How Your Business Can Prepare for CPRA

Introduction

With a host of new state privacy laws coming into effect in 2023, privacy compliance challenges are ramping up for businesses that operate in the United States. To help your business prepare for all of the state by state regulatory changes, Ethyca will release a series of articles on how you can enhance your business’ data privacy practices for the new year.

The first article in this series is about California’s CPRA, as most of its revisions will start on January 1, 2023. Let’s go over how your business can start preparing to be CPRA-ready in the next couple of months.

Background of CPRA

The California Consumer Privacy Act (CCPA) became the official state privacy law of California in 2020. Shortly after its enactment, though, California voters created a ballot initiative for the California Privacy Rights Act (CPRA). This was in response to the hurried process of CCPA’s passage. Since California voters and privacy advocates had limited involvement in CCPA’s creation, they voted to pass CPRA on November 3, 2020, 

Rather than a replacement, CPRA is an amendment to CCPA, expanding consumers’ privacy protections that were already established. It’s still unclear whether California’s privacy law will be called CCPA or renamed CPRA. For the purposes of this article, we will address the changes that go into effect on January 1, 2023 as CPRA.

Next, let’s take a look at the CPRA amendments your business needs to account for.

Additions to CPRA

The Right to Correct and The Right to Limit Companies’ Use of Sensitive Personal Information

Along with Californians’ rights to know and delete the data companies have on them, consumers will have two new rights under CPRA:

• The right to correct information.
• The right to limit companies’ use of Sensitive Personal Information (SPI).

These new rights are in addition to those guaranteed under CCPA, such as the right to portability, the right to non-discriminatory behaviror based on consumer data, and the right to opt out of the selling of consumers’ personal data from businesses.

CPRA takes the latter “Do Not Sell” right a step further. Now, consumers can also opt out of the sharing of their personal information. The CPRA amendment defines “sharing” to include businesses communicating consumers’ personal information to a third-party, regardless of whether monetary transaction was involved. Companies will need to determine if their data processes involve what’s considered “sharing” under CPRA.

New Definitions of Sensitive Personal Information

CPRA also creates new categories of Sensitive Personal Information (SPI). Starting in the new year, SPI will be considered personal information that reveals consumers’:

• Social security number, license number, or state ID number, 
• Account log-in, password, access code, or other information regarding their account.
• Geolocation.
• Racial, ethnic, religious, and sexual identity, or philosophical beliefs.
• Non-business-related emails, messages, and mail.
• Genetic and biometric data.

Now that Californians will have more control over their data, companies need to make sure their data privacy practices respect these additional rights. Your business can start doing so by locating where SPI lies in your systems, and establish guardrails to abide by the new requirements in the coming months.

New Governing Body

To implement and enforce California’s privacy law, the California Attorney General will remain the enforcement authority, while the California Privacy Protection Agency (CPPA) acts as the governing body. Consumers will be able to file a complaint with the Office of the Attorney General if they suspect a company has violated their rights. By 2023, consumers will also be able to file complaints of business violations with the CPPA.

(We recognize these acronyms can be confusing, so bookmark our Data Privacy Acronyms List for your reference).

With the new protections CPRA gives to consumers, here’s how Ethyca recommends your business start preparing for these changes:

How Can Your Business Prepare for CPRA?

Data Minimization

The first line of defense when complying with privacy laws is minimizing the amount of data your business collects and retains. Your business can’t be penalized for violating state privacy laws if it doesn’t have that user data in the first place. 

Data minimization doesn’t just mean storing less data, however. Rather, it’s a methodical practice of collecting, retaining, and deleting data in a way that minimizes privacy risks for the user. Companies should only use data for an explicitly stated purpose that consumers have consented to. CPRA requires stricter data-use limitations on businesses.

To reduce your company’s chances of violating Californians’ new rights under CPRA, your business needs to be intentional with its data management practices, and it needs to have tools for granular PII governance. 

New Consent Management Requirements

In addition to the stricter limitations on business use of consumer data, companies must also obtain user consent in more explicit ways. 

CRPA places a higher standard on what constitutes user consent. It’s defined as “any freely given, specific, informed and unambiguous indication of the consumer’s wishes… such as by a statement or by a clear affirmative action, [that] signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.”

This means explicit user consent does not include:

• Agreeing to broad terms of data processing without stating specific purposes.
• “Hovering over, muting, pausing, or closing a given piece of content.”
• Using dark patterns.

Companies must instead provide separate consent notices and disclosures to users. This includes the additional opt-in and opt-out options businesses are required to provide before legally processing user data.

Starting next year, Calironians will be allowed more opt-out options, including the new categories for SPI listed above. CPRA also requires explicit consumer opt-in options for specific types of data, such as the selling or sharing of personal information of consumers under the age of 16. Companies must provide the appropriate opt-in and opt-out options and mechanism for California consumers in order to comply with CPRA.

Fulfill User Subject Requests

In addition to access and erasure requests, CPRA guarantees all Californians new subject request rights: data correction. Under this rule, businesses are required to respond appropriately to consumer requests to correct their data.

These may seem like a lot of changes, but there’s still time to get your business ready for CPRA. Ethyca’s privacy engineering platform, Fides Open-Source can help you do this easily. Continue reading to learn more. 

How Ethyca Can Help Your Business Comply With CPRA

Ethyca users and customers will be able to comply with the CPRA’s updated requirements. In order to continue to enable your team to comprehensively implement users’ consent preferences, Ethyca will be making a series of updates to the Consent Management experience to ensure you stay in compliance. These updates will allow you to classify your collected data under multiple data categories, and enable users to opt in or out of data usages on your Consent Management page, Additionally, consent preference updates will now be stored for reporting and auditing purposes.

Using the Fides privacy engineering platform, your business can orchestrate users’ privacy requests automatically. Correction requests can also be addressed by discovering and displaying users’ PII via Fides’ dynamic data map. In other words, Fides empowers your business to create and maintain a dynamic data map to see where all of your customer data is stored. With full data visibility, correction requests become simpler to fulfill, and erasure and access requests can be completely automated.

Conclusion

While preparing your company for new state privacy laws that will be enacted in 2023, getting your business CPRA-ready is a great starting point. California’s privacy law is seen as the standard for other U.S. state privacy laws, like the EU’s GDPR. If your business is ready for the changes coming to California, you’ll have an easier time preparing for other state privacy laws in the future.