By Edward Kost on Thursday, 06 April 2023
Category: Compliance

CPRA (California Privacy Rights Act) Compliance Guide

The California Privacy Rights Act (CPRA) is a privacy law that was passed in California in 2020. It strengthens the security standards of the California Consumer Privacy Act (CCPA), making California's consumer privacy laws more aligned with the General Data Protection Regulation (GDPR). The CCPA gives California residents the right to know what personal data is being collected by companies and whether it will be sold or disclosed to other parties.

The CPRA comes into effect on January 1, 2023, but government enforcement action won't take place until July 1, 2023.

Ideally, your organization should have achieved compliance by January 1, 2022, since the CPRA's look-back provision covers all information collected on or after January 1, 2022.

Whether you're assessing CPRA compliance gaps in your current compliance strategy or creating a framework for a compliance plan, this article will help.

Who Must Comply with CPRA?

The CPRA applies to for-profit organizations that generated $25 million in revenue globally or in the previous calendar year and that have at least one employee in California.

What's the Difference Between the CCPA and the CPRA?

The CPRA expands the conditions under which the CCPA can be violated by broadening consumer rights and strengthening the enforcement of the CCPA's provisions. In other words, it's much easier to break the rules of the CPRA than those of the CCPA.

The primary differences between the two regulations are summarized below:

New Sensitive Personal Information Category

The CPRA introduces a new category of sensitive data: Sensitive Personal Information (SPI). This new category expands the CCPA's definition of "personal information" to include all of the following:

Broadened Provisions

CCPA provisions that have been broadened in the CPRA are as follows:

Strengthened Provisions

CCPA provisions that have been strengthened in the CPRA are as follows:

Broadened Notification Provisions

The following notification provisions have been expanded in the CPRA:

Other CPRA Requirements

Other regulatory requirements under CPRA include:

The following provisions mirror the sensitive data safeguards of the GDPR.

New CPRA Regulation Requirements

The following provisions are new CPRA requirements that differ from the CCPA:

6-Stage Framework for CPRA Compliance

Compliance with the data privacy standards of the CPRA can be achieved with the following framework:

1. Implement a Risk Assessment Solution

To meet CPRA's requirements for regular risk assessments of processes involving sensitive customer data, an ideal risk assessment solution should be capable of creating custom questionnaires to address unique data processing queries.

Because the CPRA was born from the CCPA, CCPA compliance establishes a compliance foundation for the CPRA. If you still need to implement a CPRA compliance program, you could scope the required effort by performing a high-level gap analysis against the security standards of the CCPA.

2. Identify All Processes and Assets Storing Personal Information

To determine the degree of security controls required to meet CPRA's data security standards, you need to identify the types of personal information your business collects and the different processes and assets that utilize them.

With a complex digital ecosystem, this effort can be challenging, but it is possible with digital footprint mapping.

Your digital footprint mapping efforts should extend to the third-party vendor network to identify all third-party vendors with access to personal data. This will allow you to adjust your third-party risk assessment efforts to prioritize vendors with the highest degree of sensitive data access and, therefore, the highest potential of suffering compromise - an effort supporting the CPRA's requirement of focusing on entities representing a "significant risk to consumers" if compromised.

The process of prioritizing high-risk vendors is known as "Vendor Tiering."

3. Review and Update Third-Party Contracts

Update all third-party vendor contracts to include a stipulation to action all consumer personal data deletion requests promptly. Also, update contracts to include stricter data security requirements for all third-party vendors with access to personal data.

4. Design Internal Procedures for Actioning Data Deletion Requests

To prevent personal data deletion requests from being overlooked, design internal processes for actioning all requests and monitoring their completion. Having a documented data deletion process in place will help you fulfill requests from California residents to delete their personal information quickly, ensuring compliance with the data deletion provisions of the CPRA.

5. Deploy Security Controls Across the Cyber Attack Pathway

To minimize the chances of suffering a data breach, security controls should be developed across each stage of the cyber attack pathway - a sequence of cyberattack events common to most data breach attempts.

For best results, your security control strategy should be based on one of the most common styles of cyberattack - ransomware attacks.

6. Monitor Security Postures of all Third-Party Vendors

The CPRA expects all third parties (including service providers and contractors) with sensitive data access to have sufficient security measures in place to withstand data breach attempts.

Each third-party vendor's risk of suffering a data breach can be measured with security ratings - a quantitative measurement of an organization's security posture. With a security ratings solution, you can easily monitor the cybersecurity postures of all your third-party vendors from a single-pane-of-glass view and track deviations in real-time.
