Proposition 24, enacted through the recent November elections, is set to change and expand California’s data privacy legislation. The California Consumers Privacy Act (CCPA), the previous legislation and set of rules regarding data privacy, will be replaced by the California Privacy Rights Act (CPRA) on January 1st, 2023. The details of these changes will be worked out over the coming months; however, the broad and major changes are set in stone. Of these changes, there are five major changes that look to have the largest impact on organizations. These changes include a new enforcement agency, the introduction of new concepts such as “sensitive” personal information, and the empowerment of consumers regarding their data and privacy rights.
The CPRA introduces a new enforcement agency, the California Privacy Protection Agency (CPPA)
Known as the California Privacy Protection Agency (CPPA), this new agency will operate similarly to agencies that currently exist in other countries. The CPPA will be tasked foremost with providing guidance on implementing the CPRA and investigating CPRA violations, conducting hearings, and issuing sanctions. The board will consist of five people, two appointed by the governor of California, with the other three selected by the California State Assembly, Senate, and Attorney General.
The CPRA introduces the concept of “Sensitive Personal Information.”
A significant change the CPRA introduces is differentiating personal information from “sensitive” personal information. According to the new law, sensitive personal information includes identification numbers, such as Social Security numbers, driver’s license numbers, identity card or passport numbers, account credentials, credit card details, geolocation information, and communications content in emails and text messages (if a business is not the recipient of the communication). It also includes data elements such as religious or philosophical beliefs; union membership; health, genetic, and biometric data; and information related to an individual’s sex life or sexual orientation. Consumers will now have the right to ask a business not to disseminate sensitive personal information as well.
The CPRA now empowers consumers with several rights regarding the data that companies use.
The preexisting CCPA already included the right to deletion for consumers, but the CPRA takes it up a notch. The CPRA will ensure businesses cooperate with deletion requests and allows firms to keep records of these requests for future reference. The CPRA also introduces a right to correction for consumers, allowing them to request companies to correct inaccurate personal information. Lastly, the CPRA extends consumers’ rights to request data collected on them further than the previous 12-month limit, if companies have that information.
Under the CPRA, consumers may opt-out of certain data collections for advertising purposes.
Many companies use cross-context behavioral advertising, which leverages individual consumer profiles for advertising purposes. Now consumers have the ability to opt-out of these forms of data collection. This also changes how companies present consumers with the option to opt-out. No longer will businesses be able to ask consumers to broadly “accept all” to preferences regarding data collection.
The CPRA empowers consumers to claim compensation or other recourse that a court deems necessary to make up for the breach.
As of right now, when nonencrypted or nonredacted information, such as login information, is granted unauthorized access, it’s considered a data breach according to the CCPA. The CPRA will now allow consumers affected by breaches to claim compensation or recourse necessary to make up for the breach. If courts find that breaches were a result of negligence, they may seek administrative enforcement against an organization.
While these rules are being enacted in California, organizations across the United States should be aware of these changes. A wave of comprehensive privacy regulation is set to hit the US soon (See Figure Below). Nevada and Maine have already signed similar legislation, and about half of the states are at some point in the legislative process. In states where privacy bills are shot down before being signed, they will be reintroduced with mild changes. It’s not a matter of if, but rather when will privacy legislation be introduced.
The good news is companies have until the Jan. 1st, 2023, enforcement date to comply with changes introduced in the CPRA. Bills passed in other states will likely have similar grace periods. The questions now are what is your organization doing currently to prepare itself for this transition; how will these regulations affect your organization specifically, and how will your organization efficiently and adequately navigate these new cyber regulations? Secuvant can answer these questions and more, providing the proper guidance your organization needs to navigate the changing legal environment. We’ve specialized in providing small and medium-sized organizations with personalized cybersecurity services that align with your organization’s goals and budget. Implementation and compliance with new regulations won’t come overnight. Click here to learn more about Secuvant’s superior cybersecurity services, how we can benefit your organization, and to talk to a Secuvant Expert today.
Located in Salt Lake City, Utah, Secuvant is a global leader in integrated cyber threat analytics and risk advisory services, built on a value system of client focus, integrity, accountability, execution, and teamwork. Secuvant’s mission is to provide clients with a Clear Path Forward in their pursuit of establishing an acceptable security risk posture. Secuvant’s success is built upon strict adherence to its values, a functioning world-class advisory board, the unique combination of cybersecurity expertise and industry / vertical specialization, and a team of experts that repeatedly deliver best-in-class managed and advisory cybersecurity and risk services. Secuvant understands Cyber Risk is Business Risk™ and uses methodologies and metrics aimed at minimizing business risk. Services include, but are not limited to, Security Gap and Risk Assessments, Risk Program Management, Executive and Board Cyber Advisory, Penetration Testing, Security Monitoring, Managed Detection and Response and Incident Response services. To learn more, visit www.secuvant.com.
Rippy, Sarah. US State Comprehensive Privacy Law Comparison, International Association of Privacy Professionals, 14 Jan. 2021, iapp.org/resources/article/state-comparison-table/
Royal, K. “What You Need to Know About California’s New Privacy Rules.” Dark Reading, Informa PLC, 4 Jan. 2021, www.darkreading.com/risk/what-you-need-to-know-about-californias-new-privacy-rules-/a/d-id/1339749?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple