In May 2018, the General Data Protection Regulation (GDPR) went into effect, enhancing individuals' control and rights over their personal data and simplifying the regulatory environment for international business. This had a huge impact on companies that were storing, controlling, or processing data within the EU. The new regulation, called the California Privacy Rights Act (CPRA), is a part of the California Consumer Privacy Act (CCPA) and, like GDPR, will have a similar impact on organizations.
What is CPRA?
The California Consumer Privacy Act (CCPA) of 2019 focuses on California citizens and their data, including:
- The right to delete personal information collected from them;
- The right to know what personal information a business has collected about them and how it is used and shared;
- The right to opt-out of the sale and sharing of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
The California Privacy Rights Act (CPRA) went into effect on January 1, 2023, in the state of California, United States, and applies to all applicable California user data collected since January 2022. The CPRA expands upon the California Consumer Privacy Act (CCPA) of 2019 by providing additional protections for California citizens:
- The right to correct inaccurate personal information that a business has about them; and
- The right to limit the use and disclosure of sensitive personal information collected about them.
It also extends the data breach definition to include cases where non-encrypted or non-redacted information, or login credentials and password combinations, are accessed without authorization, exposing companies to compensation claims by data owners when their data is not properly protected.
Furthermore, it introduces new controls:
- New data sub-category: “Sensitive Personal Information” (SPI). SPI includes data concerning race, ethnicity, sex life, sexuality, financial information, union membership, and geolocation.
- New entity type: “Contractor”. Data-stewardship standards for any organizations working with companies that collect data from California citizens (on top of the types introduced in California Privacy Protection Agency: business, service provider, and third party).
- New agency: California Privacy Protection Agency (CPPA). Implements and enforces state privacy laws, investigates violations, and assesses penalties.
Three CPRA Takeaways
- Step up to your responsibilities: Businesses or organizations operating in California, or handling such data, are encouraged to review their data privacy practices and policies in light of the introduction of the California Privacy Rights Act (CPRA) and make any necessary changes.
- Update your incident lifecycle: Support more scenarios as potential and actual data breaches, and update severities and procedures accordingly.
- Know your rights: California citizens may want to familiarize themselves with their rights under the CPRA and consider using the self-serve tools provided by businesses to exercise their rights to know, control, and access their personal information.
In conclusion, the California Privacy Rights Act (CPRA) went into effect on January 1, 2023, building on the California Consumer Privacy Act (CCPA) of 2019 by providing additional protections for California citizens. Organizations are encouraged to review their data privacy practices and policies in light of the introduction of the CPRA and make any necessary changes.
To learn more about the fundamentals of data security and how this new regulation may affect you, please visit Data Security 101.