California may be well known for being a laid-back state, but it’s been one of the most rigid states regarding data privacy regulation, comparable to GDPR. The most recent amendment to CCPA, the California Privacy Rights Act (CPRA), takes an extended step regarding data privacy protection
Click here to download the checklist for yourself – or continue reading for further details on CPRA!
What’s the deal with CPRA?
The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA) that goes into effect on Jan 1, 2023. CCPA was amended to protect the personal data of California employees (B2E) and business-to-business (B2B) contacts and requires all organizations collecting California resident data to apply more extensive protections, such as privacy risk assessments, data minimization and retention policies.
The CPRA now focuses data rights on b2b relationships and employees – from transparent data disclosure to more vigorous enforcement and higher awareness of privacy risks related to data collection and processing — and accounting for any data tied to California employees, businesses, and residents.
Who does the California Privacy Rights Act protect?
Any individual who is a California resident employee and a service provider/vendor, contractor, consultant, applicant, freelancer, and remote worker can reasonably be identified.
Employee & B2B Data Rights
- Right to know: Employees, contractors, and service providers have the right to know what data is being collected and managed with the right to access copies of “specific pieces of personal information.”
- Right to access: Similar to consumers, employees will be able to submit a data subject access request (DSAR) to their employer for access to their information, with some exceptions.
- Right to use and disclose: The right to request that a business limit or stop the use and disclosure of sensitive personal information.
- Right to correct: The right to request that the business correct inaccurate information.
- Right to opt-out: The right to opt-out of having personal information sold or shared.
- Right to Leniency: The right to not be retaliated against for exercising any data rights.
What the CPRA Now Means for Organizations
The CPRA new compliance guidelines focus on specific requirements for privacy risk assessments, retention policies, and data minimization principles:
- Data Minimization: CPRA requires organizations to implement minimization principles to determine whether data is adequate, relevant, and limited to what is necessary to the purposes of the data being used.
- Data Retention Policies: Businesses are required to apply retention policies to assure data isn’t kept for longer than reasonable necessary to reduce privacy risk.
- Privacy Risk Assessments: To evaluate risk, CPRA requires businesses to conduct annual internal cybersecurity audits and to submit privacy risk assessments to the California Privacy Protection Agency (CPPA – rulemaking authority)
Download the CPRA compliance checklist to focus on the seven areas you need to prioritize to become CPRA compliant, including how to:
- Better understand the CPRA requirements
- Map and inventory b2e & b2b data
- Fulfill CPRA data rights
- Define breach thresholds & response workflows
- Validate compliance with policy refinement and risk assessments
How BigID Helps with the CPRA
BigID helps organizations adapt to privacy regulations like CPRA. Leverage BigID to achieve full compliance with CPRA by using risk assessments, self-service portal, automated DSAR fulfillment, and regulatory reporting to automate privacy compliance. With BigID, organizations can:
- Discover and classify all CPRA
- Map and inventory CPRA data by individual, HR, & B2B data
- Streamline data flow mapping to monitor privacy risk
- Automate end to end data rights fulfillment
- Execute data retention policies at scale
- Conduct privacy risk assessments to safeguard data
- Manage and monitor third-party data sharing