IDC Names Securiti a Worldwide Leader in Data Privacy


CPRA Data Discovery: The Step Towards Personal Data Compliance

By Securiti Research Team
Published November 27, 2021 / Updated September 26, 2023

Get California Privacy Rights Act (CPRA) Readiness Assessment

Securiti’s CPRA assessment evaluates your readiness for CPRA and reviews how compliant your current practices are. This assessment highlights any deficiencies in your practices & aid in your CPRA compliance efforts.

For more information about the California Privacy Rights Act (CPRA) and how to kickstart your CPRA compliance program, see our CPRA Compliance Checklist here and download our white paper on 7 Essential Tips to Prepare for the CPRA.

California Privacy Rights Act (CPRA) counts amongst the many privacy regulations that are emerging across the globe. To date, over 120 countries have enacted data privacy regulations, which are mostly modeled after the European Union’s General Data Protection Regulation (GDPR) template.

CPRA was passed on November 4, 2020, and introduced as an extension to its predecessor, the California Consumer Privacy Act (CCPA) that came into effect on January 1, 2020. CPRA strengthens the critical areas where the CCPA lacked and creates the first US agency dedicated to enforcing and protecting the privacy rights of individuals.

In essence, both the CCPA and CPRA attempt to enforce data privacy and data protection requirements that would generally require businesses, which are serving California consumers, to have the personal information of consumers properly categorized in a structured database so that the organization can easily revert to it for ensuring governance obligations, fulfilling privacy rights, assessing processing activities and meeting compliance requirements.

As the CPRA is soon coming into effect, i.e., in January 2023, organizations must rethink their data discovery process to ensure compliance, and thus, stay ahead of the competition.

7 Key Areas of Concern CPRA Data Discovery Tools Must Address

CPRA is a consumer-centric regulation that is formulated to strengthen consumers’ knowledge about their personal information and the processing activities related to it, as well as with whom it is shared with and for what purpose; while also ensuring they have better control (rights) over the collection, storage, and processing of their information by businesses.

For effective data mapping and compliance, it is imperative that businesses should have a better understanding of the new category of personal information added to the category and the extended consumer rights, along with the other revisions introduced into CPRA.

1. Discovering Sensitive Personal Information (SPI)

Under Section 1798.140(v), CPRA has co-opted the definition of personal information from CCPA:

“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Under the CPRA, personal information may include identifiers like name, alias, email address, IP address, other unique personal identifiers, social security number, passport number, driver’s license number, geolocation data, and biometric information, to name a few.

CPRA has also created a further sub-category related to“sensitive personal information” under Section 1798.140 (ae). Sensitive personal information (SPI) includes information such as a person’s social security, driver’s license, state identification card, passport number, financial account log-in information, financial account, debit card, financial access codes, credit card data, racial or ethnic origin, religious or philosophical beliefs, or union membership, biometric information, precise geolocation data, contents of a consumer's email, and text messages and genetic data.

The addition of this new category of PI also provides expanded rights to California consumers under CPRA Sections 1798.121 and 1798.135, allowing them to restrict the use or disclosure of their SPI.

The introduction of this new sub-category of personal information requires businesses to have a smart data discovery process that can discover and categorize personal information and sensitive personal information it may hold in its databases, at scale, while also keeping the false positive ratio to a minimum. Once the data is discovered and mapped accurately, businesses can design better access controls or use equivalent security measures to protect consumers’ SPI.

2. Honoring Data Subject Rights (DSRs)

CPRA is more celebrated than its predecessor, CCPA, because of the extended rights it delivers to California consumers. CPRA has derived some concepts from GDPR and introduced some new consumers’ rights, while also revising the existing rights, mentioned under the CCPA.

The data subject rights that were revised under CPRA, include

  • Right to Opt-Out of Third-Party Sales and Sharing: CCPA gave rights to consumers allowing them to opt out of the selling of personal information. CPRA strengthens the rights by adding “sharing” to the clause, enabling consumers to opt-out of the ‘renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means’ of their personal information by the business to a third party for the purposes of cross-context behavioral advertising.
  • Right to Know: CPRA extended the 12-month window as defined by CCPA, giving consumers the right to inquire businesses about their personal information collected within or beyond 12 months. It has also required businesses to disclose the categories of PI it has shared with third parties as well as the third parties it has shared the PI with.
  • Right to Delete: The right to request for deletion of PI requires businesses to instruct third-party vendors, service providers, or contractors to delete the personal information that might have been sold/shared to them by the business.
  • Right to Data Portability: Apart from having the right to ask businesses to send a copy of their personal information via mail or electronically, consumers can now also request businesses to transfer their personal information to a third-party entity.
  • Opt-In Rights for Minors: According to the new amendments, businesses now need to wait for 12 months before asking for the re-consent from a minor, regarding collecting, selling, or sharing of their personal information if the minor has refused to provide consent.

Rights that were added to CPRA include

  • Right to Correct Information: Consumers can now request businesses to fix any incorrect information they have on the consumers.
  • Right to Limit Use and Disclosure of Sensitive PI: CPRA enables consumers to direct businesses to limit the use of or not to disclose their SPI. However, this right is further subject to a few exceptions.
  • Right to Access Information About Automated Decision Making: The right authorizes consumers to direct businesses to explain the logical reasoning behind their automated decision-making processes.
  • Right to Opt-Out of Automated Decision-Making Technology: CPRA gives consumers the right to withdraw from the automated decision-making process.

To effectively comply with the DSR fulfillment, businesses must identify data containing PI and SPI of California consumers with great precision and link it to the respective consumer. For that to happen, businesses must put a leash on their data sprawl and understand where the data resides in their dynamic environments utilizing data intelligence to scan and recognize personal information within their databases.

