Just days before the enforcement of the California Consumer Privacy Act (CCPA) began on July 1st, 2020, the California Privacy Rights Act (CPRA) received enough signatures to qualify to be on the November ballot. This ballot initiative, also referred to as Prop 24, was drafted by the non-profit organization Californians for Consumer Privacy, and looks to extend and clarify several of the provisions in existing California privacy law. If this measure is approved, it will have major impacts on any company that works with the data of a California citizen.
CPRA vs CCPA
The new California Privacy Rights Act incorporates the provisions set forth by the California Consumer Privacy Act (CCPA), but imposes new substantive obligations on businesses, grants consumers new rights, and modifies the CCPA’s enforcement provisions. Alastair Mactaggart, one of the main proponents of the ballot initiative that later served as the foundation of the CCPA, believes that the CCPA serves as a great baseline, but thinks that there are additional rights that California residents deserve.
Notable Changes
- Establishes the California Privacy Protection Agency which will serve to enforce the regulation and protect the privacy of Californians
- Defines and establishes a new category of sensitive information, Sensitive Personally Identifiable Information, acknowledging that not all PII is created equal with some categories being more sensitive than others
- Provides consumers with new rights
- Right to Correction which grants consumers the ability to request that a business corrects inaccurate personal information that has been collected
- Right to restriction providing consumers the right to limit a business’s use of their sensitive personal information
- Increases penalties for breaches that involve the data of minors
- Redefines key terms such as the scope of a “business” and what constitutes a “breach”
- Imposes limitations upon the California Legislature to amend the privacy law
Significant Dates
Who Does it Affect?
The CCPA defined a “business” as any entity that operates for the profit or financial benefit of its shareholders that collects consumers’ personal information that does business within the State of California that meets one or more of the following thresholds
- Has an annual gross revenue in excess of $25 million
- Annually buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
- Derives 50% or more of its annual revenues from selling consumers’ personal information
The CPRA adjusts this definition by
- Doubling the threshold from 50,000 to 100,000 for an entity that “buys or sells or shares the information of 100,000 or more consumers or households”
- Removes the criteria for a business’s need for a commercial purpose in the buying or selling of personal information
- Adds the definition of business joint ventures or partnerships composed of businesses in which each business has at least a 40% interest
How Can Businesses Prepare for CPRA Compliance?
While it is widely regarded that the CPRA ballot initiative is likely to pass, businesses should continue to progress and maintain their CCPA compliance efforts. However, they should also monitor privacy developments not only in California but also at the federal level. If the CPRA is not approved, then businesses should prepare for the January 1st, 2021 expiration of the temporary exemptions for employee and business to business information.
In order to adhere to the expanding data privacy regulations, organizations will have to follow common core principles and practices of data privacy and security. In order to do so, they should:
- Leverage the necessary tools in order to maintain an ongoing understanding of where sensitive data (specifically personal information) exists
- Enforce strong Data Access Governance practices to ensure that the right controls are in place in order to prevent unauthorized access to personal data
- Conduct regular risk assessments to minimize and address any risks to personal data
- Deploy monitoring tools in order to detect and respond to threats in real-time
Learn more about how Stealthbits can help organizations comply the CCPA and other data privacy regulations.
Farrah Gamboa is a Director of Technical Product Management at Stealthbits – now part of Netwrix. She is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Since joining Stealthbits in 2012, Farrah has held multiple technical roles, including Scrum Master and Quality Assurance Manager. Farrah holds a Bachelor of Science degree in Industrial Engineering from Rutgers University
Related Posts
- 3 Strategies to Ensure Readiness for DSARs
- Global Compliance Demands: The Singaporean Personal Data Protection Act (PDPA) Reviewed
- South Africa’s Protection of Personal Information Act (POPIA) Compliance
- Lei Geral de Proteção de Dados Pessoais (LGPD Compliance) – What You Need to Know About Brazil’s National Data Privacy Regulation
- What is a Data Protection Impact Assessment (DPIA)?
- EU-US Privacy Shield Revoked: What This Means for EU-US Commercial Data Transfers
- Key Requirements of the NY SHIELD Act and How to be Compliant
- What is the California Consumer Privacy Act (CCPA)?
- What is the NYDFS Cybersecurity Regulation?
- What is APRA’s CPS 234? Part 2
Leave a Reply