Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

CPRA Data Discovery: The Step Towards Personal Data Compliance

By Anas Baig | Reviewed By Omer Imran Malik

Published November 27, 2021

CPRA was passed on November 4, 2020, and introduced as an extension to its predecessor, the California Consumer Privacy Act (CCPA) that came into effect on January 1, 2020. CPRA strengthens the critical areas where the CCPA lacked and creates the first US agency dedicated to enforcing and protecting the privacy rights of individuals.

In essence, both the CCPA and CPRA attempt to enforce data privacy and data protection requirements that would generally require businesses, which are serving California consumers, to have the personal information of consumers properly categorized in a structured database so that the organization can easily revert to it for ensuring governance obligations, fulfilling privacy rights, assessing processing activities and meeting compliance requirements.

As the CPRA is soon coming into effect, i.e., in January 2023, organizations must rethink their data discovery process to ensure compliance, and thus, stay ahead of the competition.

7 Key Areas of Concern CPRA Data Discovery Tools Must Address

CPRA is a consumer-centric regulation that is formulated to strengthen consumers’ knowledge about their personal information and the processing activities related to it, as well as with whom it is shared with and for what purpose; while also ensuring they have better control (rights) over the collection, storage, and processing of their information by businesses.

For effective data mapping and compliance, it is imperative that businesses should have a better understanding of the new category of personal information added to the category and the extended consumer rights, along with the other revisions introduced into CPRA.

Discovering Sensitive Personal Information (SPI)

Under Section 1798.140(v), CPRA has co-opted the definition of personal information from CCPA:

“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Under the CPRA, personal information may include identifiers like name, alias, email address, IP address, other unique personal identifiers, social security number, passport number, driver’s license number, geolocation data, and biometric information, to name a few.

CPRA has also created a further sub-category related to“sensitive personal information” under Section 1798.140 (ae). Sensitive personal information (SPI) includes information such as a person’s social security, driver’s license, state identification card, passport number, financial account log-in information, financial account, debit card, financial access codes, credit card data, racial or ethnic origin, religious or philosophical beliefs, or union membership, biometric information, precise geolocation data, contents of a consumer's email, and text messages and genetic data.

The addition of this new category of PI also provides expanded rights to California consumers under CPRA Sections 1798.121 and 1798.135, allowing them to restrict the use or disclosure of their SPI.

The introduction of this new sub-category of personal information requires businesses to have a smart data discovery process that can discover and categorize personal information and sensitive personal information it may hold in its databases, at scale, while also keeping the false positive ratio to a minimum. Once the data is discovered and mapped accurately, businesses can design better access controls or use equivalent security measures to protect consumers’ SPI.

Honoring Data Subject Rights (DSRs)

CPRA is more celebrated than its predecessor, CCPA, because of the extended rights it delivers to California consumers. CPRA has derived some concepts from GDPR and introduced some new consumers’ rights, while also revising the existing rights, mentioned under the CCPA.

The data subject rights that were revised under CPRA, include

Right to Opt-Out of Third-Party Sales and Sharing: CCPA gave rights to consumers allowing them to opt out of the selling of personal information. CPRA strengthens the rights by adding “sharing” to the clause, enabling consumers to opt-out of the ‘renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means’ of their personal information by the business to a third party for the purposes of cross-context behavioral advertising.
Right to Know: CPRA extended the 12-month window as defined by CCPA, giving consumers the right to inquire businesses about their personal information collected within or beyond 12 months. It has also required businesses to disclose the categories of PI it has shared with third parties as well as the third parties it has shared the PI with.
Right to Delete: The right to request for deletion of PI requires businesses to instruct third-party vendors, service providers, or contractors to delete the personal information that might have been sold/shared to them by the business.
Right to Data Portability: Apart from having the right to ask businesses to send a copy of their personal information via mail or electronically, consumers can now also request businesses to transfer their personal information to a third-party entity.
Opt-In Rights for Minors: According to the new amendments, businesses now need to wait for 12 months before asking for the re-consent from a minor, regarding collecting, selling, or sharing of their personal information if the minor has refused to provide consent.

