The California Privacy Rights Act of 2020 (CPRA) sets a new privacy standard well beyond California alone. Businesses located anywhere that collect Californian consumers’ information also must abide by the CPRA. The first few months of 2021 are critical for businesses to implement tools for CPRA compliance, with automated data mapping at the top of the list.
The passage of the CPRA closely follows the start of enforcement for the California Consumer Privacy Act of 2018 (CCPA). As the evolution from CCPA to CPRA began in 2020, we discussed the key privacy provisions the CPRA builds on. We now share how businesses can implement the law through automated data mapping.
The CPRA rollout makes the strongest case yet for companies to use automation in data mapping. Here, we zoom in on 4 important CPRA requirements for which automated data mapping tools are instrumental in achieving compliance.
The CCPA gave consumers the right to request that a business share any of their personal information gathered over the past 12 months. Under the CPRA, this 12-month window is extended indefinitely for information collected on or after January 1, 2022. That is, once the CPRA goes into effect at the start of 2023, any access request will reach back to January 1, 2022.
To fulfill access requests that apply over this extended lookback period, businesses cannot rely on the idiosyncrasies of manual mapping that might shift as their personnel or organizational behavior changes over time.
Data mapping demands consistency in database labels and schemas. To achieve this, automation can efficiently apply detailed instructions to huge volumes of data. This approach delivers the nuance of human review without the human error that could easily occur during a months-long manual mapping initiative.
Businesses must implement a process for managing how much personal information they hold and how long each type of personal information is retained in their business systems. These requirements depend on the data’s business purpose and on the process by which consent to collect it was obtained.
As an example of this principle, let’s look to a similar law: the EU’s General Data Protection Regulation (GDPR). A business subject to GDPR must re-obtain consent annually to retain a user’s email address. If a user does not re-supply consent, the business must purge such data from all business systems under penalty of law.
Enforcing non-uniform retention rules across a wide array of platforms – email providers, CRM tools, order tracking, accounting – is, in plain terms, incredibly difficult. An automated data map, however, helps businesses comply by collecting only the appropriate amount of users’ data and keeping it only for the appropriate amount of time.
Data minimization is also an investment in consumers’ trust. For 52% of Americans, a company collecting too much information is a deal-breaker when deciding whether to use a product or service.
The CPRA builds on the CCPA’s classification of personal information, adding a subset called Sensitive Personal Information, or SPI. Sensitive Personal Information includes consumer information such as precise geolocation, race/ethnicity, and biometric information. The CPRA affords consumers rights specific to their SPI, so companies must account for any SPI, including in third-party applications.
The ideal data mapping tools for SPI management will pair in-house knowledge of business operations with the efficiency of automation. This setup will apply the appropriate labels and retention schedules across large volumes of data. Building such systems manually would cost a business months, if not years, to implement.
Under the CPRA, an effective data map must not be a blunt tool. A more granular categorization of personal information types is necessary for regulatory compliance.
Third parties will need to assist in correcting or deleting consumer information when a consumer requests it. Third-party data processing occurs in 90% of surveyed privacy professionals’ firms. As data flows become more complex, leveraging automated mapping is a must for data-driven businesses. Further, businesses remain responsible for remediation if a third party fails to comply. An effective data map keeps contractual associations aligned with the CPRA.
We have highlighted 4 ways in which automated data mapping makes CPRA compliance not just possible for businesses but also viable. Ethyca’s data mapping tools simplify CPRA compliance, enabling businesses to meet legal requirements and show users that they take privacy seriously.