get Serious About Data Retention Policies
This CPRA requirement isn’t getting the attention it deserves, considering the new obligations it places on companies with a California footprint. Data minimization is a core feature of Europe’s GDPR, but the CCPA contained no requirements around “collecting and storing only the data you need for the time you need it.”
Under CPRA, businesses must disclose the length of time they intend to hold onto the PII they collect, at the time it’s being collected. They also can’t hold onto data any longer than it’s reasonably needed for the purpose it was collected. Sound straightforward? Well, per our friends at the IAPP:
While many privacy officers have implemented annual data deletion days as a best practice, getting all employees to comply and delete troves of outdated data, which no longer serves a purpose, has remained a perpetual challenge. This new obligation would force businesses to take a careful look at the personal data they have stored and delete unnecessary data much more regularly.
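To make the obligations in #2 and #4 concrete, here is an added example (not code from Ethyca or from the original post) showing how a business might tag collected fields as PI or SPI, restrict SPI use to service delivery unless the consumer opts in, state a retention period at collection time, and purge records that have outlived their stated purpose. The field names, purposes, retention periods and sample records are all constructed for illustration; the SPI examples (precise geolocation, union membership, religious affiliation, health-tracker biometrics) follow the post. Unclassified fields are treated as an error rather than silently stored as ordinary PI, since an unknown field is exactly where SPI tends to slip in.

```python
"""Hypothetical PI/SPI classification and retention-enforcement helpers."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Category(Enum):
    PI = "personal information"
    SPI = "sensitive personal information"


# Hypothetical field inventory (field names are constructed for this example).
FIELD_CLASSIFICATION = {
    "email": Category.PI,
    "postal_code": Category.PI,
    "precise_geolocation": Category.SPI,
    "union_membership": Category.SPI,
    "religious_affiliation": Category.SPI,
    "resting_heart_rate": Category.SPI,
}

# Hypothetical retention schedule, keyed by the purpose stated at collection.
RETENTION_BY_PURPOSE = {
    "order_fulfillment": timedelta(days=365),
    "marketing": timedelta(days=90),
}

# Purposes that count as delivering a good or performing a service.
SERVICE_DELIVERY_PURPOSES = {"order_fulfillment"}


@dataclass
class Record:
    consumer_id: str
    purpose: str
    collected_at: datetime
    fields: dict
    spi_opt_in: bool = False  # consumer's choice on SPI use beyond service delivery


class UnclassifiedFieldError(ValueError):
    """Raised when a field has no entry in the classification inventory."""


def classify(fields):
    """Split fields into (pi, spi); unknown fields are rejected, not assumed PI."""
    pi, spi = {}, {}
    for name, value in fields.items():
        category = FIELD_CLASSIFICATION.get(name)
        if category is None:
            raise UnclassifiedFieldError(name)
        (spi if category is Category.SPI else pi)[name] = value
    return pi, spi


def usable_fields(record):
    """Fields the business may use for the record's purpose: SPI is included
    only for service delivery or when the consumer has opted in."""
    pi, spi = classify(record.fields)
    if record.purpose in SERVICE_DELIVERY_PURPOSES or record.spi_opt_in:
        return {**pi, **spi}
    return pi


def retention_notice(purpose):
    """Text to show at collection time stating how long the data is kept."""
    days = RETENTION_BY_PURPOSE[purpose].days
    return f"Data collected for {purpose} is retained for {days} days."


def retention_deadline(record):
    """Last moment the record may be held for its stated purpose."""
    return record.collected_at + RETENTION_BY_PURPOSE[record.purpose]


def purge_expired(records, now):
    """Return (kept_records, purged_consumer_ids); expired records are dropped."""
    kept, purged = [], []
    for record in records:
        if retention_deadline(record) <= now:
            purged.append(record.consumer_id)
        else:
            kept.append(record)
    return kept, purged


# Constructed sample data: three consumers, two purposes, mixed PI/SPI.
SAMPLE_RECORDS = [
    Record("c1", "marketing", datetime(2021, 1, 1, tzinfo=timezone.utc),
           {"email": "a@example.com", "religious_affiliation": "x"}),
    Record("c2", "order_fulfillment", datetime(2021, 1, 1, tzinfo=timezone.utc),
           {"email": "b@example.com", "precise_geolocation": "37.77,-122.41"}),
    Record("c3", "marketing", datetime(2021, 5, 1, tzinfo=timezone.utc),
           {"email": "c@example.com", "union_membership": True}),
]
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    kept, purged = purge_expired(SAMPLE_RECORDS, NOW)
    print("purged:", purged)
    for r in kept:
        print(r.consumer_id, usable_fields(r))
```

Running the script purges c1 (a marketing record older than its 90-day window) and, for the surviving marketing record c3, returns only the PI fields because the consumer has not opted in to wider SPI use; the order-fulfillment record c2 keeps its geolocation because that purpose is service delivery. In a real system the classification inventory and retention schedule would be maintained alongside the privacy notice, so that the period disclosed at collection and the period enforced by the purge job cannot drift apart.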
#5 – Combine In-House Expertise with The Right Tools
There’s no point in risking your company’s reputation by trying to DIY a strategic approach to CPRA compliance. Invest resources in meeting with your legal team and giving them the tools they need to do the job. Additionally, your privacy operation is not something to completely outsource. The in-house understanding of business data flows and structures will be invaluable as the number and requirements of privacy laws around the world multiply.
In the words of General Counsel and Privacy Pro Danielle Sheer at a recent Ethyca webinar:
You will do a massive disservice to your company if you look at your baseline privacy program only through the lens of compliance or fully outsource all operations.
Choose the right privacy partners to help you manage CPRA compliance and reap the benefits of developing in-house expertise.
Overall, the transition from CCPA to CPRA presents an opportunity for businesses to get a handle on their data practices. The era of big data is here to stay and consumers will continue to grow savvier about exercising their personal data rights.
Privacy management is something that all US businesses must take seriously. Ethyca can help you automate the nuts and bolts of day-to-day privacy management, freeing up your team to focus on the big privacy picture.