Rights that were added to CPRA include

Right to Correct Information: Consumers can now request businesses to fix any incorrect information they have on the consumers.
Right to Limit Use and Disclosure of Sensitive PI: CPRA enables consumers to direct businesses to limit the use of or not to disclose their SPI. However, this right is further subject to a few exceptions.
Right to Access Information About Automated Decision Making: The right authorizes consumers to direct businesses to explain the logical reasoning behind their automated decision-making processes.
Right to Opt-Out of Automated Decision-Making Technology: CPRA gives consumers the right to withdraw from the automated decision-making process.

To effectively comply with the DSR fulfillment, businesses must identify data containing PI and SPI of California consumers with great precision and link it to the respective consumer. For that to happen, businesses must put a leash on their data sprawl and understand where the data resides in their dynamic environments utilizing data intelligence to scan and recognize personal information within their databases.

Adding Protective Measures to an Added Data Breach Liability

While CCPA gave California consumers the right to take legal actions against a business that failed to protect their PI due to the lack of security measures, CPRA adds to the data breach liability with the inclusion of consumers’ accounts’ logins.

This further implies that businesses have to surgically locate the consumers’ logins across the vast data sets and add security measures like encryption, multi-factor authentication, and strict access control so that they can avoid strict regulatory action and enforcement, private court cases by affected data subjects and paying out huge penalties and compensatory awards.

Fulfilling Data Minimization and Retention Obligations

CPRA introduces certain GDPR-inspired obligations that were not included in the CCPA regulations, such as data minimization requirements as well as requirements to disclose the data retention period for different categories of personal information and sensitive personal information being collected.

If specifying the retention period against each category of PI or SPI isn’t possible, then businesses are required to define the criteria which are used to determine retention periods. The regulation further obligates businesses to not retain any information if it has fulfilled the purpose for which it was collected.

The obligation requires businesses to first scan deep through its structured and unstructured systems to detect categories and metadata, such as the purpose of retention, file creation, age metadata, etc. Lastly, the discovered data and labeled metadata need to be mapped to the respective consumer accordingly. This will allow businesses to keep track of the data whose retention period is expired, and thus, needs to be deleted for compliance.

Cyber Security Audits and Risk Assessments

The CPRA also requires that businesses that hold personal information that might “present a significant risk to its consumers’ privacy or security” perform an annual cybersecurity audit and submit it to the CPPA. This audit must be independent and thorough according to the law. To determine the risk of PI processing operations, organizations need to consider the following factors:

The size and complexity of data processing activities of the organization.
The nature and scope of data processing activities.

The CPRA will also require organizations to conduct regular risk assessments to evaluate their processing activities. All assessments must weigh the privacy risks created by the processing activity against the benefits that are provided. One of the factors that can be used to evaluate a processing activity is the use of consumers’ sensitive personal data. This assessment then needs to be submitted to the California Privacy Protection Agency (CPPA).

Businesses need to start identifying higher risk processing activities now and build a robust risk assessment framework to meet this requirement. This process will allow the business to conduct timely risk assessments and identify problem areas quickly. An effective data discovery process is the first significant step for businesses to properly audit and assess their processing activities. Without knowing what type of data is being stored, where and being collected, and for what processing purposes, a business cannot begin to evaluate the risks produced by its processing activities.

Protecting Children’s Personal Information

As per Section 1798.155(a) of the CPRA, any violation involving children’s personal information - i.e., personal information of a person below 16 years of age - would be automatically considered an intentional violation if the business, third party, service provider or contractor is found to have had actual knowledge. This offense carries along with an administrative fine of $7500 imposed by the CPPA.

Thus businesses would gain a lot from being able to discover children’s personal information within their databases so that they can take actions to provide added protection and ensure it remains within compliance with the CPRA.

Monitoring Third Parties’ and Vendors’ Compliance

As per Section 1798.100(d) CPRA significantly requires businesses to sign contracts with service providers, contractors, and third parties to whom they may share, sell or disclose personal information to.

The contracts must specify that the personal information is being sold or disclosed by the business only for limited and specified purposes and should obligate the third party, service provider, or contractor to comply with applicable obligations under the CPRA and provide the same level of privacy protection as is required by CPRA to the transferred personal information.

