What businesses need to know about CPRA

CPRA is a new piece of data privacy regulation in California, affecting companies located anywhere who do business with people in California. It passed on the November 2020 state ballot and takes effect July 1, 2023.

This development may appear as overwhelming on the heels of the California Consumer Privacy Act (CCPA), passed in 2018. In fact, the CPRA builds upon the CCPA and addresses a few provisions where the first piece of legislation was lacking. In fact, the CPRA was intended to appear on the 2018 ballot, but was pulled at the last minute in exchange for the less restrictive CCPA.

This is just one of a growing number of privacy regulations taking hold in many states and countries around the world. As consumers learn more about potential risks to the information they share with companies, they are becoming more vocal about their expectations. According to a 2019 Pew Research study, “81% of Americans think the potential risks of data collection by companies about them outweigh the benefits.”

If your company made $25 million in gross revenue in the previous calendar year, you are subject to CPRA. Just about every department leader needs to be familiar with this law, because it impacts product and service development, HR, information security, and records management. It will also require close involvement from the legal and compliance departments.

The law includes multiple disclosure requirements on the use and sharing of personal information, and marketers should be able to demonstrate transparency as to their use of that information and compliance with the law.

For companies that need to adhere to CPRA, there are three important things to know:

1. It creates a new category of personal information called special personal information, that merits special protection. Including:
   

   a. Name

   b. Social Security Number

   c. Email

   d. Birthday

2. There is a “positive” information security mandate, meaning that businesses are proactively required to implement risk-based controls over personal information, rather than merely punishing companies after a breach owing to a lack of such controls.
3. Third parties that have access to a business’s personal information, such as service providers and contractors, are much more closely regulated by the law than they were under the CCPA.

If you start with understanding these three basic components of CPRA, you should be on your way to taking effective action to comply.

As mentioned above, CPRA builds upon CCPA. A weakness of CCPA was that the California legislature could have watered down the requirements of the statute if it became politically expedient to do so. As a constitutional amendment, the CPRA doesn’t suffer from that weakness.

In addition, the CCPA contained some gaps, such as the inability to amend one’s personal information, minimal application to service providers, and no restrictions on marketing abuses, such as cross-context behavioral advertising.

It’s unlikely you will be starting from scratch to comply with CPRA. If a business is compliant with the European Union’s GDPR, they are likely already nearly CCPA compliant. However, you still have some tasks to complete, such as addressing the “do not sell my personal information” mandates. Specifically, you will need to put two links on your website:

• If a business sells or shares consumer personal information (outside of some narrow exceptions), it must put a Do Not Sell or Share My Personal Information link on its website.
• If a business uses or discloses sensitive personal information (also outside of some narrow exceptions), it must put a Limit the Use of My Sensitive Personal Information link on its website.

Your web development team should be able to put these in place well ahead of the deadline.

The time to begin preparing for CPRA compliance is right now. The start date for in-scope information is January 1, 2022. Even if you’re reading this early in the year, the updates to your company’s data inventories and any additional controls needed will likely take the rest of 2021 to complete. Following are some guidelines for your preparations.

Start with a data inventory

Businesses should take a fresh look at the personal information they’re collecting or processing and determine if they truly still require all of it. Under CPRA, you cannot keep data longer than “reasonably necessary for that disclosed purpose.” You will need to assess how long you keep data currently and what you can consider reasonably necessary. In the U.S., businesses have traditionally collected every bit of information they could, even if they didn’t need it all. Today, that unnecessary data is just a liability under modern data protection laws.

A data inventory will, when properly developed and maintained, give data protection professionals the information they need to understand the state of their data protection program at any given time, including unnecessary information.

Tools you will need

Data discovery software tools for searching, categorizing, and managing your data can make the process go more smoothly. Businesses will need technology that enables them to identify in-scope personal information wherever it exists in their information ecosystem. It’s common for businesses to be surprised when they develop a data inventory and discover systems that store or process personal information that they didn’t know about.

You will also need to take a fresh look at your use of personal information, especially with respect to special personal information. Determine what you will need to share with consumers in terms of privacy practices.

Finally, our businesses will have to review the controls in place for protecting personal information. All of this work will require skilled IT, IT security, compliance, and legal professionals working together toward your goal.

In the first two months of 2021, at least a half-dozen new data protection laws were introduced, many of them similar in nature to CCPA. It’s a very good bet that with the CPRA as our default national data protection standard, we’ll see most states move to a similar standard over the next five years. By getting started now with assessing the state of your company data and putting these privacy measures in place, you should be well positioned to handle any future laws that pass in the next few years.

Spirion is the critical first step toward data privacy and security. We build and deliver the most accurate data discovery and classification solutions on the planet to position our customers for unparalleled data privacy, security, and regulatory compliance. Spirion’s data discovery, classification, and protection capabilities help organizations meet numerous compliance regulations, including CCPA and CPRA.