The California Privacy Rights Act (CPRA) is a privacy law approved by California voters as a ballot measure (Proposition 24) in November 2020, with about 56% voting in favor. It amends and strengthens the consumer data privacy rights first established by the CCPA in 2018.
The CPRA also imposes additional consumer privacy protection obligations on organizations. Most of its provisions take effect on January 1, 2023, and enforcement begins six months later, on July 1, 2023.
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, and came into effect on January 1, 2020. Often compared to the GDPR, the CCPA protects consumers from mismanagement of their personal data and gives them control over what data is collected, processed, shared, or sold. The California legislature passed the CCPA quickly in 2018 under pressure from privacy advocates, who agreed to withdraw a pending ballot initiative in exchange for the statute.
The CPRA amends and expands the CCPA, creating new requirements, consumer privacy rights, and enforcement mechanisms for covered organizations. Once the CPRA takes effect on January 1, 2023, it supersedes the CCPA. Until then, CCPA requirements continue to apply to covered businesses.
One of the CPRA's applicability thresholds covers businesses that annually buy, sell, or share the personal information of 100,000 or more California consumers or households. Under the CCPA, the threshold was 50,000 consumers, households, or devices. Some small businesses that were subject to the CCPA will therefore fall outside the CPRA.
The CPRA also applies to organizations that derive 50% or more of their annual revenue from selling or sharing consumers' personal information. Under the CCPA, this provision covered only businesses that "sell" consumers' personal information (PI); the CPRA adds "sharing".
The CPRA introduces the category of Sensitive Personal Information (SPI), which is subject to stricter disclosure and purpose limitation requirements. The law requires security measures appropriate to the nature of the information, so SPI needs stronger protection than ordinary PI.
The CPRA also gives consumers the right to ask organizations to limit the use of their SPI.
SPI covers highly sensitive data such as Social Security, driver's license, state identification card, and passport numbers; account log-in credentials, or financial account, debit card, or credit card numbers combined with any required security code, access code, or password; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of mail, email, and text messages, unless the business is the intended recipient; genetic data; biometric information processed to uniquely identify a consumer; health information; and information about a consumer's sex life or sexual orientation.
Like the CCPA, the CPRA prohibits selling (and now also sharing) the personal information of a consumer under the age of 16 without affirmative opt-in consent. Under the CPRA, however, violations involving the personal information of consumers under 16 carry the same administrative fine as intentional violations: up to $7,500 per violation. This gives children's personal information extra protection.
The CPRA grants consumers additional rights regarding their personal data.
Data subjects may request to limit the use and disclosure of their sensitive PI for specific secondary purposes, including disclosure to third parties.
Data subjects can request the correction of inaccurate PI held by the organization.
The CPRA directs the CPPA to adopt regulations giving data subjects the right to request meaningful information about the logic involved in automated decision-making processes applied to their personal information, including a description of the likely outcome of those processes for the consumer.
Under the same regulations, data subjects may opt out of the use of automated decision-making technology, including profiling, in connection with decisions about them.
The CPRA has also expanded or modified the organization’s obligations in fulfilling consumer rights requests granted by the CCPA.
Consumers can now require a business that receives a deletion request to instruct its service providers, contractors, and any third parties to which it sold or shared the personal information to delete it as well.
In response to a request to know, businesses must provide the PI specified in the CCPA together with the categories of PI they have sold or shared, and the categories of third parties they sold or shared it with.
Data subjects now have the right to opt-out of both the sale and sharing of their PI with third parties, including for the purposes of cross-context behavioral advertising.
Data subjects have the right to ask organizations to transmit specific pieces of PI to another entity, in a structured, commonly used, machine-readable format, to the extent this is technically feasible.
As under the CCPA, businesses must notify customers, employees, job applicants, and other workers at or before the point of data collection. Under the CPRA, that notice must also state the retention period for each category of personal data collected.
Businesses are only allowed to retain PI as long as it is ‘reasonably necessary’ for the business/commercial purpose the PI has been collected for.
At or before the point of collection of SPI, the CPRA also requires organizations to tell consumers which categories of SPI are being collected, the purposes of collection, and how long the SPI will be retained.
Businesses must also notify minors if they intend to sell or share their personal data. After a consumer under 16 has declined to consent to the sale or sharing of their personal information, the business must wait at least 12 months, or until the consumer turns 16, before asking for opt-in consent again.
The CPRA also expands what a privacy notice must contain. From January 2023, organizations must update their privacy notices with additional disclosures, including the categories of SPI collected and the purposes for which it is used, whether personal information is sold or shared, and the retention period (or the criteria used to determine it) for each category of personal information.
Unlike the CCPA, the CPRA creates an exclusive agency for the interpretation and enforcement of the law - the California Privacy Protection Agency (CPPA). Tasked with taking over rule-making power from the California Attorney General, the CPPA shall be the first US-based regulatory authority exclusively focused on data privacy issues.
The CPPA will not only issue guidance on the CPRA but will also have the power to investigate violations, conduct hearings, and impose administrative fines on covered entities.
The CPRA requires organizations whose processing of personal information "presents significant risk to consumers' privacy or security" to perform an annual cybersecurity audit. The law directs the CPPA to define the scope of the audit in regulations, and it states that the audit must be thorough and independent.
In determining when processing presents significant risk, the law says the factors to consider include the size and complexity of the business and the nature and scope of its processing activities.
The same organizations will also be required to conduct regular risk assessments of their processing activities and to submit them to the CPPA. Each assessment must weigh the benefits of the processing to the business, the consumer, other stakeholders, and the public against the potential risks to consumers' rights, with the goal of restricting or prohibiting processing whose risks outweigh its benefits. Whether the processing involves consumers' sensitive personal information is one of the factors the assessment must identify.
Organizations need to start identifying higher risk processing activities now and build a robust risk assessment framework to meet this requirement. This process will allow the organization to conduct timely risk assessments and identify problem areas quickly.
Under the CCPA, consumers can bring a civil suit against a business for actual damages or statutory damages of $100 to $750 per consumer per incident (whichever is greater) when the business fails to implement reasonable security measures and their unencrypted or unredacted personal information is exposed in a breach. The CPRA extends the categories of PI that qualify for this private right of action to include an email address in combination with a password or security question and answer that would permit access to the account. Because stolen credentials feature in a large share of breaches, this change could substantially increase the liability of businesses that suffer one.
Organizations must limit their collection of PI to what is reasonably necessary for its disclosed intended purposes.
Organizations that decide to use PI differently than previously disclosed must notify all data subjects before proceeding.
The CPRA requires that organizations retain PI no longer than is "reasonably necessary" for each disclosed purpose. Organizations must also disclose, at the time of collection, the retention period for each category of PI; where that is not possible, they must at least disclose the criteria used to determine the retention period.
Here are some commonly asked questions related to CPRA vs. CCPA:
The CCPA is enforced in California by the Office of the Attorney General (OAG). The OAG sends notices of alleged non-compliance to organizations, and can levy fines and seek other penalties for serious violations.
The GDPR's enforcement model is different: each of the 27 EU member states has at least one national data protection authority responsible for enforcing both the GDPR itself and the member state's national implementing legislation. These authorities cooperate with one another to enforce the GDPR consistently across the EU.
That's a somewhat complicated question. For starters, ever since the GDPR came into effect, an increasing number of countries have adopted similar data protection regulations. For many organizations, ensuring adequate privacy measures are in place is now a legal obligation, not merely sound business practice.
Users are also much better informed about their rights, so organizations have an added responsibility to be transparent about how they collect users' data.