What Is CPRA?
There are roughly forty million people residing in the State of California – more than one in eight United States residents. If your company does business in the US, there’s a good chance that your business uses the personal information of California residents and is subject to the California Privacy Rights Act (CPRA).
California’s new data privacy law, CPRA, recently went into effect, with enforcement starting later this year. This has many businesses asking themselves whether they’re compliant with CPRA, and how to prepare for the start of CPRA enforcement.
In this post, we will cover the history of data privacy laws in California, how CPRA differs from its predecessor, the California Consumer Privacy Act (CCPA), and what your business can do to help ensure compliance.
The History of California Data Privacy Laws
CCPA, the predecessor of CPRA, was a groundbreaking data privacy law when passed in 2018.
When CCPA went into effect on January 1, 2020, it gave California consumers the right to know what personal information businesses were collecting about them, the right to request that their personal information be deleted, and the right to opt-out of the sale of their personal information.
The combination of these rights gave millions of consumers more control than ever before over their personal information.
CCPA’s Shortcomings Give Rise to CPRA
However, CCPA had some limitations, and it faced criticism from privacy advocates for not going far enough to protect the privacy of California residents. In response, a ballot initiative was put forward and passed by California voters, resulting in the passage of CPRA.
CPRA, which builds upon and expands CCPA, went into effect on Jan 1, 2023, with enforcement beginning July 1, 2023.
By passing CPRA, California’s stance on data privacy has aligned more closely with the EU’s GDPR. This means that technologies that enable GDPR compliance are useful to businesses that need effective ways to comply with CPRA.
Who Must Comply with CPRA?
CPRA applies to businesses that collect, process, share, or sell the personal information of California residents, and it applies to both online and offline data collection. If your business is already required to comply with CCPA, you will likely need to comply with CPRA.
Any business that’s expanding into the California market will be required to comply with CPRA if they meet one or more of the following criteria:
- Have revenues exceeding $25 million
- Annually sell, buy, receive, or share personal information of 100,000 or more California consumers for commercial purposes
- Derive 50% or more of annual revenue from selling or performing targeted advertising using personal information
This is somewhat similar to the threshold requirements that determine which companies were required to comply under CCPA, but CPRA has introduced several additional changes to California privacy regulations.
Let’s look at these changes next.
What Else Has Changed with CPRA?
You can think of CPRA as an expanded and improved version of CCPA, with numerous differences in scope, enforcement, and approach to data breaches – as well as fines and penalties for CPRA violations.
CPRA Scope and Enforcement
CPRA introduces several changes to the scope and enforcement of California residents’ data privacy rights.
One major change is that CPRA adds a new category of information, sensitive personal information (SPI), that increases the amount of data that falls under the scope of compliance.
The following are some examples of the various types of SPI: login ID and password, precise geolocation, race and ethnicity, sexual orientation, and genetic data.
CPRA also expands the scope of data regulation to include the sharing of personal information and its use in targeted advertising. And, it establishes the nation’s first agency dedicated to privacy regulation and enforcement, the California Privacy Protection Agency (CPPA).
Finally, CPRA expands the protection of California residents’ personal information to go beyond protecting just the consumer (B2C) data within the scope of CCPA. With CPRA, B2B data, HR data, and personal information held in other contexts have the same protections as consumer data.
And as we’ll see next, CPRA also changes what’s considered adequate remediation for data breaches.
Data Breach Remediation under CPRA
Under CPRA, the implementation of security practices and procedures after a data breach is no longer considered a proper defense or remediation for that data breach.
This change is welcomed by privacy advocates, who pointed out that CCPA didn’t do enough to motivate proactive approaches to preventing data breaches or limiting their scope.
CPRA Fines and Penalties
CCPA already has provisions to fine businesses between $2,500 and $7,500 per violation for data breaches, and those provisions remain in effect with the passage of CPRA.
Additionally, CPRA gives individuals a right to penalize violations by taking legal action, letting them or their lawyers bring lawsuits to recover up to $750 per consumer, per incident, or actual damages – whichever is greater.
Now that we’ve reviewed what CPRA includes, we’ll look at how companies can prepare for CPRA enforcement.
How Can I Prepare for CPRA Enforcement?
If you have already reviewed your privacy program to confirm compliance with other data privacy regulations, such as HIPAA and GDPR, great! You’re off to a good start. If not, you should review CPRA regulations in full to determine whether your company is subject to CPRA, and review CPRA analysis from privacy experts.
And, even if your business isn’t subject to CPRA, you should consider working to comply with it. Doing so will help you to be ready for the data privacy laws currently in effect in other states, such as Colorado, Connecticut, Utah, and Virginia – as well as the draft privacy bills that could soon become law in 27 other states.
