What does the CPRA mean for US businesses?

Acronyms such as the CCPA, GDPR, and CPRA have become all too common today. When the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, it started a conversation among businesses dealing with California residents about how to adapt to and comply with what is considered one of the harshest pieces of consumer-focused digital privacy legislation.

With the CCPA in effect, businesses that fall under the scope of the law have had to make a considerable number of changes in the way their websites and other digital assets collect, process, and share the personal data of California residents. Changes such as amending outdated privacy policies, implementing safeguards, honoring data subject rights, issuing prompt data breach notifications, and more are just some of the requirements.

Goodbye CCPA, Hello CPRA

Shortly after the CCPA's enactment, however, an extension of it was passed: the California Privacy Rights Act (CPRA). The CPRA is California's counterpart to the European Union's General Data Protection Regulation (GDPR), taking its inspiration from what is perhaps the most stringent data privacy law in force today. The CPRA was signed into law in November 2020 and will take effect on January 1, 2023.

Among its several new provisions, the CPRA allows California residents to opt out of firms sharing their personal information, imposes hefty penalties on businesses that violate the state's data privacy rules, and establishes a new enforcement agency to govern the law.

Even though the CPRA is California legislation, it will have far-reaching implications for businesses across and outside the country that deal with California residents. Simply by dealing with California residents, a business must ensure it complies with the requirements of the CPRA.

What Does the CPRA Bring to the Table for US Businesses?

Although most of the CPRA's provisions will not be implemented until January 2023, and enforcement will not begin until July 2023, the law will apply to information that businesses acquire from California residents beginning January 2022.

Before a business within or outside the US begins to comply with the CPRA, it must ensure the following:

Applicability

Under the CPRA's amended thresholds, a firm is subject to the law if it meets any of the following criteria:

  • Annual gross revenues greater than $25 million in the preceding calendar year
  • Handling the data of 100,000 or more consumers
  • At least 50% of revenue from selling or sharing data

If a business falls under the category highlighted by the CPRA, it must ensure its entire operations comply with the law's requirements to avoid penalties and reputational damage.

Update Policies & Practices

Under the CPRA, businesses need to develop and/or change processes to allow consumers, employees, and other individuals engaging with the business to exercise their new data privacy rights. Businesses will have to devise opt-out functionality and honor such requests.

Additionally, businesses must update their websites, other digital domains, and privacy policies to reflect compliance with CPRA’s additional requirements. The website should also offer visitors an option to opt-out from the sharing and selling of their personal information.

Improved Security Safeguards

Since the CPRA empowers California residents to reach out to businesses that process or share their personal information without permission and even file lawsuits, businesses should immediately prepare to beef up their security defenses.

The last thing a business wants is to fall victim to a data breach without having the necessary safeguards in place and to expose data subjects' personal information. In that case, the business would not only face the wrath of the regulatory body but also get slammed with lawsuits and massive penalties.

Sensitive Personal Information

Taking inspiration from the EU's GDPR, the CPRA introduces a new sub-category of personal information called Sensitive Personal Information. It refers to higher-risk, sensitive information about an individual that, if made public or if it fell into the wrong hands, might cause considerable harm to that individual.

Honor Data Subject Rights

Consumers can prevent organizations from using, disclosing, or exchanging their sensitive personal information with third parties. If a customer requests to access their personal information, the business must disclose the categories of personal information collected, disclosed, sold, and shared with others.

Additionally, businesses need to detail the categories of sources from where the personal information is collected, the commercial purposes for collecting, selling, or sharing, and the categories of third parties with whom the personal information is shared.

Honor Consent of Minors

The CPRA forbids the sale of the personal information of those under the age of 16 without consent. Children between the ages of 13 and 16 have the freedom to consent themselves. As for those under 13, their parents need to provide consent. Businesses must ensure that consent is being acquired freely, as the CPRA triples its penalty for infractions involving the personal information of children under 16.

Conduct Cybersecurity Audits

According to the CPRA, organizations whose processing of personal information "poses a serious risk to customers' privacy or security" must conduct an annual cybersecurity audit. Apart from conducting cybersecurity audits, businesses should regularly conduct Data Protection Impact Assessments to discover vulnerabilities and devise ways to minimize risk as early as possible.

Penalties

Under the CPRA, organizations can be penalized up to $7,500 for intentional violations and $2,500 for unintentional violations. Furthermore, if the organization knew that the personal information belonged to a child under 16, the fine for each such infraction is $7,500.

Why do Businesses Need to Comply with the CPRA?

Among many reasons why businesses need to comply with the CPRA, here are a few:

  • Gaining the trust of consumers
  • Avoiding reputational damage
  • Avoiding penalties from the regulator

With consumers becoming increasingly aware of their rights, businesses need to respect those rights and ensure they have mechanisms in place to honor them. If a company does not follow these rules, it may hurt how customers perceive it and compel regulatory bodies to take the strict action granted to them by the law.

In light of these considerations, businesses in the US and abroad should closely watch California's laws and become familiar with the CPRA's new strict rules and criteria. The sooner the CPRA's regulations are understood and implemented across a business, the faster and less expensive compliance will be.

Originally published at SecurityMagazine: https://www.securitymagazine.com/articles/97310-what-does-the-cpra-mean-for-us-businesses
