CPRA – also known as CCPA 2.0 – introduced more stringent rules around the personal data businesses collect, store, use and disclose for a variety of business-operational or commercial purposes. As of January 1, the full scope of the enhanced privacy law now covers all Californians’ personal information—including all employees that are residents of California.
In addition to heightened expectations, the CPRA also comes with a higher level of enforcement. Prop 24 created the Consumer Privacy Protection Agency (CPPA), an FTC for the state of California. The CPPA is responsible for issuing and implementing regulations, providing interpretive guidance, and administratively enforcing the expanded law.
To ensure CPRA compliance, security teams should understand these major changes to the law, and their impact.
Costs related to data breaches and data privacy may increase. CPRA may increase the financial and reputational cost of data breaches by expanding the CCPA’s private right of action to include email addresses. Plus, with a well-funded enforcement agency (CPPA) in place, enforcement may drive up the number of penalties.
The CCPA allowed Californians to sue an organization (i.e., private right of action) for data breaches resulting from preventable security failures, and the CPRA expands this right to include breaches involving email addresses. The CPRA adds email address to information that, if “subject to an unauthorized access and exfiltration, theft, or disclosure” together with a password or security question and answer, would subject a company to broader litigation risk.
California employees have privacy rights, requiring an audit of HR systems. CCPA employee data exemptions expired on Jan. 1, 2023. With the CPRA giving all Californians new and strengthened existing privacy rights, security teams will benefit from centralized visibility into the internal and third-party systems containing workforce information.
Increased protections around “sensitive personal information.” CPRA defines “sensitive personal information (SPI)” as requiring heightened protection, which means security teams will need to work with privacy teams to prioritize reviews of SPI-holding systems.
Regulators are expected to enforce privacy risk assessments. CPRA requires privacy (and cybersecurity) risk assessments, so security teams should prepare for cross-functional reviews of new business activities and of changes to existing ones.
Data retention and governance become more important. CPRA drives data minimization, both on principle and because of an enhanced look-back provision. Well-calibrated retention and disaster recovery policies can help reduce your attack surface.
Control over where personal data lives is more important than ever. CPRA encourages security and privacy teams to uncover hidden data flows, which can reduce hazardous blind spots. Data mappings (and RoPAs) benefit security and procurement teams too.
We’ll see an increase in do-not-share opt-out requests. Data suggests that the volume of DSRs is increasing—specifically do-not-share (DNS) and deletion requests—contributing to an overall cost increase of running a privacy program. Privacy costs will continue on an upward trajectory as CPRA goes into effect with expanded rights and business obligations affecting the confidentiality, accessibility, integrity and transmissibility of broadly regulated data.
Organizations need to be prepared on the backend for a surge in effort-intensive requests while minding overlapping retention and breach prevention obligations — their tech stack needs to be in order on all fronts.
For the CPRA and beyond, calibrating your privacy program around a complete view of your personal data processing will be the best way to manage data subject requests, consumer preferences, and risk assessments.
As a security executive, there are a number of ways you can take action today.
Talk across your company and know your data. Privacy requires cross-functional teams going through the details of what’s collected, why, how it’s used, how it’s shared and how it’s best secured. Use a solution that helps you gain control of the systems you use and your data. Knowing what you have is the first step to managing what you actually need. Minimization and informed retention go hand in hand with business continuity.
Review your data disclosure practices and automate what you can. This is important not only to meet access and opt-out rights, but also because unauthorized disclosure of a wider set of data may lead to an actionable data breach. Meet the rising demands of a rapidly evolving data privacy landscape with software that helps you automate processes and build a comprehensive and scalable Privacy Control Center™.
Read the CISO’s Guide to CPRA to review the most important changes for your security team and explore how you can best prepare your privacy and data protection program.