The following list of actionable steps can help your organization to become more proactive about protecting personal information, so that you’re ready when the CPPA begins CPRA enforcement, and well-prepared to comply with other data privacy laws.
#1 Use a Privacy by Architecture Approach
CPRA compliance becomes much easier when you have all personal information that’s subject to CPRA isolated in a data privacy vault, where it’s separated from other data, protected, and subject to fine-grained data governance.
When you isolate (or centralize) personal information in a data privacy vault, you avoid one of the major issues with data security: sensitive data sprawl.
Data sprawl occurs when sensitive data like names or social security numbers are replicated from one system to another, increasing the amount of infrastructure impacted by regulatory compliance.
Read on to learn more about this problem, and how to solve it.
#2 Data Classification and Mapping for Personal Information
Data classification and mapping for CPRA starts with reviewing the definitions of personal information and sensitive personal information (SPI).
With these definitions in mind, your organization needs to identify all of the data you collect across your organization, where it’s stored, and how you’re approaching data retention for personal information (including SPI).
CPRA forbids indefinite retention of personal information, so you need to identify all personal information and SPI that you collect across your organization, and build and operationalize retention schedules around this data.
#3 Plan Ahead for DSARs
After you’ve completed data classification and mapping for CPRA, you should plan how you will respond to DSARs (Data Subject Access Requests) for personal information. And, keep in mind that DSARs won’t only come from current and former customers because personal information gathered for B2B and HR purposes is also within CPRA’s scope.
DSARs can be very expensive to handle if you don’t have a process in place, and manage them on an ad-hoc basis. So, you should develop detailed plans for various types of DSARs (from customers, current and former employees, etc.) and document these processes.
And, after you plan your DSAR response, you should consider rehearsing that process so you’re confident in your plan before you receive your first DSAR.
Next, let’s look at how you can use a privacy-by-architecture approach that eases the technical aspects of CPRA compliance with a data privacy vault.
Ease CPRA Compliance with a Data Privacy Vault
Whether you’re looking to comply with CPRA, GDPR, or another data privacy law, the only certainty is that data privacy laws will continue to evolve – creating potential disruptions for companies that use personal information.
That’s why we believe that the best way to prepare for this uncertainty is to develop a strong privacy posture, going beyond what’s required by current laws to future-proof your business and protect personal information from misuse.
Improve Your Privacy Posture with Skyflow
Skyflow Data Privacy Vault isolates, secures, and tightly controls access to manage, monitor, and use personal information. It uses a set of advanced data protection techniques, including advanced encryption, redaction, and fine-grained access control to isolate, protect, and govern personal information.
Skyflow is not only highly secure, it’s also highly interoperable, with a simple but intuitive API and support for sensitive data integrations with trusted third parties. This helps you maintain a strong privacy posture throughout the lifecycle of personal information used by your business.
To learn more about these capabilities and how Skyflow can help you protect the privacy of personal information without sacrificing data utility, check out our data privacy vault blog post.
Since data sprawl poses such a challenge to any CPRA compliance plan, let’s take a closer look at how you can avoid it with Skyflow.
Avoiding Data Sprawl: Tokenize and Isolate Personal Information
How can you isolate personal information if you need to use it and it’s everywhere: databases, logs, data warehouses, etc.? The issue of data sprawl complicates compliance, and it makes compliance with DSARs, especially deletion requests, exceedingly difficult.
A typical example of an architecture with data sprawl looks like this:
Skyflow’s flexible approach to tokenization prevents data sprawl while putting all of your access controls – and personal information – in one place, where they can be centrally managed (and quickly located in the event of DSARs, including deletion requests).
The result looks like this:
You can learn more about Skyflow’s flexible approach to tokenization in our tokenization blog post.
Final Thoughts
Data privacy laws like CCPA and CPRA can be a source of uncertainty for businesses. But, complying with these laws doesn’t need to be painful for businesses that take a proactive approach to protecting personal information.
The benefits of being proactive with data privacy extend beyond addressing immediate compliance needs. Although CCPA and CPRA are important milestones in data privacy regulation, privacy regulations will continue to evolve in the US, and internationally.
We also expect that agencies like the CPPA and the FTC will continue to focus on the investigation and enforcement of data privacy violations. Taking a proactive approach to protecting personal information can save most businesses a lot of headaches and expenses.
You can use Skyflow to ease CPRA compliance by isolating, protecting, and governing the personal information of your customers, employees, and business contacts who reside in California. To learn more about how Skyflow can help your business, try Skyflow.