Furthermore, the CPRA requires that the contracts should grant the business rights to take reasonable and appropriate steps to help to ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations.

Furthermore, under Section 1798.140(ag) and 1798.140(j)(1), the CPRA requires businesses to annually monitor service providers’ and contractors’ compliance with the contractual limitations and protections afforded to the transferred personal information by various means including automated scans.

An automated data discovery process is essential for businesses in not only mapping their data flows of California consumers’ personal information - so as to ensure they take adequate steps to protect transferred personal information of Californian consumers - but also to be able to scan data inventories of third parties, service providers and contractors to ensure they are complying with the CPRA’s obligations and the required contractual protections.

What an Effective CPRA Data Discovery Process Looks Like

An efficient and smart data discovery tool must allow an organization to effectively integrate with its disparate data assets through native connectors for frictionless and accurate data discovery across shadow and sanctioned data assets.
The discovery tool further needs to enable organizations to thoroughly scan the data assets for metadata, such as vendor information or encryption status, and catalog it within relevant categories.
The tool then needs to discover the data that exists in structured and unstructured data stores with high accuracy. Once the data is discovered, the tool must use smart contextual analysis to classify personal information and sensitive personal information under accurate categories and data elements, such as CVV, username, password, routing number, unique personal identifier, etc.
The tool should include regional labeling so that specific data attributes can be labeled based on regional privacy regulations. Additionally, the tool should give system administrators the ability to apply other essential labels, such as sensitivity-based labels, policy, and privacy based.

How Securiti Streamlines Data Discovery for CPRA Compliance

Securiti delivers a 360-degree suite that enables hyper-scale organizations to efficiently meet security, governance, and compliance requirements. With the integration of Securiti’s AI/ML-enabled Data Discovery solution, organizations can enhance, streamline, and automate their data discovery process. The solution enables organizations to

Discover structured and unstructured data assets, spread across on-premise and multi-cloud environments
Create a single repository of searchable data assets, with accurate metadata
Discover and categorize disparate data across structured and unstructured data stores
Classify and tag relevant metadata
Tag specific attributes for global and regional compliance

Request a free demo today to learn more about Securiti’s Data Discovery solution.

CPRA Data Discovery: The Step Towards Personal Data Compliance

Get California Privacy Rights Act (CPRA) Readiness Assessment

7 Key Areas of Concern CPRA Data Discovery Tools Must Address

Discovering Sensitive Personal Information (SPI)

Honoring Data Subject Rights (DSRs)

Adding Protective Measures to an Added Data Breach Liability

Fulfilling Data Minimization and Retention Obligations

Cyber Security Audits and Risk Assessments

Protecting Children’s Personal Information

Monitoring Third Parties’ and Vendors’ Compliance

What an Effective CPRA Data Discovery Process Looks Like

How Securiti Streamlines Data Discovery for CPRA Compliance

More Stories that May Interest You

Newsletter

Company

Resources

Terms

Get in touch

CPRA Data Discovery: The Step Towards Personal Data Compliance

Get California Privacy Rights Act (CPRA) Readiness Assessment

7 Key Areas of Concern CPRA Data Discovery Tools Must Address

Discovering Sensitive Personal Information (SPI)

Honoring Data Subject Rights (DSRs)

Adding Protective Measures to an Added Data Breach Liability

Fulfilling Data Minimization and Retention Obligations

Cyber Security Audits and Risk Assessments

Protecting Children’s Personal Information

Monitoring Third Parties’ and Vendors’ Compliance

What an Effective CPRA Data Discovery Process Looks Like

How Securiti Streamlines Data Discovery for CPRA Compliance

Join Our Newsletter

Share

More Stories that May Interest You

CPRA Cookie Consent – All You Need To Know [2024 Guide]

A Breathing Room for Businesses : Court Decision Postpones CPRA Enforcement Until March 2024

CPRA Do Not Sell or Share My Personal Information – Definition

Newsletter

Company

Resources

Terms

Get in touch

What'sNew

What's
New