The world of data privacy is ever-evolving, and with more and more countries not only proposing privacy legislation but actually enacting it, it’s all the more tricky to maintain compliance. Here’s what’s on the horizon and how your organization can be ready for it all.
California to take privacy to the next level with the CPRA
On January 1, 2023, the California Privacy Rights Act—successor to the California Consumer Privacy Act (CCPA)—will take effect, bringing with it even tighter protections for California consumers’ privacy.
The CPRA is an enhancement of its already-strict predecessor. That is to say, CCPA rules aren’t being loosened or removed; they’re actually becoming more specific to better resemble those of the European Union’s General Data Protection Regulation (GDPR). Some of the most notable changes the CPRA will bring include:
- The creation of the California Privacy Protection Agency (CPPA), tasked with enforcement of the CPRA and other state privacy regulations. In GDPR terms, the CPPA would be a supervisory authority;
- The appointment of a state “Chief Privacy Auditor” to conduct audits of businesses;
- The creation of a new class of personal information, called “sensitive personal information,” and significant restrictions on its use. Examples of SPI include Social Security numbers, a consumer’s precise geolocation, biometric information, and contents of a consumer’s private communications;
- A ban on advertising deemed to use “profiling”;
- The elimination of the 12-month rolling time period used to calculate in-scope personal information. Instead, all information collected would be in scope;
- A mandate to conduct cybersecurity audits and publish risk assessments pursuant to regulations to be issued by the CPPA;
- The implementation of risk-based controls over user log-in information, such as encrypting usernames and enforcing multi-factor authentication, to proactively avoid data breaches generated from this source; and
- An expansion of data subjects’ rights over their data, including the right to correct their information, the right to limit the use and disclosure of their SPI, and the right to request information about automated decision-making and opt out of the process.
Virginia and Colorado to follow California’s suit
2023 will see Virginia and Colorado implement their own variations of privacy legislation with the Virginia Consumer Data Protection Act (CDPA) effective at the start of the year, like the CPRA, and the Colorado Privacy Act (CPA), effective in July.
Organizations both in and out of Virginia must comply with the CDPA if they process the personal data of more than 100,000 Virginia residents, or of 25,000+ residents while attributing more than 50% of revenue to the sale of personal information. Vendors’ privacy and security measures are subject to assessment to ensure there are adequate capabilities allowing sensitive data to be deleted or returned once a contract is up. Violations can be fined up to $7,500 each.
Similarly, the CPA applies to any organization doing business in or outside of Colorado that processes the personal information of more than 100,000 Colorado residents or that processes the personal information of over 25,000 residents but profits from the sale of personal information. Like the CDPA, an assessment of vendors’ privacy and security measures is required to ensure sensitive information can be deleted or returned once a contract ends. Violations are fined at $2,000 each.
GDPR enforcement, fines, and influence to strengthen
The number of GDPR violations has been steadily increasing since it went into effect in 2018, as have the amounts of its fines. With sufficient time for entities across the globe to acclimate to the GDPR’s stringent requirements, failures to comply will be regarded with less mercy and higher fines.
The GDPR is also spurring increases in global privacy laws and consumer awareness. Just as California’s CCPA inspired the rest of the U.S. to propose privacy laws, the GDPR has led more than 50 countries to introduce and even enact their own legislation. This is great as far as the safety of data goes, but it’s also leading to demands for transparency among data-collecting organizations.
As a result, these entities will need to revamp privacy policies for clarity and reevaluate exactly what consumer data they need, because consumers want to know how their personal information is being used while handing over as little of it as possible. This increased knowledge of and interest in data collection and use also means organizations must prepare to fulfill an influx of data subject requests (DSRs). Per legislation like the GDPR and CPRA, entities are required to let consumers know, in a timely manner, what data is being collected and why, as well as how long it will be kept, in order to avoid noncompliance violations.
To keep up with the requirements of the GDPR and other global and federal legislation while also meeting consumer data privacy demands, organizations must:
- Evaluate and update your data inventory. In several instances of organizations being sanctioned by EU supervisory authorities for GDPR violations, the offenders did not know why they had collected the personal data in question. Updating your data inventory (especially in light of new definitions of personal data) offers the opportunity to uncover previously unknown personal information and discern why it was collected before a regulator or plaintiff’s counsel asks.
- Draft updates to your privacy “policy.” Your publicly-facing notice of privacy practices is an important mechanism to convey to the public and business partners how you use, share, and protect personal information. However, privacy policies that cite practices that don’t take place or are not enforced are a magnet for regulators who only have to prove such policies are unfair or deceptive, which is a very low bar to clear.
- Review partner agreements. Business partner agreements invariably contain provisions on the sharing, use, and protection of personal information and require a thorough review. The mandates or licenses cited often border on the absurd, including requirements for SOC 2 reports from companies that don’t offer cloud services, co-controller status for companies that are truly data processors, and certifying an entire company as compliant with some NIST or ISO standard.
Companies to invest more in privacy technology, specifically automation
One of the primary ways organizations can achieve these to-dos is by investing more time and resources in privacy technology. Beyond the added layers of security that tools for enhanced encryption, user access roles, data discovery, classification, and remediation can provide, these tools leave you much better positioned to efficiently maintain compliance. Take data subject requests, for example. Precise discovery and classification of every piece of data in your ecosystem allows it to be accurately mapped and readily accessible, so DSRs can be fulfilled in the timely manner required.
Be prepared for what’s next in the world of data privacy with Spirion
Knowing that the future of data privacy is more stringent is one thing, but readily equipping your organization to withstand it is another. Spirion’s suite of intelligent tools automates the vital data discovery and classification processes so you know exactly what information your institution has, where it exists, and which data privacy laws it’s subject to.
Contact us today to learn how our scalable solutions can help you better preserve the privacy of your consumers’ personal information, reduce risk within your environment, and prepare you to take on what’s ahead for data privacy.