The California Privacy Rights Act (CPRA) is California’s equivalent of the European Union’s General Data Protection Regulation (GDPR). Its principal purpose is to ensure that businesses dealing with California consumers’ personal information take the appropriate measures to protect the privacy and integrity of their data.
Furthermore, it requires businesses to make several changes to their standard practices to ensure users are properly educated and informed about what personal information is being collected about them and what their rights are in relation to that personal information.
In view of that, CPRA compliance must be a priority for businesses still catering to California’s consumers. To make that process easier, the following CPRA compliance checklist will help companies decide what direction they must take going forward.
Securiti’s CPRA assessment evaluates your readiness for CPRA and reviews how compliant your current practices are. This assessment highlights any deficiencies in your practices and aids your CPRA compliance efforts.
The road towards CPRA compliance is hard, but it becomes slightly easier if you have a thorough CPRA compliance checklist to follow. This can include the following:
The first step to becoming properly CPRA compliant is to know whether your business falls within the CPRA’s scope. Unlike the GDPR, which applies to both for-profit and nonprofit entities, including government bodies, the CPRA is only meant to regulate the data collection, storage, processing, and sharing practices of for-profit businesses doing business in California. Furthermore, a for-profit business conducting business in California would need to be CPRA compliant if it fulfills the following criteria:
If a business fulfills the criteria above, it is essential that it begins devising a plan to meet any and all CPRA compliance requirements as soon as possible. Here’s a rundown of things to get started on:
Figuring out where to start can be tough. Hence, the wise thing to do would be to conduct a thorough gap analysis of your current data collection practices. Once you’ve done so, you’ll know what kind of data you’re currently collecting, storing, using, and whether these current practices are compliant with the requirements under the law. More importantly, you’ll know how drastically the company needs to alter its current practices.
A gap analysis can provide you with a framework to work with. Make sure the personnel in charge of this analysis have an in-depth understanding of both the CPRA compliance requirements and the company’s own data collection, processing, and protection practices.
The most important of these updates is disclosing whether the data handler collects any sensitive personal information (SPI) on its users. CPRA defines SPI as the consumer’s social security number, driver’s license number, passport number, financial information, racial and ethnic origin, geo-location, health data, religious affiliation, and trade union membership. By going into such detail, CPRA has mandated that businesses be transparent with their users if they collect any of this information.
Lastly, a business must have a toll-free number and email address for a customer to contact if they ever want to exercise any of the above-mentioned rights.
As per CPRA, the customer has a right to know exactly what information the business has collected on them. These include information that falls under these criteria:
A business must only respond to a customer’s request to know about their data once a Verifiable Customer Request (VCR) is made. It is the business's responsibility to create two methods for the customer to submit a VCR. These can include a toll-free number and an email channel.
A business must respond to a legitimate request within 45 days, with a further 45 allowed if necessary, provided the customer is properly informed of this extension within the first 45 days. Afterward, a report covering the previous 12-month period from when the request was made must be sent to the customer via mail or email, depending on the mode the customer chooses.
Educating users includes establishing an easy and simple way for any customer to request access to, correction of, and deletion of any data collected on them, including SPI. The best practice in this case is to embed a DSR form on your website, as it makes it convenient for users to make any sort of request related to their data.
Additionally, it is highly advisable that data handlers set up a verification process for data subjects to ensure that only the right person gets access to their data when they file a DSR request.
Another key facet that differentiates CPRA from CCPA is that failure to comply with CPRA requirements in the case of minors can lead to a hefty $7,500 penalty per violation. Hence, businesses should have mechanisms in place that require special opt-in consent from any consumer below the age of 16 for the sale or sharing of their personal information. Moreover, data handlers are prohibited from requesting consent again within 12 months of a previous refusal of consent.
Typical mechanisms to be used may include requiring an adult’s email to ensure proper consent is given.
Unlike the GDPR, which follows an opt-in approach where a business is required to seek a user’s consent before processing their data, the CPRA follows an opt-out model where the onus is on the customer to request that their data not be shared, sold, or forwarded to any other parties.
However, the CPRA does require all data handlers to make opting out easier for all customers: each page across the website must carry a “Do Not Sell or Share My Personal Information” button and a “Limit the Use of My Sensitive Personal Information” button.
Additionally, it is advisable to have a visible opt-out banner on the website’s homepage in addition to dedicated resources on the website educating customers on things such as the difference between opt-in and opt-out, how the data collected on them is used, and most importantly, how to opt-out of having their data shared, sold, or forwarded to any other parties.
This is arguably the most important part of being CPRA compliant as it is the most volatile part. Make sure that all the data collected on users is properly stored, backed up, and encrypted, whether on the company’s own premises or any other remote location such as data lakes, hybrid, or multi-clouds. All data handlers must maintain proper data maps, records, and inventories on the data they collect. Some other practices that make up a good data governance regime include the following:
Any follow-up steps differ from regulation to regulation. Hence, an organization must ensure its data storage practices comply with the statutes of the regulation it is subject to.
A business’s responsibility for its users’ data does not end with the business itself. Under CPRA, any other parties with whom the consumers’ personal information was shared or to whom it was sold will have certain obligations and restrictions placed on them as well.
As per CPRA, a “contractor” is defined as a party with whom a business shares its users’ data for a business purpose under a written formal agreement. This agreement, pursuant to CPRA, shall bar all such contractors from:
Similar to a contractor, the CPRA defines “service providers” as someone that might receive the users’ data to perform a business-related task for the business. Similar to a contractor, the CPRA prohibits service providers from:
The CPRA defines “third party” as an umbrella term for anyone with whom the consumer does not intentionally interact and with whom the consumer’s personal information may be shared or to whom it may be sold. They can be anyone apart from the following:
As per the CPRA, even third parties must agree to give the data protections similar to those required by the CPRA for the transfer to be valid.
The CPRA will come into effect on January 1, 2023. Businesses have until then to audit their current practices, come up with a new framework that adheres to the CPRA regulation on data protection, train their staff accordingly, and reinvent how they handle their customers’ data. It wouldn’t be wrong to state that this presents a significant challenge for all corporations.
Securiti is a market leader in AI-driven data privacy and compliance software. Using robotic automation, artificial intelligence, and machine learning, it automates most of an organization’s compliance tasks at the click of a single button. To learn more about how Securiti and its several privacy compliance tools can help your business, request a demo today.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.