July 1, 2023, marked the enforcement date of The California Privacy Rights Act (CPRA). Companies have been given sufficient time to implement necessary changes to comply with this data privacy law, which protects residents’ data in the state of California.
Penalties for non-compliance with CPRA can now be imposed by the California Privacy Protection Agency (CPPA). This CPRA compliance checklist helps you make sure that your business processes and practices are in line with CPRA requirements so you can avoid costly penalties and reputational damage.
CPRA: A Brief Summary
- The CPRA expands upon the existing California Consumer Privacy Act (CCPA) to strengthen personal data privacy rights and protections for California residents.
- The CCPA is sometimes informally referred to as the “U.S. GDPR” because it is one of the most comprehensive data protection laws in the United States, similar in scope and intent to the General Data Protection Regulation (GDPR) in the European Union.
- One of the key changes in the CPRA is the inclusion of a new category of sensitive personal information, including biometric data, that businesses must take extra caution to protect with appropriate cybersecurity measures. Customers also have the right to tell companies to limit the use of their sensitive personal information.
- Sweeping new changes also come in the form of increased consumer rights around how companies use data, the right to opt out of the use and disclosure of sensitive personal information, and the right to correct inaccuracies.
Checklist for CPRA Compliance
Does Your Company Need to Comply?
It’s important to first make absolutely sure that your company needs to be CPRA compliant. CPRA applies to for-profit entities doing business in California and collecting Californians’ personal data that also meet at least one of the following three conditions:
- Annual revenue (gross revenue) that exceeds $25 million; or
- Buys, sells, or shares personal information belonging to at least 100,000 households or consumers in California; or
- Makes 50 percent or more of annual revenue from selling or sharing consumers’ personal information.
Map Data Flows
Modern IT ecosystems are a complex mix of different endpoints and operating systems, with data being stored in both on-premise and cloud infrastructures. This complexity hampers compliance unless you specifically make the effort to map data flows and adequately protect all categories of personal information that the CPRA requires.
Data mapping helps you understand how data moves through your company’s IT environment. This mapping includes knowing where data comes from, where it’s stored, how it’s processed, and who has access to it.
By mapping data flows, you’ll more easily identify areas of risk or potential non-compliance. These compliance risks or gaps could include insecure data transfers, unnecessary duplication of data, or unauthorized access to data. You can then put in place appropriate safeguards to address those risks (more on this later).
Understand Data Minimization
CPRA is the first U.S. data privacy regulation to codify the principle of data minimization into law. Interestingly, CCPA compliance did not include this principle, which is a cornerstone element of the GDPR that inspired California’s own version. The data minimization principle requires your business to only collect the necessary and proportionate amount of information for processing purposes.
This principle is regarded as an important way to ensure consumer data protection by eliminating data collection that doesn’t serve legitimate business use. The California Attorney General can directly enforce this principle and serve businesses with fines for violations
Know Your Data Retention Constraints
Another big change with CPRA is the need to justify and disclose your data retention policy (how long you retain consumers’ data). This provision ensures companies can’t hold on to the personal data they collect for an indeterminate amount of time.
While there is no time-specific boundary on data retention, the rule states that you must only retain data for a length of time that’s necessary and proportionate to the purposes of collection. It also requires that you disclose your data retention policy to data subjects at the time of data collection.
Update Website Copy
Along with several new rights introduced by CPRA, there are obligations to inform consumers about their rights and other aspects of your data processing activities. For most companies, this will mean a necessary refresh of website copy to bring them into compliance. In particular, focus on updating your company’s website to include the following:
- Add information to your privacy policy about consumer rights to correct inaccuracies, limit the processing of sensitive personal information, and data portability.
- Put an option on your site like “Do Not Sell or Share” so that customers can easily opt out of the sale of personal information or the sharing of their data with third parties.
- Disclose the categories of sensitive personal information your business collects.
Train Employees on CPRA Requirements
One of the best ways to avoid data breaches and compliance violations is to create a culture of compliance at your company. In practice, this should entail at minimum the training of employees on the main elements of the CPRA.
Those responsible for handling consumer requests (i.e., access requests) can get more detailed training on data subject rights, how to communicate, and data hygiene. Consider bringing in an external data privacy expert to deliver training that actually works.
Structure a Process for Handling Consumer Requests
Consumers can submit a range of requests in relation to various rights under CPRA. Without a structured process in place to handle these requests, you may find that requests get ignored or essential elements get forgotten. For example, there are several steps to properly comply with a deletion request, which include not only deleting information from your own systems but also notifying and instructing third parties like service providers or contractors to delete it. This process could also leverage technology that helps you easily track response deadlines and tick off tasks according to how different requests should be handled.
Review Third-Party Contracts
In addition to the many categories of third parties your company likely deals with, CPRA’s contractual requirements also apply to data shared with service providers and contractors. All such contracts must include provisions for the third party, service provider, or contractor to use data only for specified purposes, and ensure the same level of personal data privacy protection as required by the CPRA. You’ll likely need to review and update the wording of any contracts to include these provisions.
Implement Technical Safeguards to Secure Personal Data
Given the various security risks to data in the modern threat landscape – particularly sensitive data like social security numbers – technical safeguards are critical for compliance. And, where the technology is available, try to automate data security to reduce reliance on manual interventions for compliance.
Various technologies and safeguards to consider include:
- Developing a clear and detailed information security policy.
- Using a cybersecurity framework like CIS Controls or NIST CSF to implement the basic technical measures necessary for securing data.
- Encrypting data in motion and at rest.
- Using a data loss prevention solution that works across multiple operating systems to help map data flows and block unauthorized transfers.
Conduct Periodic Audits and Risk Assessments
Annual cybersecurity audits can pinpoint gaps in protection, vulnerabilities, or other issues that put data privacy compliance at risk. Audits help assess whether your existing policies and procedures comply with CPRA. These audits also determine whether employees are following the required policies and procedures in their day-to-day work. Ideally, engage a third-party company for cybersecurity audits.
More frequently, conduct internal risk assessments in which your own security or compliance team attempts to find areas of high privacy risk. Finally, bear in mind that both audits and risk assessments are mandatory for companies whose processing activities pose a significant risk to consumer privacy or security.
Endpoint Protector is an industry-leading cross-platform DLP solution that helps achieve compliance with CPRA through device control and data encryption.
Frequently Asked Questions
Download our free ebook on
GDPR compliance
A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.