As organizations and CISOs are budgeting and planning for 2022, readiness and compliance for the California Privacy Rights Act (CPRA) should be high on their list. With that in mind, I think it is a good time to update a post I wrote 2 years ago about the California Consumer Privacy Act (CCPA). That legislation, passed in 2018, was a stark wake-up call to organizations that had previously been collecting, processing and selling consumer data with little oversight. Less than a year after it got into full effect, the state followed up with CPRA to expand and amend the CCPA. These new regulations will go into full effect on January 1, 2023.
CPRA introduces new applicability criteria and stricter regulations than the CCPA, as well as heftier fines for organizations that fail to comply. And although the legislation only applies to data collected on California residents, the business itself does not have to be located in the state. For example, a German company could find itself liable if its website is breached and California customers are affected. The CCPA and CPRA are, in effect, national and global laws for anyone serving California users.
CCPA and CPRA are the strongest consumer privacy regulations mandated at the state level, and they represent an important shift in the regulatory landscape. Lawmakers across the nation are increasingly calling upon businesses to take accountability for the data they harvest. New York, for example, is in the process of enacting its own data privacy legislation. CCPA and CPRA give significantly more power to consumers to demand accountability and transparency for how their private data is handled — and these laws won’t be the last.
Understand the Differences Between CCPA and CPRA
A recent report from Osterman Research revealed that only 23% of organizations are currently compliant with CCPA. If you fall in that bucket, you are already off to a good start!
Here are some key ways in which CPRA amends CCPA that will help you when assessing CPRA compliance:
- Increases the applicability threshold from organizations that buy, sell or share personal information of 50,000-plus California consumers or households to 100,000 or more.
- Established specific requirements on sensitive personal information (SPI) around disclosure, purpose limitation, opt-out and opt-in after a previously-selected opt-out.
- Modified several rights present in the CCPA, including the right of opt-out of third-party sales and sharing, right to know, right to delete, right to data portability and opt-in rights for minors.
- Introduced new privacy rights, including the right to correct information, right to limit use and disclosure of sensitive personal information, right to access information about automated decision-making and right to opt-out of automated decision-making technology.
- Adopted GDPR principles for data minimization, purpose limitation and storage limitation.
- Added login credentials to the type of information for which consumers can take legal action if their data is exposed.
- Established the California Privacy Protection Agency (CPPA) to investigate, enforce and amend the CPRA.
Avoid CPRA Noncompliance and Regulatory Fines
Now here’s the kicker: Even if your business adheres to CPRA, you might not actually be 100% compliant. Why? A less-known but critically important piece of the CPRA — and for that matter, of CCPA and GDPR as well — is that liability for breaches extends to third-party components and services that you introduce to your users. Commonly referred to as “supply chain,” this includes information security companies, payment processors, chatbot operators and any other third-party provider.
More recently, Dunkin’ Brands Inc. faced a lawsuit alleging that the company failed to implement appropriate safeguards to protect consumer data. The brand suffered attacks that gave hackers access to consumers’ Dunkin’ stored value cards, known as “DD cards,” used to make purchases at Dunkin’ stores. As a result of the suit, Dunkin’ Brands agreed to notify and refund hacked customers and pay an additional $650,000 in penalties and costs. This goes to show that even data that may not seem sensitive, such as credentials tied only to relatively low-value DD cards, is still protected under data privacy laws.
Get At The Root: Your Third-Party Vendors
Third-party code makes it much harder to police and audit for CPRA risks. These scripts often undergo changes without your knowledge, making initial security reviews obsolete. One third-party script might refer to another script which refers to another, leading to a veritable supply chain of code that you have no visibility into. A vulnerability far down the line could put the entire chain at risk.
Questions To Ask Your Third-Party Service Providers
In my CCPA post, I suggested a series of questions to ask your third-party service providers. These are still extremely relevant today. Check out my first post for the list, as well as other steps you can take to ensure that your vendors are CPRA-compliant.
Adhering to stricter data privacy regulations may seem nearly impossible given the widespread lack of visibility into third-party code. But having conversations about CPRA with your vendors and putting in place processes to monitor your risk are good business practices that will pay off in the long run — helping you avoid hefty fines, maintain consumer trust and build brand loyalty.