December 14, 2021
What is California Privacy Rights Act (CPRA)?
Passed in November 2020, the California Privacy Rights Act (CPRA) goes into effect on January 1, 2023. An extension of the California Consumer Privacy Act (CCPA), the CPRA adds additional protections for consumer data, increased fines for violations — $7,500 per intentional violation and $2,500 for unintentional ones — and significantly increased enforcement options.
To make matter worse, despite the law going into effect on January 1, 2023, it retroactively applies to all personal data collected from January 1, 2022. As a result, at time of writing, companies only have a few weeks to ensure their compliance with the new regulation. Companies based outside of California are not exempted either, as the law applies to all companies that do business in California or have customers within the state.
In order to prepare for the CPRA, it is important to clearly understand the basis of the new legislation, how it builds on its predecessor, and the specific ways it will impact your business.
CCPA: The Foundation of the CPRA
California was the first US jurisdiction to pass a comprehensive privacy law when the CCPA went into effect on January 1, 2020. In many ways, the CCPA was similar to the EU’s GDPR, giving consumers the right to know when their data is being collected, what that data includes, and if that data is being sold or shared with third parties.
Beyond simply knowing how their data is being handled, the CCPA also provided consumers a measure of control over their data. Under the CCPA, users can find out what information the data companies have collected about them, prevent the sale of their personal data, and ask that a business delete it. Significantly, consumers cannot be discriminated against for choosing any of the above options.
The CCPA applies to any business that meets any one of several criteria, including annual gross revenue greater than $25 million, makes more than half of its revenue selling customer information, or trades the personal information of at least 50,000 customers.
Despite the CCPA being a ground-breaking piece of legislation, lawmakers believed it still left holes that could be exploited, leading to the adoption of the CPRA.
How the CPRA Builds on the CCPA
The CPRA introduces a number of additional protections, as well as improved enforcement. As part of the new regulation, the California Privacy Protection Agency will be created to help enforce the CPRA, in cooperation with the California Department of Justice.
In terms of protections, the CPRA includes the same provisions that give consumers the right to know what data is being collected, access the data businesses have collected, limit that collection, and ask that companies delete the person’s data. It also continues to protect customers from reprisal for exercising their rights.
One of the main areas where the CPRA goes beyond the CCPA is when it comes to protecting minors. Businesses must get permission from consumers younger than 16 before collecting and using their data. In order to collect the data of consumers under 13, businesses must get permission from the parent or guardian. The fine for violations pertaining to minors’ data was raised to as much as $7,500, or triple the previous limit.
The new regulation also makes a greater distinction between identifiable data and “sensitive personal information.” Such information could include “race, religion, sexual orientation, health, precise geolocation, etc. The only exception is when a business delivers a product to a consumer which the consumer him/herself requested, and when the information would be used in a way reasonably expected by an average consumer.”
Unfortunately, many companies currently hoover up vast quantities of data without a thought about how much of it constitutes “sensitive personal information.” Similarly, the vast majority of data collection is done primarily for the benefit of the company doing the collection. In contrast, the new regulation makes it clear that even “sensitive personal information” collected with the consent of the consumer must still be used in a way the consumer would want it to be used — in other words, in a way that benefits them.
In addition to including provisions for consumers to benefit when companies use their data, the CPRA provides a way for them to take action when their data is not adequately protected, including opening the door to civil litigation. The regulation states that it “permits private right of action in the event of negligent data breach, i.e. if a business has not redacted or encrypted consumers’ personal information and suffers a data breach.”
To put that in perspective, some of the biggest data breaches, including the Equifax breach, have been because hackers were able to access unencrypted data. In fact, the 2021 Thales Cloud Security Study shows a whopping 83% of companies currently leave over half of their sensitive cloud data unencrypted.
Under the CPRA, each one of these businesses are open to steep penalties and civil litigation if their business involves California citizens.
What the CPRA Means for Businesses
Much like the EU’s GDPR, the CPRA puts a tremendous burden on businesses to properly handle customer data. As mentioned at the outset, there are a number of factors that come into play, including the fact that the law doesn’t just apply to businesses based in California. Instead, the CPRA, like the CCPA, applies to all companies that do business in the state, regardless of where they may be based.
The CPRA’s increased liability clauses — where customers have the right to take legal action against companies that fail to adequately secure their data — adds additional challenges for organizations. Specifically, the CPRA opens the door to legal liability if a company “has not redacted or encrypted consumers’ personal information.”
Unfortunately, many data breaches involving unencrypted data are often the result of a simple misconfiguration error. As companies continue to collect vast databases of information, it can quickly overwhelm internal IT departments and undermine their ability to keep up with compliance requirements.
As a result of the increased liability, companies that collect and use customer data must take the necessary precautions to keep that data secure and safe, especially in the event of a data breach. This can be especially challenging for companies that outsource data analytics. Such data must be stored in a manner that meets the legal requirements involving redaction or encryption, while at the same time remaining accessible enough for an outside firm to be able to work with the data.
Some of the most common and effective methods of securing data are encryption, tokenization, and masking, each with advantages.
Strong encryption makes data completely unreadable to anyone without the decryption key, making it an excellent option for sharing data with third parties.
Tokenization replaces specific data with alphanumeric substitutes, or tokens. While relatively secure, this method of protecting data does not lend itself to easy sharing since the database containing the original data and the tokens it was replaced with must be shared as well.
Masking involves scrambling specific information in such a way that it cannot be linked to a specific identity. The masking can be permanent or dynamic depending on the application and scenario. This method is particularly useful in scenarios where data needs to be accessed and analyzed. Unlike encryption, however, masking does run the risk of reidentification, meaning it may be possible for a bad actor to overcome the masking and link data to individual identities. This is especially the case with basic masking techniques. In contrast, MENTIS has developed a method of Dynamic Data Masking (DMM) that involves advanced data substitution, making it possible to analyze data while adding significantly improved protection against reidentification.
How a Data Security Company Can Help
Given the high stakes involved with the CPRA, and the wealth of challenges that come with remaining complaint, many organizations are turning to data security companies to help them properly secure their data.
Mage has a long history of helping organizations deal with these challenges, providing the means and technical support needed to secure customer data and ensure compliance with even the strictest regulations.