CCPA’s requirements around stronger data rights for consumers are keeping privacy practitioners busy. But many businesses may not have a moment to catch their breath before California’s next round of data privacy laws, the California Privacy Rights Act (CPRA, a.k.a., CCPA Version 2.0) further expands data protections for consumers — and regulations for businesses.
Why New California Privacy Regulations … Already?
Some feel that CCPA did not go far enough. Specifically, the group that originated the CCPA — the Californians for Consumer Privacy — seemed to suffer from seller’s remorse after CCPA passed.
“Some of the world’s largest companies have actively and explicitly prioritized weakening the CCPA,” says Alastair Mactaggart, the head of the Californians for Consumer Privacy.
Plus, “technological tools have evolved in ways that exploit a consumer’s data with potentially dangerous consequences. I believe using a consumer’s data in these ways is not only immoral, but it also threatens our democracy,” he says.
New Protections Under the California Privacy Rights Act (CPRA)
With the CCPA apparently weakened, the group laid out the new California Privacy Rights Act ballot initiative for November’s election.
The CPRA is essentially an amendment to the CCPA and proposes legislation that will strengthen certain provisions of the original law, as well as introduce some new protections. Some of these include:
- establishing a dedicated state privacy regulatory authority to handle enforcement
- extending the scope of regulated data
- instituting new consumer data rights that govern the processing and sharing of data
- amending breach liability
- creating requirements for data minimization
In short, the CPRA presents a new set of requirements that will compel enterprises to know their data and leverage data intelligence to underpin responsive, flexible, and comprehensive privacy programs.
New Definitions and Provisions Under CPRA
Enforcement Under the California Privacy Protection Agency
CPRA would establish the California Privacy Protection Agency, the first agency in the U.S. with rulemaking authority that is exclusively devoted to privacy.
The agency would take over the California Attorney General’s role in enforcement, and now be able to go after companies without giving them a 30-day period to mitigate their violations.
Defining Sensitive Personal Information (SPI)
“Sensitive personal information” (SPI) is a new term that would exist under CPRA.
Beyond personal information (PI), SPI includes information like social security numbers, drivers license numbers, state ID cards, passport information, precise geolocation, user credentials, financial and health information, “sex life” or sexual orientation data, biometric and genetic data, racial or ethnic origin, religious or philosophical beliefs, or union membership — as well as contents of mail, email, and SMS messages.
The Right to Correction
The first of the CPRA’s new game-changing consumer rights provisions is the “right to correction,” which stipulates that companies must offer consumers the ability to update and correct inaccurate information a company may have about them.
Where to start: Discover and inventory all sensitive and personal data belonging to an identity — direct and inferred — for a full picture of what consumer data you’re collecting.
Right to Limit the Use and Disclosure of Sensitive Personal Information
The second significant provision related to data rights offers consumers the ability to limit the purpose of collecting and processing SPI to only those purposes necessary to provide goods or services requested.
The Right to Know
The CPRA has broadened the scope of the CCPA’s “right to know” provision to specifically include personal information that is collected and sold or shared. Businesses need to disclose up front what categories of information is collected and shared with a third-party service provider or contractor.
Where to start: Inventory SPI, document data flows, and automate “right to know” fulfillment processes for a stronger privacy management program.
The Right to Delete
CPRA clarifies CCPA’s “right to delete” to require that third parties, service providers, and contractors must comply with a valid deletion request.
Where to start: Determine what data should be deleted and where it’s located, and ensure ongoing deletion validation via automated queries.
Do Not Sell
The infamous mandate of “do not sell” personal information is also stronger. It now includes the ability to opt out of the sharing of information — not just its sale — for behavioral advertising purposes.
Where to start: Track and document preference management, consent, and all third-party data sharing.
Data Minimization and Data Retention
In addition to the expanded scope of regulated information, the proposed law includes data minimization and data retention requirements. Businesses would have to disclose how long they keep data and ensure that the timeline is only as long as is “reasonably necessary.”
Where to start: Define and enforce data retention rules with automated workflows, and uncover duplicate, derivative, and similar data for privacy-compliant governance and effective reporting.
Data Breach Liability
The CPRA amends CCPA’s data breach liability provision to include breaches resulting in the compromise of a consumer’s email address in combination with a password or security question. This is in line with a growing number of states, such as New York’s SHIELD Act, who are including user credentials as data worthy of breach notification.
Where to start: Discover and correlate personal information like an email address with passwords to better protect it from potential breaches. Identify potentially impacted users from known data breaches for proactive incident response.
Compliance Challenges with CPRA, and How BigID Can Help
The CPRA presents a number of practical challenges for compliance.
The first is the need for deeper discovery. Traditional approaches to data discovery do not consistently identify the data that is now in scope, especially with the newly defined SPI. The proposed legislation’s new data rights create a deeper need for businesses to understand personal information in context so they can appropriately process SPI, facilitate the opt-out of sale and sharing, and have the ability to put limitations on the use of that data.
The proposed law’s expansion of breach liability to include email and password combinations also puts more data at risk. This requires that companies be able to automatically link and classify data, and understand how identifiers are related to each other based on measures like proximity.
The new minimization and retention requirements based on a disclosed purpose create the need to identify duplicate and redundant data, which extends into the data governance space.
With BigID, companies can get ahead of these challenges by:
- Knowing their data: combine the identification of PI and classification of sensitive data
- Understanding whose data it is: identity profiling and data indexing that covers PI and SPI — including geolocation
- Minimizing duplicate or sensitive data: enable data minimization with duplicate identification and apply retention rules for SPI based on a disclosed purpose
- Managing data risk: discover, classify, and map user credentials to apply controls for breach risk reduction
- Ensuring they’re sharing the right data: track and report sharing with third parties
- Reporting on whose data they have: enable correction workflows and validate whether geolocation is being captured
While it’s still not certain that CPRA will become official, the Secretary of the State of California recently declared that CPRA had enough votes to qualify for the general election ballot. All the proposed law needs are enough Californians to say “yes” to it this coming November.
If that happens, businesses focused on CCPA compliance — and those who have not — may have some catching up to do. Getting ahead of the constantly evolving compliance landscape is never a bad idea.