ASG Perspectives


CPRA: The New Privacy Act You Need to Heed

Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA or “CCPA 2.0”), adds new teeth to the California Consumer Privacy Act (CCPA). With CCPA, California was the first state in the US to pass a privacy rights law that expanded the definition of “personal data” and allowed for penalties on businesses that handle California residents’ data even if the business itself isn’t located in California.

What changed?

Like most companies, your team is probably still struggling to understand CCPA. It only became enforceable in July and is still being fleshed out by regulators. CPRA includes both consumer-friendly and business-friendly changes to CCPA.

Consumer-focused changes

  • Creates a new California Privacy Protection Agency (CPPA) – Focused on enforcement, rulemaking and education, this agency replaces the attorney general’s office as the statute’s enforcer
  • Prohibits “sharing” of personal information (PI) – CCPA only references “selling” of PI, so most companies assumed it didn’t apply to them. This loophole is now closed, in particular for “cross-context behavioral advertising,” meaning the targeting of ads based on the consumer’s web browsing activity
  • Expands the PI definition – A new Sensitive Data subcategory includes location data, race, religion, sexual orientation, government identifiers (e.g., SSN), biometric data, and account logins. If your business collects this data, you will have additional requirements for activities such as data minimization and managing opt-out preferences
  • Requires risk assessments and audits – Businesses performing “high risk processing” will be required to complete annual risk assessments and independent audits, including a cybersecurity audit
  • Demands that businesses correct inaccurate PI upon request – Businesses must investigate and/or correct any inaccuracies that consumers bring to their attention
  • Creates new obligations for opt-out links – Consumers now have a right to opt out of the sale and sharing of their personal information
  • Enables consumers to opt out of profiling via automated decision-making technologies – This new limitation refers to the use of AI/machine learning algorithms to make business decisions about consumers or employees. Consumers can also request access to “meaningful information” about the logic used in these algorithms
  • Establishes data retention requirements – Businesses must inform consumers of the length of time they will retain personal data and cannot retain information longer than specified
  • Expands penalty scope – In another consumer-friendly change, CCPA now includes additional penalties for privacy violations involving a minor, removes the 30-day “right to cure” grace period, and expands data breach liability to include email addresses combined with passwords and/or security questions

Business-Friendly Changes

  • Extends the moratorium on B2B and HR data by one year – Amends CCPA to extend the moratorium on business-related data until January 1, 2023
  • Expands some exemptions – Data considered to be trade secrets or that is used for security and fraud analysis may be exempt
  • Allows loyalty clubs – Businesses can continue to provide rewards clubs
  • Clarifies important definitions – The definition of “de-identification” has been softened to align with the FTC’s definition
  • Includes third-party considerations – Contractors and service providers must support businesses in meeting their privacy obligations
  • Raises the covered-business threshold – Small businesses that buy, sell or share PI of up to 100,000 California consumers/households are exempt

As with CCPA, consumers must opt out of data sharing. This provision is likely to limit the number of requests, given the inconvenience of opting out on every website they visit.

ASG Automates Data Privacy Compliance

CPRA takes effect Jan. 1, 2023, but consumers will be able to view and request the previous 12 months of data, dating back to Jan. 1, 2022. Until then, organizations must continue to comply with CCPA.

Once the new agency (CPPA) is in place, new regulations are expected. A federal privacy law and/or additional state laws are also anticipated. In this evolving regulatory landscape, it is essential to establish a comprehensive and agile data privacy program.

ASG enables you to effectively manage and govern data within your company with two “privacy-aware” solutions: ASG Data Intelligence™ (ASG DI) and ASG Mobius Content Services.

ASG Data Intelligence – A Metadata-Based Data Governance Approach

It starts with building an automated “as is” data inventory by collecting metadata from the data sources inside and outside the business. CPRA, CCPA and other data compliance programs require the ability to quickly locate all PI in order to respond to consumer data requests or opt-outs, conduct risk assessments, or manage audit requests. A data inventory automates the scanning and identification of PI across the data estate by carrying forward the tagging of critical data, data privacy and quality information. That way, organizations know exactly what information they have and where it resides in the organization on an ongoing basis.

Organizations can then couple their data inventory with data lineage capabilities to trace data from its origin to where it delivers value, including transformations along the way. Business semantics, including business glossary definitions, context, business rules, policies, data ownership, and other valuable insights, can also be embedded in this “information supply chain.” Traceable data is trusted data, as organizations can fully understand where information comes from, how systems process the data and how it’s used.

By implementing this data intelligence approach, organizations can understand their entire ecosystem, proactively seeking out dark data, tackling compliance and pivoting quickly as data privacy regulations like the CPRA and GDPR continue to grow.

Operationalizing Privacy Compliance with ASG Content Services

To comply with CPRA, enterprises need to gain visibility and transparency into where sensitive and personal information resides within their documents, content and records. However, most currently lack the ability to identify where that information exists within content. Even if they could, most organizations are unable to associate personal information within records to a specific person – making it nearly impossible to adhere to consumer requests for deletion.

ASG Mobius Content Services (Mobius), in partnership with BigID, delivers these capabilities at scale. Organizations can use Mobius to not only locate personal information anywhere in the enterprise – across potentially billions of documents – but they can also automate the classification, access and governance for the records containing sensitive information. This includes rules-based retention, redaction and auditability of access – all with 95% accuracy, thanks to machine learning/artificial intelligence capabilities.

In today’s regulatory world, information governance can’t be business as usual. Organizations must elevate their strategies to prioritize and operationalize privacy compliance. ASG helps our customers enhance visibility and transparency so they know where risk resides – and we equip them to mitigate that risk with policy-based governance.

Posted: 11/10/2020 8:00:00 AM by Dihan Rosenburg
Filed under: CCPA, CCPA 2.0, CPRA, data privacy