CPRA Data Discovery: The Step Towards Personal Data Compliance

CPRA was passed on November 4, 2020, and introduced as an extension to its predecessor, the California Consumer Privacy Act (CCPA) that came into effect on January 1, 2020. CPRA strengthens the critical areas where the CCPA lacked and creates the first US agency dedicated to enforcing and protecting the privacy rights of individuals.

In essence, both the CCPA and CPRA attempt to enforce data privacy and data protection requirements that would generally require businesses, which are serving California consumers, to have the personal information of consumers properly categorized in a structured database so that the organization can easily revert to it for ensuring governance obligations, fulfilling privacy rights, assessing processing activities and meeting compliance requirements.

As the CPRA is soon coming into effect, i.e., in January 2023, organizations must rethink their data discovery process to ensure compliance, and thus, stay ahead of the competition.

7 Key Areas of Concern CPRA Data Discovery Tools Must Address

CPRA is a consumer-centric regulation that is formulated to strengthen consumers’ knowledge about their personal information and the processing activities related to it, as well as with whom it is shared with and for what purpose; while also ensuring they have better control (rights) over the collection, storage, and processing of their information by businesses.

For effective data mapping and compliance, it is imperative that businesses should have a better understanding of the new category of personal information added to the category and the extended consumer rights, along with the other revisions introduced into CPRA.

Discovering Sensitive Personal Information (SPI)

Under Section 1798.140(v), CPRA has co-opted the definition of personal information from CCPA:

“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Under the CPRA, personal information may include identifiers like name, alias, email address, IP address, other unique personal identifiers, social security number, passport number, driver’s license number, geolocation data, and biometric information, to name a few.

CPRA has also created a further sub-category related to“sensitive personal information” under Section 1798.140 (ae). Sensitive personal information (SPI) includes information such as a person’s social security, driver’s license, state identification card, passport number, financial account log-in information, financial account, debit card, financial access codes, credit card data, racial or ethnic origin, religious or philosophical beliefs, or union membership, biometric information, precise geolocation data, contents of a consumer's email, and text messages and genetic data.

The addition of this new category of PI also provides expanded rights to California consumers under CPRA Sections 1798.121 and 1798.135, allowing them to restrict the use or disclosure of their SPI.

The introduction of this new sub-category of personal information requires businesses to have a smart data discovery process that can discover and categorize personal information and sensitive personal information it may hold in its databases, at scale, while also keeping the false positive ratio to a minimum. Once the data is discovered and mapped accurately, businesses can design better access controls or use equivalent security measures to protect consumers’ SPI.

Honoring Data Subject Rights (DSRs)

CPRA is more celebrated than its predecessor, CCPA, because of the extended rights it delivers to California consumers. CPRA has derived some concepts from GDPR and introduced some new consumers’ rights, while also revising the existing rights, mentioned under the CCPA.

The data subject rights that were revised under CPRA, include

• Right to Opt-Out of Third-Party Sales and Sharing: CCPA gave rights to consumers allowing them to opt out of the selling of personal information. CPRA strengthens the rights by adding “sharing” to the clause, enabling consumers to opt-out of the ‘renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means’ of their personal information by the business to a third party for the purposes of cross-context behavioral advertising.
• Right to Know: CPRA extended the 12-month window as defined by CCPA, giving consumers the right to inquire businesses about their personal information collected within or beyond 12 months. It has also required businesses to disclose the categories of PI it has shared with third parties as well as the third parties it has shared the PI with.
• Right to Delete: The right to request for deletion of PI requires businesses to instruct third-party vendors, service providers, or contractors to delete the personal information that might have been sold/shared to them by the business.
• Right to Data Portability: Apart from having the right to ask businesses to send a copy of their personal information via mail or electronically, consumers can now also request businesses to transfer their personal information to a third-party entity.
• Opt-In Rights for Minors: According to the new amendments, businesses now need to wait for 12 months before asking for the re-consent from a minor, regarding collecting, selling, or sharing of their personal information if the minor has refused to provide consent.

Rights that were added to CPRA include

• Right to Correct Information: Consumers can now request businesses to fix any incorrect information they have on the consumers.
• Right to Limit Use and Disclosure of Sensitive PI: CPRA enables consumers to direct businesses to limit the use of or not to disclose their SPI. However, this right is further subject to a few exceptions.
• Right to Access Information About Automated Decision Making: The right authorizes consumers to direct businesses to explain the logical reasoning behind their automated decision-making processes.
• Right to Opt-Out of Automated Decision-Making Technology: CPRA gives consumers the right to withdraw from the automated decision-making process.

To effectively comply with the DSR fulfillment, businesses must identify data containing PI and SPI of California consumers with great precision and link it to the respective consumer. For that to happen, businesses must put a leash on their data sprawl and understand where the data resides in their dynamic environments utilizing data intelligence to scan and recognize personal information within their databases.

Adding Protective Measures to an Added Data Breach Liability

While CCPA gave California consumers the right to take legal actions against a business that failed to protect their PI due to the lack of security measures, CPRA adds to the data breach liability with the inclusion of consumers’ accounts’ logins.

This further implies that businesses have to surgically locate the consumers’ logins across the vast data sets and add security measures like encryption, multi-factor authentication, and strict access control so that they can avoid strict regulatory action and enforcement, private court cases by affected data subjects and paying out huge penalties and compensatory awards.

Fulfilling Data Minimization and Retention Obligations