
What businesses need to know about CPRA

  • What is CPRA?
  • Who needs to be up to speed on CPRA?
  • What are the key things to know about CPRA?
  • How does CPRA compare with CCPA?
  • Is a company already set if they comply with similar regulations?
  • How long will it take to prepare for CPRA?
  • What does the future hold for data privacy legislation?
  • How can Spirion help companies comply with CPRA?

Getting up to speed on the California Privacy Rights Act (CPRA) and making a plan for your company’s compliance should be near the top of your 2021 to-do list. Spirion has put together this guide to take you through the information you need to start taking action now to prepare for CPRA.

What is CPRA?

CPRA is a new piece of data privacy regulation in California, affecting companies located anywhere that do business with people in California. It passed on the November 2020 state ballot and takes effect July 1, 2023.

This development may appear overwhelming, coming on the heels of the California Consumer Privacy Act (CCPA), passed in 2018. In fact, the CPRA builds upon the CCPA and addresses a few provisions where the first piece of legislation was lacking. The CPRA was intended to appear on the 2018 ballot, but was pulled at the last minute in exchange for the less restrictive CCPA.

This is just one of a growing number of privacy regulations taking hold in many states and countries around the world. As consumers learn more about potential risks to the information they share with companies, they are becoming more vocal about their expectations. According to a 2019 Pew Research study, “81% of Americans think the potential risks of data collection by companies about them outweigh the benefits.”

Who needs to be up to speed on CPRA?

If your company made $25 million in gross revenue in the previous calendar year, you are subject to CPRA. Just about every department leader needs to be familiar with this law, because it impacts product and service development, HR, information security, and records management. It will also require close involvement from the legal and compliance departments.

The law includes multiple disclosure requirements on the use and sharing of personal information, and marketers should be able to demonstrate transparency as to their use of that information and compliance with the law.

What are the key things to know about CPRA?

For companies that need to adhere to CPRA, there are three important things to know:

  1. It creates a new category of personal information, called special personal information, that merits special protection, including:

    a. Name
    b. Social Security Number
    c. Email
    d. Birthday
  2. There is a “positive” information security mandate, meaning that businesses are proactively required to implement risk-based controls over personal information, rather than merely punishing companies after a breach owing to a lack of such controls.
  3. Third parties that have access to a business’s personal information, such as service providers and contractors, are much more closely regulated by the law than they were under the CCPA.

If you start with understanding these three basic components of CPRA, you should be on your way to taking effective action to comply.

How does CPRA compare with CCPA?

As mentioned above, CPRA builds upon CCPA. A weakness of CCPA was that the California legislature could have watered down the requirements of the statute if it became politically expedient to do so. As a constitutional amendment, the CPRA doesn’t suffer from that weakness.

In addition, the CCPA contained some gaps, such as the inability to amend one’s personal information, minimal application to service providers, and no restrictions on marketing abuses, such as cross-context behavioral advertising.

Is a company already set if they comply with similar regulations?

It’s unlikely you will be starting from scratch to comply with CPRA. If a business is compliant with the European Union’s GDPR, they are likely already nearly CCPA compliant. However, you still have some tasks to complete, such as addressing the “do not sell my personal information” mandates. Specifically, you will need to put two links on your website:

  • If a business sells or shares consumer personal information (outside of some narrow exceptions), it must put a Do Not Sell or Share My Personal Information link on its website.
  • If a business uses or discloses sensitive personal information (also outside of some narrow exceptions), it must put a Limit the Use of My Sensitive Personal Information link on its website.

Your web development team should be able to put these in place well ahead of the deadline.

How long will it take to prepare for CPRA?

The time to begin preparing for CPRA compliance is right now. The start date for in-scope information is January 1, 2022. Even if you’re reading this early in the year, the updates to your company’s data inventories and any additional controls needed will likely take the rest of 2021 to complete. Following are some guidelines for your preparations.

Start with a data inventory

Businesses should take a fresh look at the personal information they’re collecting or processing and determine if they truly still require all of it. Under CPRA, you cannot keep data longer than “reasonably necessary for that disclosed purpose.” You will need to assess how long you keep data currently and what you can consider reasonably necessary. In the U.S., businesses have traditionally collected every bit of information they could, even if they didn’t need it all. Today, that unnecessary data is just a liability under modern data protection laws.

A data inventory will, when properly developed and maintained, give data protection professionals the information they need to understand the state of their data protection program at any given time, including unnecessary information.

Tools you will need

Data discovery software tools for searching, categorizing, and managing your data can make the process go more smoothly. Businesses will need technology that enables them to identify in-scope personal information wherever it exists in their information ecosystem. It’s common for businesses to be surprised when they develop a data inventory and discover systems that store or process personal information that they didn’t know about.

You will also need to take a fresh look at your use of personal information, especially with respect to special personal information. Determine what you will need to share with consumers in terms of privacy practices.

Finally, businesses will have to review the controls in place for protecting personal information. All of this work will require skilled IT, IT security, compliance, and legal professionals working together toward your goal.

What does the future hold for data privacy legislation?

In the first two months of 2021, at least a half-dozen new data protection laws were introduced, many of them similar in nature to CCPA. It’s a very good bet that with the CPRA as our default national data protection standard, we’ll see most states move to a similar standard over the next five years. By getting started now with assessing the state of your company data and putting these privacy measures in place, you should be well positioned to handle any future laws that pass in the next few years.

How can Spirion help companies comply with CPRA?

Spirion is the critical first step toward data privacy and security. We build and deliver the most accurate data discovery and classification solutions on the planet to position our customers for unparalleled data privacy, security, and regulatory compliance. Spirion’s data discovery, classification, and protection capabilities help organizations meet numerous compliance regulations, including CCPA and CPRA.

© 2022 Spirion, LLC. All Rights Reserved
