Getting Your Data Protocols CPRA-ready
By Ameesh Divatia, CEO and co-founder | November 5, 2020
Amidst the frenetic activity still going on with the presidential election, this week California passed Proposition 24, an important bill that will strengthen digital privacy protection for consumers. The legislation, more commonly known as the California Privacy Rights Act (CPRA), expands upon the California Consumer Privacy Act (CCPA), which went into effect earlier this year. By passing CPRA, the citizens of California are setting an example for the rest of the country. While giving consumers greater control over and access to personal data collected by companies, CPRA will require companies to review and update their existing data management protocols.
Perhaps the new bill’s most immediate change will be the assembly of a five-member board, known as the California Privacy Protection Agency (CPPA), which will enforce the new law. This is a major modification to CCPA when you consider that enforcement was previously left up to the attorney general’s office. The CPPA will be solely focused on reviewing potential violations and determining the appropriate recourse. With the expectation of heightened compliance scrutiny once CPRA commences on Jan. 1, 2023, here are three specific areas of the legislation that organizations should begin addressing immediately:
- Expansion of protected data. CPRA now requires covered entities to protect “sensitive personal information,” which goes beyond more traditional protected data (e.g., banking information, addresses, Social Security numbers) and now includes information like sexual orientation, race, ethnicity and religion. This creates a new wrinkle for many organizations as they will now have to identify and protect data contents that they have not traditionally addressed.
- Detailed data tracking. For quite some time, organizations built their data collection and retention infrastructure to address their own challenges and satisfy their own needs, but CPRA will change that. Under the law, consumers have more control over their data; for example, they now have the right to know how long a company plans to retain their data. Organizations that are not currently set up to respond to such requests in a timely manner, if at all, will have to make drastic changes. This will mean more comprehensive and accessible data retention schedules, along with best practices that position them to more easily access and communicate those schedules.
- Partner compliance. Another interesting aspect of CPRA is that its reach extends beyond covered entities and will include contractors, third parties and service providers that organizations share data with. While partner compliance will be the partner’s responsibility, this wrinkle will certainly change things. For example, when seeking out a new partnership, covered entities will have to invest more time into the vetting process to ensure a potential partner has the proper infrastructure in place to maintain CPRA compliance.
While covered entities will have to invest considerable time and resources to become CPRA compliant, they have time to institute the necessary infrastructure to comply. Here are a few suggestions to ensure they are ready:
- Audit current protocols. Many companies will have to completely rethink how they identify, protect and retain data, and to be certain, this is no easy task. Organizations can begin by taking a close look at the protocols they established for CCPA compliance and seeing what adjustments they need to capture sensitive personal information. Organizations covered by GDPR will have a head start, as several CPRA requirements are similar to what GDPR already requires.
- Talk to contractors, third parties and service providers. Businesses must be more proactive with partners they share data with to ensure they too are setting themselves up properly to comply with the new law, and consider switching providers if they are not making such changes. While partners will be responsible for their own violations, an organization’s reputation can be affected by associating with a partner that does not properly adhere to regulations.
- Review current solutions. Any solution that touches data should be scrutinized starting now. As with contractors, third parties and service providers, open discussions with solution providers to better understand how their current solutions address CPRA requirements and what updates they plan to make. And if seeking new solutions, CPRA compliance should be a top consideration when making a decision.
Organizations are getting bombarded with compliance demands, and the CPRA will put pressure on them to more consistently catalog data to comply with consumers’ requests to limit the use of their data. All privacy regulations try to strike a balance between individual rights and market/business regulation, and CPRA is a significant step in that direction. Becoming CPRA-compliant will not only protect consumer data now, but it will also prepare organizations for future privacy regulations.