The California Privacy Rights Act poses additional potential compliance challenges for businesses that have in many cases made significant efforts over the previous few years to ensure compliance with the California Consumer Privacy Act.
Failure to comply with this ever-evolving landscape of privacy standards might lead to legal action that is costly and financially destructive. In addition to making sure that its PII data discovery processes and information governance procedures are up to standard, businesses must adopt a defendable approach to data privacy legislation.
The team at Data Sentinel created the checklist below to assist businesses that are currently mostly in compliance with the CCPA in tackling the next compliance challenge because of the numerous compliance risks involved.
What is CPRA?
The existing California Consumer Privacy Act (CCPA), passed in 2018, is amended by the California Privacy Rights Act (CRPA), which goes into effect on January 1st, 2023. Data privacy rights for people are established under the California Privacy Rights Act, which for-profit businesses and some non-profit organizations are required to abide by.
The General Data Protection Regulation of the European Union (GDPR) and the CPRA are similar in many aspects. The analogy is particularly appropriate since it pertains to citizens of California regardless of where the organization acquires its sensitive data, how it classifies its data, or where it stores its data.
Why is CPRA Data Privacy Compliance Important?
To put it simply, your business could suffer from high fines, potential consumer litigation and other repercussions if you are not CPRA compliant. Companies will be required to pay the state of California $7,500 for a willful violation (or $2,500 per infraction if it is deemed an accident). What constitutes a violation is still up for debate; it remains to be seen whether the state decides to adopt a more liberal perspective.
However, it’s important to know if your business even needs to be compliant with this regulation. Any for-profit firm operating in California that gathers consumer data or chooses the methods and objectives for doing so is subject to the CPRA. Furthermore, it only applies to companies that:
- Have a total income of more than $25 million each year.
- Have a yearly purchase, sale, or sharing of 100,000 or more consumer's or household's personal information.
- Generate at least 50% of their yearly income from the sale or exchange of customer information.
Be aware that the CPRA applies to not just your firm but also every other organization that you do business with, your vendors, partner firms and their parties. it critical that companies understand this extended obligations.
The CPRA Compliance Checklist
Get Support From Your Senior Management and Build a Governance Counsel
In order to successfully implement compliance with the CPRA, it will require top-level support from your organization. The board of directors or senior management of your organization must be aware of the law and its ramifications in order for your compliance initiative to get the funding it requires to provide long-term benefits and risk reduction.
Inform the board of the risks to the company and its customers, and the advantages of CPRA compliance. To do this, you must allocate the required funds and resources for your CPRA project. Add the privacy mandate and requirements to your Data Governance counsel. Assign responsibility, important roles, and tasks for CPRA compliance to the right individuals and teams. Leverage data owners, subject matter experts, risk and compliance, legal and IT to participate as needed in the process.
Start With a Compliance Data Audit and Find Your Pain Points
You may learn how well your present procedures adhere to the CPRA's criteria as well as where they fall short by doing a CPRA gap analysis. The issues that need to be resolved in order to comply with the legislation can then be prioritized. Data governance, data policies and rules, data access, sensitive data mapping, data security and data loss prevention, the scope of regulatory compliance for your organization based on your data holdings, incident management process analysis, and of course consumer rights are all important topics to include in your gap analysis. This is where a platform for data compliance automation like Data Sentinel may help.
Create Active PII Inventories and Data Maps
Consumers in California have a right to know what personal information is being gathered, used, and sold, as well as where it came from, thanks to the CPRA. The ability to quickly, completely, and compliantly respond to data access requests is made possible by identifying data-gathering locations and capturing these in data maps.
A consumer's profile can be created using a variety of categories of information about them, including their preferences, traits, psychological tendencies, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes. These categories of information range from name, home address, and personal email address to biometric information, exact location data, and even employment information. A consumer's exact location, race, religious or philosophical opinions, emails and text messages, genetic information, and health information are examples of other kinds of sensitive personal information.
Automated data maps may help with more thorough and accurate privacy disclosures, which will increase compliance. This is because they might identify actions involved in downstream processing that may not be visible to data collectors but that must be disclosed to the subjects at the time of collection. Analyze the types of personal information your company maintains, the sources from which it originates, and the commercial or business purposes for processing it. Keep track of the movement of personal data into, through, and out of your company.
Creating and Implementing Operation Processes for Regulatory Compliance
Following the mapping of your PII inventory and identification of your compliance gaps, you should align your personal information processing practices with the CPRA's regulations. This entails evaluating your current contracts, rules, and processes and putting new ones into place when required. You will also need to update your website to make sure that customers have access to privacy and data use policies.
Create a procedure for Data Subject Access Request (DSAR) processing to abide by the CPRA's right to be forgotten. Your data map and PII inventory will be key to being able to automate the DSR process.
The next step is to evaluate all employee, customer, and supplier contracts and, if required, revise them to address the handling of personal information. Next, establish a plan for how to identify, confirm, and act upon customer requests for access to or deletion of personal information. Make sure you are able to react to consumer requests for data subject access within 45 days through phone or email. Additionally, you will have to make customer data available in an accessible way upon request. There should be written instructions for this procedure, along with a toll-free number and internet URL.
Is \Your Organization Actually Securing Personal Information?
It is essential to your compliance program that you have the proper safeguards in place to protect the personal data your organization handles. Establish an information security policy. Implement fundamental data security technological measures. This is made easier by following frameworks and standards such as the NIST Cybersecurity Framework. When necessary, employ deidentification and encryption technology. Make sure rules and procedures are in place to identify, report, and investigate breaches of personal information. Create and maintain a strong incident response strategy.
Train and Retrain Your Team
Developing a data governance and data privacy culture is critical to the long long-term success of your privacy program. It has to start from the top of the organization and become a priority for all leadership for the cultural change to take hold and persist. It goes well beyond the data management, data privacy, data security and governance teams. You must make sure that your staff members who are in charge of responding to consumer questions about their privacy rights are aware of the CPRA's obligations and are adept at maintaining appropriate data hygiene. Make sure internal communications with personnel and stakeholders are successful. Your staff should get training on the value of protecting personal information, fundamental CPRA principles, and the policies you have put in place to guarantee compliance.
Regularly Monitor Your Regulatory Compliance Processes
The CPRA is not a one-time endeavour. It is a continuous practice. Internal audits conducted on a regular basis will guarantee that your operations are current and that you won't run afoul of the law. A regular review of pertinent policies should be done to make sure they are current, legal, and easily accessible. Plan routine inspections of security measures and handling of personal data. Keep an up-to-data inventory/map of sensitive data. Keep up-to-date records of the processing of personal information. Conduct regular Privacy Impact Assessments.