The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
The California Privacy Rights Act (CPRA) was passed in November 2020. It amends the 2018 California Consumer Privacy Act (CCPA) introduced in response to rising consumer data privacy concerns. It has significantly impacted data collection and handling practices, giving consumers more control over how businesses handle their data.
Companies were given until January 1st, 2023, to achieve compliance. This article will discuss the key requirements of the CPRA and provide practical tips for companies to implement the necessary changes to ensure compliance.
The CPRA is California’s most technical privacy law to date. It resembles the EU’s older and more widely known General Data Protection Regulation (GDPR). The main difference is that the GDPR framework is built on legal bases for data processing, whereas the CPRA relies on opt-out consent.
The CPRA builds on the six original consumer rights introduced by the CCPA in 2018. As a reminder, the CCPA rights are:
CPRA created two additional rights:
The CPRA also introduced the California Privacy Protection Agency (CPPA), which is the privacy enforcement agency for the new regulations.
Data collection is a nearly universal activity for companies in the 21st century. Significant changes to data collection and handling practices can cause slight disruptions in operations. For example, the new regulations force businesses to re-evaluate their service provider and contractor relationships. Service providers and contractors, regardless of location, must abide by the same laws when dealing with businesses in California.
Since enforcement action is possible even when there has not been a breach, businesses must quickly understand their CPRA obligations and implement reasonable security procedures.
Non-compliance with CPRA regulations results in financial penalties, depending on the nature of the offenses.
Since the penalties are on a “per offense” basis, costs of non-compliance can easily reach millions, particularly in the event of a data breach.
The CPRA introduces the data minimization principle. Businesses should only obtain the personal information they need for their processing purposes. If you collect more data than you need, it’s time to update your collection practices. The collected data must be stored securely. A reputable cloud storage solution is an excellent way to keep consumer data.
With the eight consumer rights introduced by the CCPA and CPRA, you must update your privacy policy to abide by these regulations. Adequate policy notices for consumers should accompany the policy changes. You must provide the notices at the point where data collection starts. To re-purpose any already-collected data, you must first get consent.
To comply with the retention requirements of the CPRA, you must delete the personal data you no longer need. Establishing a data retention policy is a great first step towards compliance. The policy should include the categories of collected information, their purpose, and the time you plan to store it before deletion.
Service providers must abide by the same regulations. That’s why any third-party contracts must include adequate measures for handling data to ensure its protection and security. Service providers must notify you if they can no longer comply with your requirements.
Compliance with regulations is only the first step in consumer data protection. You should also take steps to improve your cyber resilience and minimize the chances of a data breach. Ensure employees use modern tools such as password managers to protect their online accounts. Train employees to recognize common scams attackers use to gain access.
You should also consider regular risk assessments and cybersecurity audits to identify system vulnerabilities. Knowing your risks will help you make the necessary changes to protect your data.
The CPRA requires businesses to provide consumers with links where they can change how they wish their data to be handled. Consumers must be able to opt out of the sale or sharing of their data. Additionally, consumers have the right to limit the use of sensitive information such as geolocation, health data, document numbers, etc.
Retaliation against customers who exercise their CPRA rights clearly violates the new regulations. Customers have rights, and you must comply with them to avoid financial punishment.
California businesses must comply with CPRA regulations. We also see other states implementing the same or similar data protection frameworks. Even if you’re not based in California, understanding these new laws and how they impact your business operations will help you start implementing positive changes.
The post The CPRA compliance checklist every business should follow in 2023 appeared first on Cybersecurity Insiders.