3. Adding Protective Measures to an Added Data Breach Liability

While CCPA gave California consumers the right to take legal actions against a business that failed to protect their PI due to the lack of security measures, CPRA adds to the data breach liability with the inclusion of consumers’ accounts’ logins.

This further implies that businesses have to surgically locate the consumers’ logins across the vast data sets and add security measures like encryption, multi-factor authentication, and strict access control so that they can avoid strict regulatory action and enforcement, private court cases by affected data subjects and paying out huge penalties and compensatory awards.

4. Fulfilling Data Minimization and Retention Obligations

CPRA introduces certain GDPR-inspired obligations that were not included in the CCPA regulations, such as data minimization requirements as well as requirements to disclose the data retention period for different categories of personal information and sensitive personal information being collected.

If specifying the retention period against each category of PI or SPI isn’t possible, then businesses are required to define the criteria which are used to determine retention periods. The regulation further obligates businesses to not retain any information if it has fulfilled the purpose for which it was collected.

The obligation requires businesses to first scan deep through its structured and unstructured systems to detect categories and metadata, such as the purpose of retention, file creation, age metadata, etc. Lastly, the discovered data and labeled metadata need to be mapped to the respective consumer accordingly. This will allow businesses to keep track of the data whose retention period is expired, and thus, needs to be deleted for compliance.

5. Cyber Security Audits and Risk Assessments

The CPRA also requires that businesses that hold personal information that might “present a significant risk to its consumers’ privacy or security” perform an annual cybersecurity audit and submit it to the CPPA. This audit must be independent and thorough according to the law. To determine the risk of PI processing operations, organizations need to consider the following factors:

  1. The size and complexity of data processing activities of the organization.
  2. The nature and scope of data processing activities.

The CPRA will also require organizations to conduct regular risk assessments to evaluate their processing activities. All assessments must weigh the privacy risks created by the processing activity against the benefits that are provided. One of the factors that can be used to evaluate a processing activity is the use of consumers’ sensitive personal data. This assessment then needs to be submitted to the California Privacy Protection Agency (CPPA).

Businesses need to start identifying higher risk processing activities now and build a robust risk assessment framework to meet this requirement. This process will allow the business to conduct timely risk assessments and identify problem areas quickly. An effective data discovery process is the first significant step for businesses to properly audit and assess their processing activities. Without knowing what type of data is being stored, where and being collected, and for what processing purposes, a business cannot begin to evaluate the risks produced by its processing activities.

6. Protecting Children’s Personal Information

As per Section 1798.155(a) of the CPRA, any violation involving children’s personal information - i.e., personal information of a person below 16 years of age - would be automatically considered an intentional violation if the business, third party, service provider or contractor is found to have had actual knowledge. This offense carries along with an administrative fine of $7500 imposed by the CPPA.

Thus businesses would gain a lot from being able to discover children’s personal information within their databases so that they can take actions to provide added protection and ensure it remains within compliance with the CPRA.

7. Monitoring Third Parties’ and Vendors’ Compliance

As per Section 1798.100(d) CPRA significantly requires businesses to sign contracts with service providers, contractors, and third parties to whom they may share, sell or disclose personal information to.

The contracts must specify that the personal information is being sold or disclosed by the business only for limited and specified purposes and should obligate the third party, service provider, or contractor to comply with applicable obligations under the CPRA and provide the same level of privacy protection as is required by CPRA to the transferred personal information.

Furthermore, the CPRA requires that the contracts should grant the business rights to take reasonable and appropriate steps to help to ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations.

Furthermore, under Section 1798.140(ag) and 1798.140(j)(1), the CPRA requires businesses to annually monitor service providers’ and contractors’ compliance with the contractual limitations and protections afforded to the transferred personal information by various means including automated scans.

An automated data discovery process is essential for businesses in not only mapping their data flows of California consumers’ personal information - so as to ensure they take adequate steps to protect transferred personal information of Californian consumers - but also to be able to scan data inventories of third parties, service providers and contractors to ensure they are complying with the CPRA’s obligations and the required contractual protections.

What an Effective CPRA Data Discovery Process Looks Like

  1. An efficient and smart data discovery tool must allow an organization to effectively integrate with its disparate data assets through native connectors for frictionless and accurate data discovery across shadow and sanctioned data assets.
  2. The discovery tool further needs to enable organizations to thoroughly scan the data assets for metadata, such as vendor information or encryption status, and catalog it within relevant categories.
  3. The tool then needs to discover the data that exists in structured and unstructured data stores with high accuracy. Once the data is discovered, the tool must use smart contextual analysis to classify personal information and sensitive personal information under accurate categories and data elements, such as CVV, username, password, routing number, unique personal identifier, etc.
  4. The tool should include regional labeling so that specific data attributes can be labeled based on regional privacy regulations. Additionally, the tool should give system administrators the ability to apply other essential labels, such as sensitivity-based labels, policy, and privacy based.

How Securiti Streamlines Data Discovery for CPRA Compliance

Securiti delivers a 360-degree suite that enables hyper-scale organizations to efficiently meet security, governance, and compliance requirements. With the integration of Securiti’s AI/ML-enabled Data Discovery solution, organizations can enhance, streamline, and automate their data discovery process. The solution enables organizations to

  • Discover structured and unstructured data assets, spread across on-premise and multi-cloud environments
  • Create a single repository of searchable data assets, with accurate metadata
  • Discover and categorize disparate data across structured and unstructured data stores
  • Classify and tag relevant metadata
  • Tag specific attributes for global and regional compliance

Request a free demo today to learn more about Securiti’s Data Discovery solution.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend