Although that date may yet appear some way off, we’ve put together an overview of the things organisations should look out for when thinking about how best to approach the CPRA, and indeed their current approach to the California Privacy Protection Agency (CCPA).
Who does it apply to?
The CPRA has the same applicability as the CCPA. It applies to businesses in California that generate over $25 million in annual gross revenue and collect, use and share the personal data of Californian citizens.
Changes concerning how and why data is used and stored
The CPRA notes that the collection, storage and use of consumer information should be “reasonably necessary and proportionate” to accomplish the organisation’s given purpose. Much like the GDPR, the CPRA makes certain provisions around data minimisation, and the purpose and conditions of storage of consumer data. Simply put, businesses should understand what Personal Data is held, why it is used, how long it is required, and where it is stored.
This understanding of how and why personal data is used should form the basis of any organisation’s data governance policy, and organisations should seek to address the CPRA with a combination of tools that solve for risk control, data minimisation, purpose limitation and data retention and deletion. Asking these questions will allow organisations to lay the foundations for proving compliance with the CPRA whilst also driving trust and transparency around data processing activities – benefits that should be passed on to consumers to drive revenue and long-term customer engagement.
A key change between the CCPA and CPRA lies in the extension of rights afforded to consumers. For example, in the case of data-sharing arrangements where citizens’ data may be shared with external third parties, consumers now benefit from the option to opt out of any such data-sharing arrangement. This will manifest itself in an adjustment to the ‘Do Not Sell’ link, which will now read ‘Do Not Sell or Share’. (The ‘Do Not Share’ wording extends the scope of the existing regulation so as to cover cases not predicated on the exchange of data for monetary value.) In addition to opting out of data sharing, consumers will also be afforded the right to rectify inaccurate personal data, much like in the GDPR. If they haven’t done so already, businesses will need to adopt the right internal policies and tools to manage the growing number of data subject rights requests they are now obliged to handle.
Changes to Special Category Data
Further to the ‘Do Not Sell / Share’, organisations will also need to provide greater transparency and flexibility to consumers around the use of Sensitive Personal Information, a newly defined category of data. Examples of sensitive personal information include Social Security numbers, driver’s licenses, passport numbers, locations, genetic information and sexual orientation. Much like the ‘Do Not Sell or Share’, consumers will benefit from an extension of rights that allows them to restrict organisations in their use of Sensitive Personal Information. As such, businesses will also need to create a ‘Limit the Use of My Sensitive Personal Information’ link.
So, what now?
Although the CPRA only comes into effect in 2023, it extends much of the existing regulation to bring California’s privacy laws closer into line with the GDPR. At their core, these laws are designed to improve a business’s own understanding of how and why consumers’ data is used, and to build trust and transparency around these processes with consumers.
If you’d like to learn how Trunomi helps global businesses operationalise the CCPA, GDPR and all Global Regulations, request a demo at firstname.lastname@example.org.