Published on August 4, 2021. Author: Privacy Research Team
The California Privacy Rights Act (CPRA) was passed on the November 2020 ballot. 56% of California voters favored the law, which amends and strengthens the consumer data privacy rights granted by the CCPA in 2018.
Most notably, the CPRA grants new privacy protection rights to the employees of covered businesses. The exemption for employee data (originally provided by the CCPA) is scheduled to end on the same day the CPRA becomes effective, i.e. January 1, 2023. CPRA enforcement will begin six months later, on July 1, 2023.
Organizations will have additional obligations to treat employee and consumer personal information similarly when the CPRA goes into effect. The California Privacy Protection Agency (CPPA), the exclusive regulator and enforcement body set up by the CPRA, is expected to enact regulations adapting the CPRA's requirements and business obligations to employee data.
The CPRA grants the following DSR rights to employees concerning their Personal Information:
Securiti offers the DSR Automation Solution to help organizations honor all rights and simplify the process of fulfilling these rights. The solution turns manual work into an automated process that helps enterprises swiftly respond to data subject requests and enables coordination between stakeholders for reviews and approvals.
Similar to the CCPA notice requirement, which already applies to employers today (despite the general exemption on employee data), the CPRA requires businesses to notify employees before or at the point of collection of their personal information (PI) or sensitive personal information (SPI). The notice must include the following details:
Securiti provides a Privacy Notice creation and management solution that utilizes automation and data intelligence to continuously scan data stores, which dynamically updates the disclosure with any changes to the collection, processing, sharing, selling, or retention of personal data in real-time, ensuring compliance.
Securiti’s Consent Management solution helps organizations automate the collection and management of user consent. The solution updates consent status in real-time across systems to ensure organizations always honor the latest, up-to-date preference of the user.
Businesses must not collect additional PI/sensitive PI, or use already collected PI/sensitive PI of employees, for any purpose that is incompatible with the previously disclosed purpose unless they provide a new notice to the employee.
Securiti’s data mapping solution helps organizations discover, identify, and map personal data to its owners. Organizations can then create privacy notices and incorporate sensitive data intelligence into their practices to ensure that all the data protection principles have been complied with.
Businesses must only collect, retain, and sell/share employees' PI and sensitive PI that is necessary, minimal, and proportionate to the purpose for which it is collected.
Securiti provides a Privacy Notice creation and management solution that uses robotic automation and data intelligence to scan data stores, dynamically updating the disclosure in real time with any changes to the collection, processing, sharing, selling, or retention of personal data, ensuring compliance.
The CPRA mandates that businesses that process employees' personal information in a manner that "presents a significant risk to its consumers' privacy or security" perform an annual cybersecurity audit and submit it to the CPPA.
Under the law, this audit must be independent and thorough. To determine whether their PI processing triggers this requirement, organizations need to consider the following factors:
Businesses must plan now and engage a reliable third-party cybersecurity partner to complete the obligatory annual audits.
The CPRA also requires organizations to conduct regular risk assessments to evaluate the privacy risks of their processing activities. One factor that can be used to evaluate a processing activity is whether it uses employees' sensitive PI. Every assessment must weigh the privacy risks of the processing activity against the benefits it provides, and must then be submitted to the CPPA.
Organizations need to start identifying higher risk processing activities now and build a robust risk assessment framework to meet this requirement. This will allow the organization to conduct timely risk assessments and identify problem areas quickly.
Securiti’s Assessment Automation solution utilizes A.I. to help organizations complete PIAs, DPIAs, Readiness Assessments, and Transfer Impact Assessments. The relevant assessment is automatically triggered based on the determined risk.
Businesses must adopt reasonable and appropriate security practices to protect employees' PI. Failure to implement reasonable and appropriate security measures that results in a breach of employees' PI (or employee account and password details) may expose the business to a private right of action, with statutory damages ranging from $100 to $750 (or actual damages). However, the business has 30 days after receiving the mandatory notice to remediate the issue.
Businesses must notify employees of any breach of unredacted/unencrypted PI (or employee account and password details). Businesses must also notify employees if the PI was encrypted but the encryption key or security credential was compromised. The notification should be made as soon as reasonably possible; this period does not include the time needed to determine the breach's scope and restore the reasonable integrity of the system.
Securiti’s Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations meet breach notification requirements within hours of a security incident.
Businesses must enter into contracts with any third party, service provider, or contractor to whom they sell or with whom they share employees' PI, to ensure:
Securiti's Vendor Assessments solution helps organizations evaluate their current and prospective vendors' compliance with global privacy regulations. Specifically, it assesses how the vendor manages personal information and privacy and security risks. It also reviews how well the vendor has implemented security measures and how well the vendor complies with regulatory requirements.
Under the CPRA, organizations can be fined $2,500 per unintentional violation and up to $7,500 per intentional violation. In addition, fines for all violations involving the personal information of children under the age of 16 are $7,500 per violation if the organization had actual knowledge that the personal information belonged to a minor.
Organizations also no longer have a 30-day cure period before being fined for violations. Instead, the CPRA gives the CPPA the discretionary power to set the length of time allowed to resolve the issue.
Learn more about the CPRA vs. CCPA here.
The CPRA will take effect starting January 1, 2023, and enforcement will begin six months later (July 1, 2023). To learn more about the CPRA, and its importance, read this article.
Securiti has a suite of AI-powered solutions that have been customized to help organizations comply with the specific regulations of the CPRA.
Request a demo today and start your CPRA compliance journey with Securiti.