Securiti’s CPRA assessment evaluates your readiness for CPRA and reviews how compliant your current practices are. This assessment highlights any deficiencies in your practices and aids your CPRA compliance efforts.
The California Privacy Rights Act (CPRA) is on the ballot this November. It is expected to change the legal landscape of data privacy regulation by bringing significant changes to the California Consumer Privacy Act (CCPA) and imposing stricter obligations on businesses. Some of the key changes that will be introduced by the CPRA are as follows:
The CCPA currently applies to businesses who operate in California which:
The CPRA will only apply to businesses who operate in California, which:
November 2002: Ballot results are certified and CPRA is enacted if voted in
January 2021: CPRA becomes operative
February 2021: California Privacy Protection Agency gets established
July 2021: Rulemaking process commences
January 2022: 12-month lookback period for collected data commences
July 2022: Deadline for CPPA to adopt final regulations
January 2023: CPRA becomes fully operative and enforceable; employment and B2B exemptions expire, and those datasets become fully integrated by the CPRA
One of the strongest criticisms of the CCPA was that it failed to create an independent entity for the enforcement of the highly specialized data protection law. The CPRA, however, addresses this by creating a new dedicated enforcement authority, the California Privacy Protection Agency (CPPA).
The CPRA creates a new subset of personal information: sensitive personal information. Businesses cannot use sensitive personal information for purposes other than those for which it was collected unless they provide notice to the concerned consumer along with an opportunity to stop further processing.
The CPRA gives consumers new rights and modifies the already existing rights under the CCPA. Below is a consolidated list of rights under the CPRA:
The CPRA has expanded the types of covered personal information to include emails and passwords, two of the most common types of information leaked in data breach events. The CPRA also clarifies that any implementation of reasonable security measures after the occurrence of a data breach does not cure the violation.
Under the CPRA, businesses are required to honor opt-out and access requests received for the processing of personal information by automated decision-making including profiling. For the purposes of an individual’s right to object to profiling, businesses must provide meaningful information about the logic involved and a description of the likely outcomes of such decision-making processes.
The CPRA has introduced stricter penalties for failure to protect personal information belonging to minors. Any violation of the opt-in rule for the sale and sharing of personal information in relation to a minor can result in a $7500 administrative fine, which is three times the minimum amount of $2500. Moreover, the CPRA requires businesses to respect global opt-out preference signals identifying consumers as minors.
The CPRA introduces the following new notification obligations on businesses that were not explicitly part of the CCPA:
The CPRA classifies three distinct categories of entities a business is likely to interact with in relation to the processing of personal information of consumers and requires businesses to have written contracts to engage with them. These categories are contractor, service provider and third party. Businesses must take reasonable steps to ensure that the entities they are engaging with protect personal information as per the requirements of the CPRA.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.