The California Privacy Rights Act of 2020 (CPRA) sets a new privacy standard well beyond California alone. Businesses located anywhere that collect Californian consumers’ information also must abide by the CPRA. The first few months of 2021 are critical for businesses to implement tools for CPRA compliance, with automated data mapping at the top of the list.
To Succeed Under CPRA, Automate Your Data Mapping
The passage of the CPRA closely follows the start of enforcement for the California Consumer Protection Act of 2018 (CCPA). As the evolution from CCPA to CPRA began in 2020, we discussed key CPRA privacy builds. We now share how businesses can implement the law through automated data mapping.
The CPRA rollout makes the strongest case yet for companies to use automation in data mapping. Here, we zoom in on 4 important CPRA requirements for which automated data mapping tools are instrumental in achieving compliance.
- Access Requests
- Data Minimization
- Sensitive Personal Information
- Third-Party Requirements
Fulfilling Users’ Access Requests
The CCPA gave consumers the right to request that a business share any of their personal information gathered over the past 12 months. Under the CPRA, this 12-month window gets extended indefinitely, beginning January 1, 2022. That is, once the CPRA goes into effect at the start of 2023, any request for access will extend back to January 1, 2022.
To fulfill access requests that apply over this extended lookback period, businesses cannot rely on the idiosyncrasies of manual mapping that might shift as their personnel or organizational behavior changes over time.
Data mapping demands consistency in database labels and schemas. To achieve this, automation can efficiently apply detailed instructions to huge volumes of data. This approach delivers the nuance of human review without the human error that could easily occur during a months-long manual mapping initiative.
Automated Data Mapping for Data Minimization
Businesses must implement a process for managing the amount of information and the duration that different types of personal information are retained in their business systems. These requirements depend on the data’s business purpose and the process for obtaining consent to this data.
As an example of this principle, let’s look to a similar law: the EU’s General Data Protection Regulation (GDPR). A business subject to GDPR must re-obtain consent annually to retain a user’s email address. If a user does not re-supply consent, the business must purge such data from all business systems under penalty of law.
Enforcing non-uniform retention rules across a wide array of platforms – email providers, CRM tools, order tracking, accounting – is, in plain terms, incredibly difficult. However, an automated data map helps businesses comply in collecting the appropriate amount of users’ data for the appropriate amount of time.
Data minimization is also an investment in consumers’ trust. For 52% of Americans, a company collecting too much information is a deal-breaker when deciding whether to use a product or service.
Classifying Sensitive Personal Information
The CPRA builds on the CCPA’s classification of personal information, adding a subset called Sensitive Personal Information, or SPI. Sensitive Personal Information includes consumer information such as precise geolocation, race/ethnicity, and biometric information. The CPRA affords consumers rights specific to their SPI, so companies must account for any SPI, including in third-party applications.
The ideal data mapping tools for SPI management will pair in-house knowledge of business operations with the efficiency of automation. This setup will apply the appropriate labels and retention schedules across large volumes of data. Building such systems manually would cost a business months, if not years, to implement.
Under the CPRA, an effective data map must not be a blunt tool. A more granular categorization of personal information types is necessary for regulatory compliance.
Upholding Third-Party Requirements
Third parties will need to assist in the correction or deletion of consumer information, as requested by the consumer. Third-party data processing occurs in 90% of surveyed privacy professionals’ firms. As data flows become more complex, leveraging automated mapping is a must for data-driven businesses. Further, businesses are responsible for remediation if a third party fails to comply. An effective data map keeps contractual associations in alignment with the CPRA.
Automated Data Mapping for CPRA Readiness
We have highlighted 4 ways in which automated data mapping makes CPRA compliance not just possible for businesses but also viable. Ethyca’s data mapping tools simplify CPRA compliance, enabling businesses to meet legal requirements and show users that they take privacy seriously.