The ultimate CPRA compliance checklist

The California Privacy Rights Act (CPRA) became operative on January 1, 2023, with enforcement beginning July 1, 2023, and protects a wide range of privacy rights for California residents. CPRA statutes and regulations build on the rights established by the earlier California Consumer Privacy Act (CCPA), such as requiring businesses to tell consumers how their information will be used, to obtain opt-in consent before selling the personal information of consumers under 16, to fulfill "request to know" inquiries in a timely manner, and to provide accessible opt-outs and deletion requests. Rights added by the CPRA include the right to correct inaccurate personal information, limits on collecting and retaining data beyond what is reasonably necessary for the disclosed purpose, the right to notice of how personal data is used, and the right to limit a business's use and disclosure of sensitive personal information.

The CPRA can be seen as California's version of the EU's General Data Protection Regulation (GDPR), and it applies to businesses outside the state of California. The rules and regulations, while not as extensive as those of the GDPR, can be difficult to parse and understand. Here, we cover the key points you need to know about the CPRA, as well as what you can do to make sure your organization remains compliant.

Which businesses need to be CPRA compliant?

At first glance, it may seem like the CPRA applies only to businesses based in California. However, the CPRA applies to any for-profit business that does business in California and collects personal information from California residents, including businesses based outside the United States, as long as it meets one of the thresholds below. Nonprofit organizations and government agencies are generally exempt.

A business is subject to the CPRA if it meets any one of the following:

  • Had more than $25 million in gross revenue in the preceding calendar year.
  • Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households.
  • Derives 50 percent or more of its annual revenue from selling or sharing consumers' personal information.

If you are scaling or conducting any business online, it will become increasingly difficult to confidently disregard the CPRA. Small businesses with no online footprint may be able to safely ignore CPRA regulations, but businesses with a digital presence are advised to be "privacy forward," as they may soon meet one of the CPRA thresholds.

What types of data are regulated by the CPRA?

Personal data that is protected by the CPRA includes:

  • Names
  • Ages
  • Birthdays
  • Location information
  • Mailing, billing and email addresses
  • Credit card numbers
  • Social Security numbers
  • Income or similar information
  • Internet browsing and search history
  • Political and religious affiliations
  • Biometric data

In short, personally identifiable information (PII) in its many forms is protected by the CPRA. Even if a business is not selling or sharing it, the CPRA requires businesses to implement reasonable security procedures and practices appropriate to the nature of the information they hold, so this collected information must be protected regardless of how it is used. Industries that tend to collect greater amounts of sensitive private information include financial services, healthcare, higher education, eCommerce, manufacturing, and telecommunications.

Due to the increased regulation of service providers and contractors who have access to personal information, businesses need to be aware of the information they are collecting as well as how it is being stored, accessed, and protected. The best starting point to determine your organization’s compliance with CPRA is through sensitive data discovery.

5 steps for becoming CPRA compliant

If your business collects personal information (PI) or sensitive personal information (SPI) from consumers and customers, it is in your best interest to become CPRA compliant. Even if your customer base isn't made up predominantly of California residents, if your services are available across the United States there's a strong likelihood that your organization has already collected, or will at some point collect, PI or SPI belonging to California residents that is protected under the CPRA. Below are five recommended steps an organization should take to become CPRA compliant.

1. Get an accurate read of your organization’s data

Most organizations think they know the scope of data that they collect, but it’s very common for data to be hidden in unexpected places. In order to be CPRA compliant, or compliant with any type of legal regulation, your team should be aware of all of the collected data in your organization, what types of data are being collected on an ongoing basis, and where all sensitive data lives. Data discovery can be a tricky process because certain data, like unstructured data, is not easily searchable. Thankfully, there are sensitive data discovery tools that can aid security teams in this process while providing efficient, accurate results.

2. Create and implement classifications for your organization’s data

Once you have a full understanding of all the data that lives within your organization, you can begin organizing that data with classification labels. This is important because not all pieces of data need to be treated with the same level of security or are required to live within your organization’s network for the same lengths of time. Data classification will make monitoring and remediating data much easier for your organization’s security team, and tools are available that can automate classification once your organization sets specified parameters and terminology.

3. Take necessary remediation steps

Remediation does not always mean deletion. The best next step will depend on the types of sensitive data your organization has acquired, and includes actions like cleansing, organizing or migrating data so it is fit for its intended purpose while adhering to compliance regulations.

4. Make Subject Rights Requests easy for consumers and for your team

Under the CPRA, California consumers are entitled to request to know what personal information a business collects about them and how it is used, shared, or sold, and to request its deletion or correction. These requests should be easy for your customers, and just as easy for your security and legal teams to process. Since the CPRA regulations require businesses to confirm receipt of a request within 10 business days and to respond within 45 calendar days (extendable once by a further 45 days when reasonably necessary, provided the consumer is notified), it's important to have a system in place that works efficiently. This is where compliance automation tools, equipped with features like AI-driven name recognition, identity matching, and comprehensive dashboards, can help your organization remain CPRA compliant.

5. Create data governance and data classification policies

Once you’ve properly organized and assessed your data, your organization should create data governance and data classification policies to ensure that everyone on your team is on the same page. When everyone in your organization knows who owns what, your team can work more efficiently and accurately.
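As an added illustration of steps 1 to 3 above (discovery, classification, remediation), and not code from this page or from Spirion's product, here is a small Python pass over constructed sample records. It matches a few PI/SPI patterns in free-text fields, applies a Luhn check so that arbitrary 16-digit reference numbers are not flagged as card numbers, assigns each record the highest label found under a hypothetical two-level PI/SPI scheme (an assumption for the example, not a CPRA-defined taxonomy), and produces a masked copy as one remediation option. The sample records, patterns and labels are all constructed for the example.

```python
"""Sensitive-data discovery, classification and masking over sample records.

Added example for this article; it is not Spirion's code or a CPRA-defined
taxonomy. Records, patterns and the PI/SPI labels are constructed for the
example.
"""
import re
from dataclasses import dataclass

# Hypothetical two-level scheme (an assumption): "SPI" for categories the CPRA
# treats as sensitive personal information, "PI" for other personal information.
PATTERNS = {
    "ssn":   (re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), "SPI"),
    "card":  (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), "SPI"),  # validated with Luhn below
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "PI"),
}
LEVEL = {"PUBLIC": 0, "PI": 1, "SPI": 2}

# Constructed sample data standing in for a scanned data store.
SAMPLE_RECORDS = [
    {"id": 1, "notes": "Customer Jane Roe, jane.roe@example.com, card 4111 1111 1111 1111 on file"},
    {"id": 2, "notes": "Applicant SSN 123-45-6789, phone 555-0100"},
    {"id": 3, "notes": "Order ref 1234 5678 9012 3456 shipped"},  # 16 digits but fails Luhn
    {"id": 4, "notes": "Newsletter signup only, no details given"},
]


@dataclass
class Finding:
    record_id: int
    kind: str
    label: str
    value: str


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_real_hit(kind: str, value: str) -> bool:
    """Secondary validation to cut false positives; only cards need it here."""
    return luhn_ok(value) if kind == "card" else True


def scan_text(record_id: int, text: str) -> list[Finding]:
    hits = []
    for kind, (pattern, label) in PATTERNS.items():
        for m in pattern.finditer(text):
            if is_real_hit(kind, m.group(0)):
                hits.append(Finding(record_id, kind, label, m.group(0)))
    return hits


def scan_records(records) -> list[Finding]:
    """Step 1: discovery. Walk every string field of every record."""
    found = []
    for rec in records:
        for value in rec.values():
            if isinstance(value, str):
                found.extend(scan_text(rec["id"], value))
    return found


def classify(records) -> dict[int, str]:
    """Step 2: classification. A record takes the highest label found in it."""
    labels = {rec["id"]: "PUBLIC" for rec in records}
    for f in scan_records(records):
        if LEVEL[f.label] > LEVEL[labels[f.record_id]]:
            labels[f.record_id] = f.label
    return labels


def redact(text: str) -> str:
    """Step 3: one remediation option. Mask validated hits, keeping the last
    four characters of numeric identifiers so records can still be reconciled."""
    for kind, (pattern, _label) in PATTERNS.items():
        def mask(m, kind=kind):
            v = m.group(0)
            if not is_real_hit(kind, v):
                return v  # e.g. a reference number that fails Luhn stays as-is
            if kind == "email":
                return "[EMAIL REDACTED]"
            return f"[{kind.upper()} ****{v[-4:]}]"
        text = pattern.sub(mask, text)
    return text


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f.record_id}: {f.kind} ({f.label}) -> {f.value}")
    print(classify(SAMPLE_RECORDS))
    for rec in SAMPLE_RECORDS:
        print(rec["id"], redact(rec["notes"]))
```

Pattern matching alone produces noise; the Luhn check is the kind of secondary validation a real discovery tool applies before raising a finding, and `is_real_hit` is where checksum or context checks for other identifier types would go. Record 3 shows the effect: a 16-digit order reference matches the card regex but is neither reported nor masked.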

What are the risks of CPRA non-compliance?

If your business is found in violation of the CPRA, it faces administrative fines enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General. The amount depends on the nature of the violation:

  • Up to $2,500 per violation.
  • Up to $7,500 per intentional violation, and per violation involving the personal information of consumers under 16.

The CPRA also removed the 30-day cure period that the CCPA offered before penalties could be assessed. Separately, consumers keep a private right of action for data breaches caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.

Because penalties are assessed per violation, and a single incident can involve many consumers, the cost of non-compliance can quickly add up to millions of dollars.

Aside from the financial penalties your organization may incur, the general public is taking privacy rights more seriously. Your business may see its reputation damaged if it is accused of, or found to be in, violation of the CPRA. Trust from your customers and community is too valuable to risk.

Tools to help your business become CPRA compliant

Manually searching for all instances of PII within your organization is time consuming, as is fulfilling Subject Rights Requests. Automated tools, like Spirion’s Sensitive Data Platform, make CPRA compliance easier for businesses.

Data Privacy Manager offers visibility into data, no matter where it lives, and automates workflows for sensitive data discovery, classification, and remediation. Our compliance tool enables you to add automated Subject Rights Request processing, making request intake and fulfillment more efficient. By automating these processes, you save your security teams countless hours of work and reduce the potential for human error. To see these tools in action and assess whether they are the right fit for your organization, request a free demo.