Demystifying Proposition 24 (CPRA/CCPA 2.0)
A casual conversation with Zak Rubinstein (Founder & CEO of 1touch.io®) and Odia Kagan (Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP) turned into a mentoring session
In the attempt to strengthen consumer privacy protection, Californian voters approved the ballot measure for California Privacy Rights Act (CPRA) on November 3, 2020, and rightfully so. Proposition 24, also known as CPRA, aims to alter and expand the current California Consumer Privacy Act (CCPA) — the most stringent law for consumer privacy protection in the United States. To me, this means the security and privacy leaders must adapt their privacy programs so that they don’t expose their organizations to loss through fines and reputational damages.
According to Gartner analysts [cited in The State of Privacy and Personal Data Protection, 2020-2022], “the pace of privacy regulations accelerated through 2020 and has raised the stakes for organizations looking to standardize a global policy when handling personal data. There has been a notable increase in the data subject complaints indicating expectations regarding privacy compliance have not normalized and continue to mount. Despite rapid advances in data privacy solutions, there is a significant lag in its adoption, which exposes organizations to expensive manual processes, fines, and potential litigation.”
Well, a couple of weeks ago, I was on a call with Zak and Odia discussing a few items on the planned agenda. I casually started asking questions about regulations diving specifically into CPRA (then, in the ballot) to clear my apprehensions around it. Indeed, we couldn’t get through the meeting agenda, but boy, I loved the conversation as it turned into a mentoring session for me picking their brains. Here’s the snippet of my conversation with them that enlightened me on this regulation and how businesses can prepare.
Arun: Has anything changed since the CCPA became enforceable? Have any companies been penalized yet?
Odia: On the first day the law became enforceable, July 1, the AG issued a “double-digit number” of notices of non-compliance to companies in various industries. To date, no penalties have been made public. The AG states that key points of attention are children’s information, and the Do Not Sell Button. The AG’s office has said that his team is reviewing publicly available websites, reviewing complaints from consumers as well as from competitors. In addition, since the law came into effect (in January) a multitude of class-action lawsuits have been filed against companies.
Arun: How would the CPRA differ from CCPA, and how can businesses prepare for its passing?
Zak: CPRA includes several concepts that are closer to, or borrowed from, GDPR. What companies need to do depends on how far along they are in their compliance framework. If they are pretty well into CCPA/GDPR, then they would likely need to focus on the following concepts:
- Data minimization and data retention limitation (the requirement to collect only the data you need and to retain it, in identifiable form, only for as long as required),
- Profiling and automated processing (demands development of regulations governing access and opt‐out rights concerning businesses’ use of automated decision‐making technology)
- Enhanced penalties for mishandling children’s private information
- Data correction (enable consumers to request correction of inaccurate personal information taking into account the nature and purposes of the processing of it)
- Regular audits and risk assessments for businesses undertaking high-risk processing (to be issued by the new California Privacy Protection Agency)
Arun: Several states, including Massachusetts, New York, Hawaii, Maryland, and North Dakota, have passed their own privacy laws in the wake of CCPA. How do these laws differ from each other, if at all? How can companies comply with all of them?
Odia: The fact that the US privacy law is still, and at least for a while will continue to be, a patchwork quilt of different laws creates an added challenge for compliance. That is inescapable. However, some things to do are:
- Have a strong information security framework with the right technical, physical, and organizational (policy) safeguards. That will be sufficient for most laws, as the relevant standard in most is “reasonable” protections and
- Have a strong privacy framework which focuses on the universal privacy principles of transparency, purpose limitation, accountability, choice/consent; access/participation, proportionality, fairness, enforcement/redress.
Washington has introduced, for the third time, the Washington Privacy Act. While modeled after CCPA, there are a few additional requirements that companies should keep in mind for the WPA, such as (a) adding a right to correction, (b) expanding the right to opt-out, (c) establishing a consumer rights appeal process, (d) ensuring you have data processing agreements with your sub-processors, and (e) conducting data protection assessments for certain processing activities (e.g., sales of personal data, targeted advertising, and sensitive data). While there has been a lot of activity across the country, many consumer privacy bills have either died in committee or have been turned into a study or task force. For example, multiple bills in New York and Maryland all died in committee, while bills in Massachusetts, Hawaii, and North Dakota have all been turned into studies/task forces to research the issue and brief the state legislatures.
Arun: Should U.S. companies be concerned about international regulations like Brazil’s General Data Protection Law (LGPD)? What is required to comply?
Zak: Yes. LGPD has extraterritorial application and applies to companies wherever they are, that is, (1) if they collect or process data in Brazil or (2) if the processing of data is to offer or provide goods or services in Brazil. LGPD is modeled after GDPR and therefore, in many respects, is stricter than CCPA. For compliance with LGPD, US-based companies would do well to focus on:
- Confirming and documenting a legal basis for their processing
- Data Minimization and retention limitation
- Data protection impact assessment
- Cross-border transfers (assessing and documenting)
- Profiling and the right to review automated processing
- Broader individual rights, including the right to opt out, the right to non-discrimination, and the right to correct.
What does it mean to you?
According to Gartner, by 2023, 65% of the world’s population will have their personal information covered under privacy regulations, up from 10% today. Companies that earn and maintain digital trust with customers will see 30% more digital commerce profits than their competitors. Besides fines and litigation, Subject Rights Requests (SRR) left unmanaged have the potential to cost organizations millions of dollars on an ongoing basis.
First & foremost, define privacy metrics by identifying your organization’s current capacity to address Prop 24. Next, plan to incorporate the demands of the regulation into the organization’s data strategy by adopting new processes, and comprehensive tools and technologies that provide cost optimization, improve productivity, and enhance business agility (i.e., data privacy and security cannot afford to be cost centers, knowing the plight of businesses today). Remember, a transparent and trustworthy customer experience, one that assures customers they have control over the use and sharing of their data, will be rewarded.
Even though CPRA (and its regulations) takes effect on January 1, 2023 (CCPA remains in effect until then), organizations should be looking ahead and taking all the necessary precautionary measures to be well-positioned for CPRA compliance.
How can we help?
Understanding where an organization’s sensitive data resides helps to better understand how well the controls for managing the risk are working. Large amounts of data moving across the organization make it difficult to know where the sensitive data is at any given instant. 1touch.io empowers enterprises with an AI-based platform for sustainable discovery and management of data in their ecosystem for Privacy, Security, and Data Governance. Our flagship platform, Inventa™, is a cutting-edge data discovery and classification platform that provides automated, near real-time discovery, mapping, and tracking of all sensitive data at enterprise scale. We automatically discover and analyze all data usage and lineage, even if you have no idea what data you have or where it exists. Inventa provides sustainable discovery of sensitive data across the enterprise, and categorizes and organizes the information. It assumes zero trust in data input and will determine where to scan in a given environment to support a zero-trust approach. Every company has a different set of security controls that can leverage this data asset information for risk management, controls assessments, incident response, and privacy management.