A Brief Overview of the CPRA for Data Security and Privacy Professionals
February 22, 2023 | 7 min. read
The new year brought in new changes to the California Consumer Privacy Act (CCPA) under the California Privacy Rights Act (CPRA). What does that mean for data security and privacy professionals? Here are the pertinent details you need to know. Note: This is just our brief, informational summary, not legal advice. You should consult your attorney for details on your legal obligations.
The California Privacy Rights Act (CPRA) went into effect on January 1, 2023. As an amendment to the California Consumer Privacy Act (CCPA), the CPRA provides additional protections for California residents’ personal information.
Prior to Jan. 1, employees, contractors, emergency contacts, and more were exempt from the CCPA. Now, any California resident is covered by the CCPA, which means businesses have to be concerned not only about the privacy of their California-based consumers, but also about the privacy of their California-based employees, contractors, and emergency contacts. In addition, businesses must understand which PII is employee data versus consumer data.
While the CPRA went into effect January 1, 2023, enforcement will not begin until July 1, 2023, and enforcement will apply only to violations occurring on or after that date. In the meantime, however, the CCPA’s provisions remain in effect and enforceable.
The CPRA expands the definition of personal information. Under the CCPA, personal information is defined as “information that identifies, relates to, or could be reasonably associated with a particular consumer or household.” Under the CPRA, consumers now have the right to limit a business’ use and disclosure of their “sensitive personal information,” thus expanding the scope of data covered by the CCPA to include:
The CPRA also gives California residents several additional rights, including:
The CPRA also requires businesses to conduct data protection assessments and to appoint a data protection officer, if certain conditions are met. These requirements are intended to help ensure that businesses are taking the necessary steps to protect personal information and to respond promptly to data breaches.
Finally, the CPRA strengthens enforcement and penalties for violations of the law. It gives more power to the California attorney general to enforce the law and increase the fines for non-compliance.
The CCPA creates six specific rights for California residents as consumers:
The CPRA creates two additional rights:
It all starts with knowing your data and business operations. Do you operate in California? Do you store any sensitive information on California residents? If you do, where is it stored, and what measures are taken to protect the data and uphold California residents’ rights under the CPRA?
Understanding what personal data you have and how it’s being used is critical for meeting regulatory requirements like the CPRA. Laminar provides autonomous and continuous data discovery, classification, and protection, enabling businesses to easily monitor for regulated data and enforce security policies in accordance with regulatory requirements. Contact us today to find out how we can help you find and secure your cloud data.