The new California Privacy Rights Act (CPRA), which becomes fully effective as of January 1, 2023, amends and expands the California Consumer Privacy Act (CCPA). For companies struggling to keep up with the latest data privacy regulations, including CPRA, an information governance (IG) framework provides an efficient approach to assessing and adapting to new and changed requirements. Examining new requirements through the lens of an IG framework breaks the privacy requirements into common operational elements and can go a long way to achieving operationalization and compliance.
To illustrate the value of applying an IG framework to privacy requirements, let’s take a closer look at what’s new in CPRA vs. CCPA in eight key operational areas — and what organizations can do now to prepare for compliance with the help of information governance.
CPRA vs. CCPA: An Overview of the New Law
CPRA expands on certain CCPA rules but also brings in many new requirements similar to those of the EU’s General Data Protection Regulation (GDPR). For many organizations that do business or have customers in California, CPRA introduces challenging operational issues, in areas such as consent, disclosure and access practices, data retention and disposal, and third-party vendor management, among others.
Although CPRA does not go into full effect until January 1, 2023, the law includes a “look-back period” that starts January 1, 2022. That means consumer data collected from the beginning of next year will be subject to CPRA requirements.
With this look-back period fast approaching, businesses need to begin preparing now. The best way to do that is to use an information governance framework to understand the obligations of the new rules and operationalize them.
Looking at what the organization is already doing in eight common operating elements of data privacy laws allows a company to:
- Assess the new requirements and where they fit in the existing operational framework
- Adapt and improve current policy, process, technology, and governance to comply with CPRA
The following highlights key changes that CPRA makes to the eight common privacy elements and how an IG framework approach can help companies assess and adapt:
Creation and Collection
Both CCPA and CPRA concern the collection of personal information (PI). PI generally is defined under CCPA as information that “identifies, relates to or describes” or is reasonably associated with a particular individual or household. CPRA expands this definition and adds new requirements for the handling of a subset it calls sensitive personal information. Sensitive PI is information that is not publicly available, such as a Social Security or passport number, racial or ethnic origin, account log-in or financial account numbers in combination with passwords or access codes, precise geolocation, and health or genetic information. As we’ll see later, CPRA’s definition of sensitive PI determines what a company can do with this information and how a consumer can restrict its use.
Assess and Adapt
Companies currently operating under CCPA should have established processes for the collection of personal data, including how to define it for their company’s operations, how to track and safeguard it and how to ensure that only data that is specifically needed is collected. Under CPRA companies will need to determine whether any sensitive PI is being captured and, if so, how their current operating model must be enhanced to ensure proper governance.
Notice and Consent
Both CCPA and CPRA require a notice to be given to the consumer at the time of collection of any personal data. As we’ve discussed, the addition of the concept of sensitive PI to CPRA imposes additional responsibilities on companies, not only to protect this category of data but also to ensure that proper notice is provided to the consumer explaining what they are allowed to restrict in terms of the use of their data. CPRA also adds protections for minors: a business that knows a consumer is under 16 may not sell or share that consumer’s information for behavioral advertising purposes unless the consumer (or, for children under 13, a parent or guardian) has specifically opted in.
CPRA adds concepts that are used in GDPR. One of these is that of purpose limitation. Purpose limitation means that companies may not collect data for a new purpose that is incompatible with the original purpose for collecting the data, without first notifying the data subject.
With respect to consent, under CPRA consumers now have the following additional rights:
- Right to restrict the use of sensitive PI, including disclosure of sensitive PI to third parties
- Right to opt out of the use of automated decision-making technology, including profiling
- Right to opt out of the sharing of their information with third parties
Assess and Adapt
To comply with these provisions, companies will need to amend their privacy notices to ensure consumers are aware of their new rights and then take action on opt out requests.
Proper Use
A second GDPR concept that is now enshrined in CPRA is that of data minimization. Data minimization means that a company’s collection, use, and retention of data should be limited to what is reasonably necessary and proportionate to the purpose for which it was collected. Companies will need to be able to explain why they are collecting particular data and show that it serves the purpose disclosed to the consumer.
