A Brief Overview of the CPRA for Data Security and Privacy Professionals

The new year brought in new changes to the California Consumer Privacy Act (CCPA) under the California Privacy Rights Act (CPRA). What does that mean for data security and privacy professionals? Here are the pertinent details you need to know. Note: This is just our brief, informational summary, not legal advice. You should consult your attorney for details on your legal obligations.

When did the CPRA take effect?

The California Privacy Rights Act (CPRA) went into effect on January 1, 2023. As an amendment to the California Consumer Privacy Act (CCPA), the CPRA provides additional protections for California residents’ personal information.

What other changes were instituted on January 1?

Prior to Jan. 1, employees, contractors, emergency contacts, and more, were exempt from the CCPA. Now, any California resident is covered by the CCPA, which means businesses not only have to be concerned about the privacy of their California-based consumers, but also for their California-based employees, contractors, and emergency contacts. In addition, businesses must understand which PII data is employee data versus consumer data.

When will enforcement of the CPRA begin?

While the CPRA went into effect January 1, 2023, enforcement will not begin until July 1, 2023, and enforcement will apply only to violations occurring on or after that date. In the meantime, however, the CCPA’s provisions remain in effect and enforceable.

How does the CPRA expand on the CCPA?

The CPRA expands the definition of personal information. Under the CCPA, personal information is defined as “information that identifies, relates to, or could be reasonably associated with a particular consumer or household.” Under the CPRA, consumers now have the right to limit a business’ use and disclosure of their “sensitive personal information,” thus expanding the scope of data covered by the CCPA to include:

• Government identifiers (for example, Social Security Number or driver’s license number)
• Financial information
• Precise geolocation
• Biometric information
• Health information (such as health conditions or sexual orientation)
• Racial or ethnic origin and beliefs

The CPRA also gives California residents several additional rights, including:

• The right to correct inaccurate personal information
• The right to limit the use of sensitive personal information
• The right to opt-out of the sharing of this information for targeted advertising
• The right to bring a lawsuit against a business if their non-encrypted and non-redacted sensitive personal information is accessed, exfiltrated, or destroyed without authorization

The CPRA also requires businesses to conduct data protection assessments and to appoint a data protection officer, if certain conditions are met. These requirements are intended to help ensure that businesses are taking the necessary steps to protect personal information and to respond promptly to data breaches.

Finally, the CPRA strengthens enforcement and penalties for violations of the law. It gives more power to the California attorney general to enforce the law and increase the fines for non-compliance.

What rights do California residents have under the CCPA?

The CCPA creates six specific rights for California residents as consumers:

1. The right to know what information a business collected about them, why they collected it, where or from whom it was collected, and, if it was sold, to whom
2. The right to delete personal information collected from them (with exceptions)
3. The right to opt-out of the sale of personal information (if applicable)
4. The right to opt-in to the sale of personal information of consumers under the age of 16 (if applicable)
5. The right to non-discriminatory treatment for exercising any rights under the CCPA (A business cannot lawfully decline to provide goods or services, change the price structure or provide a different quality service or good because a consumer exercised their CCPA rights, unless the personal information is needed for the sale or provision of services.)
6. The right to initiate a private cause of action for data breaches

The CPRA creates two additional rights:

7. The right to correct inaccurate personal information
8. The right to limit use and disclosure of sensitive personal information

As a data security and privacy professional, what should I do?

It all starts with knowing your data and business operations. Do you operate in California? Do you store any sensitive information on California residents? If you do, where and what measures are taken to protect the data and uphold California residents’ rights under the CPRA?

Understanding what personal data you have and how it’s being used is critical for meeting regulatory requirements like the CPRA. Laminar provides autonomous and continuous data discovery, classification, and protection, enabling businesses to easily monitor for regulated data and enforce security policies in accordance with regulatory requirements. Contact us today to find out how we can help you find and secure your cloud data.