Published on November 27, 2021 AUTHOR - Privacy Research Team
Securiti’s CPRA assessment evaluates your readiness for the CPRA and reviews how compliant your current practices are. The assessment highlights deficiencies in your practices and aids your CPRA compliance efforts.
The CPRA was approved by California voters on November 3, 2020 (Proposition 24) as an extension of its predecessor, the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020. The CPRA strengthens the areas where the CCPA fell short and creates the California Privacy Protection Agency (CPPA), the first US agency dedicated to enforcing and protecting the privacy rights of individuals.
In essence, both the CCPA and the CPRA impose data privacy and data protection requirements that, in practice, require a business serving California consumers to have the personal information it holds about those consumers properly categorized and inventoried, so that the organization can readily use that inventory to meet governance obligations, fulfill privacy rights, assess processing activities and demonstrate compliance.
Most CPRA provisions become operative on January 1, 2023, with CPPA enforcement beginning July 1, 2023, so organizations must rethink their data discovery process now to ensure compliance and stay ahead of the competition.
The CPRA is a consumer-centric regulation designed to strengthen consumers’ knowledge of their personal information and the processing activities related to it, including with whom it is shared and for what purpose, while also giving consumers better control (rights) over the collection, storage, and processing of their information by businesses.
For effective data mapping and compliance, businesses need a clear understanding of the new sub-category of sensitive personal information, the extended consumer rights, and the other revisions introduced by the CPRA.
Under Section 1798.140(v), the CPRA carries over the CCPA’s definition of personal information:
“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Under the CPRA, personal information may include identifiers like name, alias, email address, IP address, other unique personal identifiers, social security number, passport number, driver’s license number, geolocation data, and biometric information, to name a few.
The CPRA also creates a further sub-category of “sensitive personal information” under Section 1798.140(ae). Sensitive personal information (SPI) includes a consumer’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; racial or ethnic origin, religious or philosophical beliefs, or union membership; biometric information processed to uniquely identify a consumer; precise geolocation data; the contents of a consumer’s mail, email, and text messages (unless the business is the intended recipient); genetic data; and personal information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation.
This new sub-category of PI also brings expanded rights for California consumers under CPRA Sections 1798.121 and 1798.135, allowing them to limit the use or disclosure of their SPI.
The introduction of this sub-category requires businesses to have a smart data discovery process that can discover and categorize the personal information and sensitive personal information they hold across their data stores, at scale, while keeping the false positive rate to a minimum. Once the data is discovered and mapped accurately, businesses can design better access controls or equivalent security measures to protect consumers’ SPI.
The CPRA goes further than its predecessor, the CCPA, in the rights it delivers to California consumers. It borrows some concepts from the GDPR, introduces new consumer rights, and revises the existing rights granted under the CCPA.
The data subject rights that were revised under the CPRA include
Rights that were added by the CPRA include
To fulfill data subject requests (DSRs) effectively, businesses must identify data containing the PI and SPI of California consumers with great precision and link it to the respective consumer. For that to happen, businesses must rein in their data sprawl and understand where data resides in their dynamic environments, using data intelligence to scan for and recognize personal information within their data stores.
While the CCPA gave California consumers a private right of action against a business that failed to protect their PI due to a lack of reasonable security measures, the CPRA extends that data breach liability under Section 1798.150 to breaches of an email address in combination with a password or security question and answer that would permit access to the consumer’s account.
This means businesses have to locate consumers’ account credentials across their data sets precisely and apply security measures such as encryption (or salted password hashing), multi-factor authentication, and strict access control, so that they can avoid regulatory action, private lawsuits by affected data subjects, and large penalties and compensatory awards.
The CPRA introduces certain GDPR-inspired obligations that were not in the CCPA, such as a data minimization requirement (collection, use, retention, and sharing must be reasonably necessary and proportionate, Section 1798.100(c)) and a requirement to disclose, at the point of collection, the retention period for each category of personal information and sensitive personal information collected (Section 1798.100(a)(3)).
If specifying a retention period for each category of PI or SPI isn’t possible, businesses must instead disclose the criteria used to determine the retention period. The regulation further prohibits retaining personal information for longer than is reasonably necessary for the disclosed purpose for which it was collected.
This obligation requires businesses first to scan deeply through their structured and unstructured systems to detect data categories and metadata such as the purpose of retention, file creation date, and data age. The discovered data and labeled metadata then need to be mapped to the respective consumer. This allows businesses to keep track of data whose retention period has expired and therefore needs to be deleted for compliance.
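The two data discovery steps described above, classifying records as PI or SPI without over-matching and then flagging records whose retention period has run out, are illustrated by the following added example. It is not Securiti’s product code or any part of the original post; the detection patterns, the SSN and Luhn validators, the PI/SPI tier mapping, the retention periods and the sample records are all constructed assumptions for this demonstration.

```python
"""Added example (not Securiti's code): a small PI/SPI classifier that validates
each regex hit to cut false positives, plus retention-expiry evaluation.
Every pattern, tier, retention period and record below is a constructed assumption."""
import re
from datetime import date, timedelta

# Candidate patterns. On their own these over-match (any 3-2-4 digit group looks
# like an SSN, any run of 13+ digits looks like a card), so every hit is passed
# through a validator before it is counted.
PATTERNS = {
    "ssn":         re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email":       re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def valid_ssn(m):
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    area, group, serial = m.group(1), m.group(2), m.group(3)
    return not (area in ("000", "666") or area >= "900" or group == "00" or serial == "0000")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def valid_card(m):
    digits = re.sub(r"[ -]", "", m.group(0))
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


VALIDATORS = {"ssn": valid_ssn, "card_number": valid_card, "email": lambda m: True}

# Sensitivity tier per category (assumed mapping to the CPRA's PI / SPI split).
TIER = {"ssn": "SPI", "card_number": "SPI", "email": "PI"}

# Assumed retention policy, in days, per tier.
RETENTION_DAYS = {"SPI": 365, "PI": 730}


def classify(text):
    """Return {category: [validated matches]} for the categories found in text."""
    found = {}
    for name, rx in PATTERNS.items():
        hits = [m.group(0) for m in rx.finditer(text) if VALIDATORS[name](m)]
        if hits:
            found[name] = hits
    return found


def retention_report(records, today):
    """For each record holding PI/SPI, report its consumer, tier and whether it is past retention."""
    report = []
    for r in records:
        cats = classify(r["text"])
        if not cats:
            continue                     # no personal information found, nothing to track
        tier = "SPI" if any(TIER[c] == "SPI" for c in cats) else "PI"
        expires = r["created"] + timedelta(days=RETENTION_DAYS[tier])
        report.append({"id": r["id"], "consumer": r["consumer"], "categories": sorted(cats),
                       "tier": tier, "expired": today > expires})
    return report


# Constructed sample records (not real data).
SAMPLE = [
    {"id": 1, "consumer": "c-100", "created": date(2021, 1, 15),
     "text": "Support ticket from ann@example.com re: order"},
    {"id": 2, "consumer": "c-101", "created": date(2021, 6, 1),
     "text": "Applicant SSN 123-45-6789, card 4111 1111 1111 1111"},
    {"id": 3, "consumer": "c-102", "created": date(2021, 11, 1),
     "text": "Ref 000-12-3456 is an invalid SSN; 4111 1111 1111 1112 fails Luhn"},
]


def demo(today=date(2023, 1, 1)):
    return retention_report(SAMPLE, today)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Record 3 produces no findings at all: the 000-prefixed SSN and the card number that fails the Luhn check are exactly the false positives that a bare regex scan would have reported. Record 2 is tagged SPI and, under the assumed one-year retention period, is flagged as expired on the sample date, while record 1 (email only, PI tier, two-year period) is not.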
The CPRA also requires businesses whose processing of personal information may “present significant risk to consumers’ privacy or security” to perform a cybersecurity audit on an annual basis (Section 1798.185(a)(15)(A)); the audit must be thorough and independent, and the CPPA is to issue regulations defining its scope. The statute directs that the factors for determining whether processing presents significant risk include the size and complexity of the business and the nature and scope of its processing activities.
The CPRA will also require such organizations to conduct regular risk assessments of their processing activities and to submit them to the California Privacy Protection Agency (CPPA). Each assessment must weigh the privacy risks created by the processing activity against the benefits it provides; whether the activity uses consumers’ sensitive personal information is one factor in that evaluation.
Businesses should start identifying higher-risk processing activities now and build a robust risk assessment framework to meet this requirement. This allows the business to conduct timely risk assessments and identify problem areas quickly. An effective data discovery process is the first significant step toward properly auditing and assessing processing activities: without knowing what type of data is being collected, where it is stored, and for what processing purposes, a business cannot begin to evaluate the risks produced by its processing activities.
Under Section 1798.155(a) of the CPRA, the administrative fine for a violation involving the personal information of a consumer under 16 years of age is up to $7,500 per violation, the same amount as for an intentional violation, where the business, third party, service provider or contractor had actual knowledge that the consumer was under 16 (versus up to $2,500 for other violations).
Businesses therefore gain a lot from being able to discover children’s personal information within their data stores, so that they can apply added protection and remain in compliance with the CPRA.
Under Section 1798.100(d), the CPRA requires businesses to enter into contracts with the service providers, contractors, and third parties to which they sell, share, or disclose personal information.
The contracts must specify that the personal information is sold or disclosed by the business only for limited and specified purposes, and must obligate the third party, service provider, or contractor to comply with the applicable obligations of the CPRA and to provide the same level of privacy protection for the transferred personal information as the CPRA requires.
The CPRA further requires that the contracts grant the business the right to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the transferred personal information in a manner consistent with the business’s obligations.
In addition, under Sections 1798.140(ag) and 1798.140(j)(1), the CPRA allows businesses to monitor service providers’ and contractors’ compliance with the contractual limitations and protections afforded to the transferred personal information, including through manual reviews and automated scans, and to do so at least once every 12 months.
An automated data discovery process is therefore essential, not only for mapping the data flows of California consumers’ personal information, so that the business takes adequate steps to protect the personal information it transfers, but also for scanning the data inventories of third parties, service providers and contractors to verify that they are complying with the CPRA’s obligations and the required contractual protections.
Securiti delivers a 360-degree suite that enables hyper-scale organizations to meet security, governance, and compliance requirements efficiently. With Securiti’s AI/ML-enabled Data Discovery solution, organizations can enhance, streamline, and automate their data discovery process. The solution enables organizations to
Request a free demo today to learn more about Securiti’s Data Discovery solution.