Another GDPR concept now included in CPRA is that of storage limitation, which means that companies must establish retention periods for data types and disclose these to consumers at the time of collection. PI (especially sensitive PI) must be retained only as reasonably necessary.
Assess and Adapt
Existing processes and technology may need to be enhanced to ensure that extraneous data is not being collected. If a company currently does not have specified retention periods for its data types, it will need to institute them. Companies will then need to be more proactive in deleting data so that data is disposed of once it has served its purpose.
Sharing
CPRA’s revenue threshold now covers not only companies that earn 50% or more of their annual revenue from selling consumer information, but also those that reach that threshold through sharing information (disclosing it for cross-context behavioral advertising). As noted above, CPRA allows consumers to opt out of the sharing of their information with third parties.
The law adds a new category of “contractors” to the existing CCPA category of “service providers” with whom PI can be shared. Both service providers and contractors must certify that they understand and will comply with contract provisions pertaining to the processing of consumer data, including assisting the business with responding to data subject access requests.
Assess and Adapt
Companies using third parties will need to assess their current contracts and enhance them to ensure the contracts specifically cover privacy-related issues and incorporate CPRA’s new requirements.
Safeguarding
Both CCPA and CPRA require a business to implement reasonable security procedures to safeguard consumers’ data. The addition of sensitive PI under CPRA means that more data (and more types of data) will need suitable protections in place to prevent unauthorized access, exfiltration, or disclosure.
Assess and Adapt
Companies will need to reassess current data protection protocols, not only of their own operations, but those of their third-party vendors as well.
Data Subject Access Requests (DSARs)
Under CPRA, consumers will have a new right – they may request correction of any of their data held by the company if they believe it is incorrect. This provision in CPRA will have a direct effect on how a company processes its data subject access requests (DSARs).
CPRA also provides consumers with the right to access information about whether a company uses their data in automated decision making.
Assess and Adapt
Companies subject to CPRA will need to expand their existing response protocols and ensure that they have in place a mechanism to correct a subject’s data upon request. Companies using automated decision making must be prepared to answer these requests and describe what effect this automated decision making has on the data subject.
Data Breach Management
With respect to data breaches, CPRA does not materially differ from CCPA, although there is one key change. The consumer’s private right of action now also covers breaches of an email address in combination with a password or security question and answer that would permit access to the account, where the breach results from the company’s failure to maintain reasonable security procedures.
Assess and Adapt
Companies may therefore need to strengthen the controls around account credentials: salted one-way hashing of stored passwords (rather than reversible encryption), encryption of other PI at rest and in transit, and additional cybersecurity measures such as access monitoring for the systems that hold such data.
Documentation
The CPRA establishes a new, dedicated organization, the California Privacy Protection Agency (CPPA), to enforce data privacy compliance for the state. In addition to interpreting the law, performing investigations, and imposing fines (which CPRA raises for violations involving the personal information of consumers under 16), the CPPA may require risk assessments and cybersecurity audits from companies whose data processing presents significant risk to consumers.
Assess and Adapt
To prepare for the possibility of new auditing requirements, organizations need a mechanism in place to document how they have operationalized compliance with the rules established under CPRA. Looking at current internal risk and audit protocols to see where they can be enhanced to meet CPPA requirements is a good first step to implementing a sound data privacy risk assessment process.
Ensuring CPRA compliance with the help of IG
An IG program provides a structure for documenting and managing data collection, use, sharing, retention, and disposal policies across the organization. It identifies where PI is stored, making it easier to find the data you need — whether in response to DSARs, audits, or other investigations — and to dispose of it according to regulatory requirements.
An IG program allows you to create an operating model that can expand or adapt in response to evolving data privacy laws, adjusting what you are already doing or, in some cases, putting new data policies and processes in place to meet the requirements of CPRA or other mandates. Instituting a sound framework for operationalizing privacy requirements can go a long way to demonstrating a good faith effort to comply with the law.
To learn more about how IG can help you operationalize data privacy across your organization, please contact matthew@bernsteindatao.wpenginepowered.com or visit us at www.bernsteindata.com.