The California Privacy Rights Act (CPRA) has amended several provisions of its predecessor, the California Consumer Privacy Act (CCPA). Set to take effect from January 2023, the new and improved consumer privacy legislation comes with stricter rules, lesser exemptions, and enhanced consumer privacy rights. Consequently, the CPRA imposes further responsibilities on businesses, service providers, third parties, and contractors concerning consumer data privacy.
Businesses that have attuned their data processing operations to CCPA privacy requirements would face reduced friction when they switch to the CPRA. Yet, the question remains, “Is every business subject to the CPRA fully compliant with its requirements?” The answer is no.
An alarming study by Osterman Research reveals that so far, only 36% of organizations claim to be fully compliant with the CCPA, while only 24% maintain that their overall privacy framework is “very” mature. This study raises serious concerns about what challenges businesses might be facing that significantly hinder their compliance effort under the data privacy legal framework.
Businesses Do Not Know Where Their Data Exists
The CPRA retains the definition of ‘personal information’ from the CCPA while introducing a special sub-category with enhanced protections, i.e., sensitive personal information. The CPRA, like its predecessor, the CCPA, specifies extensive requirements in relation to the collection, use, sale, retention, and disclosure of consumers’ personal information.
In order to fulfill the foregoing requirements, businesses must have a deep understanding of their data processing operations. Unfortunately, many businesses lack awareness and vigilance regarding what data they own, maintain, or license or where it is located in their ever-expanding data environment.
A concerning example of this was recently revealed by an ex-Twitter whistleblower who stated that the company did not know “what data they have, where it lives and where it came from and so.”
In the present times, data processed by businesses are spread across on-premise infrastructure, SaaS applications, IaaS, data lakes, data warehouses, and other multiple cloud services.
Businesses must gain intelligence around their data resources by having a robust data discovery and intelligence framework. For this purpose, they should identify and discover all data retained by them across structured and unstructured systems.
Moreover, businesses should tag the data with metadata and context to create a single source of truth or provide tribal knowledge across departments. Further, all the data types must be tagged with relevant data elements and listed down under relevant categories.
No More Impunity for Businesses for Vendor Violation
As per CPRA Section 1798.100(d)(3), a business must take reasonable and appropriate steps to help to ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business's obligations under the law.
If the proposed CPRA regulations are enacted, businesses may face further compliance issues. § 7051(c) of the draft CPRA regulations specify that a business’s due diligence in relation to its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using consumers’ personal information in violation of the law.
Therefore, if a business fails to conduct due diligence - for example, it never enforces the terms of the contract entered into with a service provider or contractor as per the CPRA or never exercises its rights to audit or test its service providers’ or contractors’ systems, then it may not be able to rely on the defense provided under Cal. Civ. Code § 1798.145(i), which grants impunity to businesses in the event a violation of the CPRA occurs on the part of a service provider or contractor to whom a business has disclosed consumers’ personal information provided at the time of disclosure, the business had no actual knowledge, or reason to believe, that the service provider or contractor intended to commit such a violation.
Vendor risk assessment, as a principle, has been introduced and implemented by other global privacy laws, such as the European Union’s General Data Protection Regulation (EU GDPR). In fact, it has been revealed that organizations are now paying more attention to vendor risk management when compared with previous years, with legal and compliance teams showing the most interest.
Surprisingly, the same study reveals certain aspects of vendor risk assessment that add further complexity to risk assessments. For instance, 45% of organizations still heavily rely on manual assessment processes. Manual assessments via spreadsheets result in added complexity and unnecessary workload and effort on the part of the assessment teams. Consequently, it increases the reporting time from a week to more than 90 days, as illustrated in the study.
Businesses must be diligent and efficacious in optimizing their assessment process. Assessment templates must be created for varying regulations and industry standards so that teams do not have to create assessments from scratch each time.
Similarly, businesses must enable third-party integrations with data mapping tools to discover protection gaps and remediate risks. Lastly, businesses should automate their assessment processes, including reviews and follow-ups so that the assessment period can be shortened from an average of 90 days to a week or a few days.
Businesses Aren’t Protecting All Their Data Adequately
The CPRA, under Cal. Civ. Code § 1798.100(e) requires businesses that collect consumers’ personal information to implement reasonable security procedures and practices appropriate to the nature of the personal information in order to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure.
The Osterman Research report reveals that businesses have varying controls related to identity access and management around different data types. Moreover, businesses do not ensure equally adequate controls across all their datasets. For instance, the research states that 69% of organizations report having “well” or “extremely well” controls concerning who can access corporate data. But 47% of personnel believe that they do not have adequate technical and organizational controls regarding personal data falling within the scope of the CPRA. This alarming revelation shows that many businesses' actual data privacy and security practices are inadequate in the face of the ‘reasonable and appropriate security procedures and practices’ requirement imposed by the CPRA.
One of the challenging aspects that hinders a business’s ability to enforce strict data access governance controls around the data they own or manage is that they lack awareness of all users and roles across the environment that have access to the data. As data is spread across varying data systems and geographies, it is critical to track it and understand which global regulations and cross-border considerations are applicable to it.
The same regulatory knowledge further enables teams to assess and implement proper controls. These controls may include modern processes like field-level encryption, data pseudonymization, least privilege access, and data masking. With automated data masking, businesses can enable the broad sharing of data across different departments and jurisdictions in a secure manner.
Businesses Lack Employees’ CPRA Readiness
Ensuring CPRA compliance isn’t the responsibility of a single team in an organization, such as the legal or compliance team. In fact, every department or individual that directly or indirectly manages or handles data should work in tandem to ensure compliance. To be able to get every department on the same page, businesses must conduct CPRA or privacy training. The training must focus on developing a better understanding of national and global data laws, data privacy and security hygiene practices, and employee ethics.
Unfortunately, most organizations lack such privacy training programs, which may ultimately undermine their CPRA compliance efforts. The Osterman Research cites that 54% of organizations do not have a privacy training program on CPRA for their employees. Where the lack of training programs generally undermines businesses’ CPRA compliance efforts, the same may also be construed as violating the CPRA.
CPRA Section 1798.130(6) requires organizations to ensure that all personnel responsible for handling consumer inquiries about the business’s privacy practices or compliance with the CPRA must be informed of the consumer’s data subject rights as per CPRA Section1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.125, and 1798.130. Further, the section mandates that businesses train their employees on how to direct consumers to exercise their rights under the aforementioned legal provisions.
Businesses may develop in-depth CPRA training courses for their employees that tackle key areas like general business responsibilities for data processing, fulfillment of data subject rights, provision of notices, making of disclosures, etc.
Take CPRA Assessment
This isn’t an exclusive list of the CPRA challenges that businesses face but just the tip of the iceberg. There are a number of other complexities that businesses must actively identify and resolve in relation to fulfilling the CPRA requirements.
For starters, a quick CPRA assessment test, which lists some important questions related to the data privacy law, can enable organizations to assess their CPRA standing, identify compliance gaps, and resolve them to achieve complete compliance.
Take a quick CPRA assessment now - it’ll take only a few minutes.
