Learn all about California Privacy Rights Act
California Privacy Rights Act ('CPRA'): Insights into the proposed legislation. © 2022 Tsaaro. All rights reserved.
Overview

The State of California Consumer Privacy Act ('CCPA') has been considered a legislation protecting the privacy of consumers and the rights vested in them in this regard. The California Privacy Rights Act ('CPRA') is round the corner and has increasingly garnered the attention of organizations and entities processing personal data, which need to understand whether the CPRA is applicable to the activities undertaken by them. It is therefore pivotal to understand the law and its essential obligations. The CPRA modifies the previous State of California law on data protection and privacy, the CCPA. In 2020, a comprehensive statewide data privacy statute was signed into law. However, it will become fully enforceable on July 1, 2023, with retroactive application to January 1, 2022. The bill aims to reinforce the State of California's position as the leader in data privacy legislation in the United States by dramatically expanding the existing CCPA.

Target Audience

This whitepaper seeks to analyse the law and compare it to other notable legislative frameworks on data privacy and protection, like the California Consumer Privacy Act and the General Data Protection Regulation. It tries to provide an overview of the proposed law. It is tailored to a wide range of audiences, including senior and mid-level IT management, programme managers, and compliance leaders, to help them comprehend the goals of the CPRA and the obstacles they may encounter in demonstrating compliance with this proposed legislation. It also intends to generate discussion among secondary audiences, such as students and academics, to help them comprehend the complexities of the proposed bill and its provisions.
Introduction

The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, was approved by a majority of voters on November 3, 2020, after appearing on the ballot for the state's general election. It builds upon the California Consumer Privacy Act (CCPA) of 2018, which provided the groundwork for consumer privacy legislation. The law will go into effect on January 1, 2023, and it will apply to personal information obtained on or after January 1, 2022.

Problem Statement

The CPRA is an addendum to the CCPA, adding new sections about privacy protection authority, consumer rights, etc. The proposition establishes additional provisions in State of California law, allowing consumers to prevent businesses from sharing their personal data, to correct inaccurate personal data, and to limit businesses' use of "sensitive personal information," including precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information. Considering this, businesses and organizations processing personal information would have to look out for compliance with the CPRA and the possible repercussions of any non-compliance.

Structure

This whitepaper covers the following aspects:
- Scope of the Bill
- Key changes brought by CPRA
- Key topics under CPRA
- Exemptions under CPRA
- Who needs to comply with CPRA
- Rights of consumers under CPRA
- Comparison with GDPR
- Enforcement and liability
- Challenges posed by the CPRA to businesses involved in data processing
- Conclusion
SCOPE OF THE BILL

The compliance requirements under the CPRA are different from the CCPA. All the compliance requirements stem from the definition of 'business.' As defined under the CPRA, a 'business' is a legal entity that conducts business in the State of California, acts for financial gain, collects (or has collected on its behalf) the personal information of consumers, and fits one of the following criteria:
1. As of January 1 of the calendar year, had gross revenue in excess of $25,000,000 in the preceding calendar year;
2. Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
3. Derives 50% or more of its annual revenue from selling or sharing consumers' personal information.

In addition, the scope of entities required to comply with the CPRA is potentially increased by the definition of common branding. Common branding is the use of a shared name, service mark or trademark by two or more businesses in a manner which would lead the consumer to assume that the two or more entities are commonly owned. Under the CPRA, the exchange of information from a business to a firm that uses common branding brings the latter company under the jurisdiction of the CPRA.

The CPRA introduces two new ways for a business to qualify as an "enterprise". First, a joint venture or partnership comprised of enterprises in which each business owns at least a 40% stake will result in the joint venture being regarded as a "business" subject to the CPRA. Lastly, any company can self-certify compliance with the CPRA, thereby agreeing to be governed by the law.
KEY CHANGES UNDER CPRA

1. CONSUMERS' RIGHT TO CORRECT INACCURATE PERSONAL INFORMATION

The CPRA grants consumers the opportunity to amend erroneous personal information. It states that:
- A consumer has the right to request that an organisation rectify any erroneous personal information about them.
- A business that collects consumers' personal information must notify them of their right to request the correction of erroneous information.
- A business that receives a verifiable consumer request to update erroneous personal information is required to take commercially reasonable measures to comply with the consumer's request.

2. UPDATED CONSUMER PRIVACY RIGHTS

The CPRA contains a variety of strengthened privacy protections, including:
- A consumer's right to limit the collection, use, and disclosure of sensitive personal information.
- Additional recourse possibilities for victims of online security breaches such as the theft of sensitive personal data and financial data.

3. LIMITATIONS ON TRACKING

The CPRA aims to restrict geolocation tracking by expanding consumer rights. Within a specified radius, consumers will be able to stop businesses from tracking their geolocation for the majority of purposes.

4. ADDITIONAL PROTECTION FOR MINORS

Under the CPRA, State of California's minors, identified as individuals below the age of 16 years, will enjoy greater safeguards than they had under the CCPA. Contrary to its predecessor, the CPRA forbids the sale of a minor's personal information without permission, and consent may entail opting in rather than opting out. In other words, children are automatically protected by the CPRA, and in some situations the penalties for noncompliance will be three times as severe as before. Where businesses intend to sell or share the personal information of minors under the age of 13, the affirmative consent of the parent/guardian is required, whereas for minors between the ages of 13 and 16, the affirmative consent of the minor is considered adequate.
5. EXPRESS INFORMATION SECURITY REQUIREMENTS

Businesses must "establish appropriate security measures and processes" to protect personal information against unauthorised or illegal access, destruction, use, modification, or disclosure. However, the CPRA fails to define any specific standard or certification regarding data security requirements and thus stands vague in that respect.

6. ANTI-RETALIATION CLAUSE FOR EMPLOYEES

Before employee rights became a concern, businesses frequently resorted to retaliation against employees who opposed the corporation and exercised their legal rights. The CPRA contains a revised and reinforced anti-retaliation provision which states that a business shall not discriminate against a consumer based on the consumer's exercise of any CPRA-protected right. A firm may not discriminate against a customer by:
- Denying the consumer access to goods or services.
- Charging different prices or rates for goods and services.
- Providing the consumer with a different level or quality of goods or services.
- Implying the consumer will receive a different price or rate for products or services, or a different level or quality of goods or services.

7. RIGHT TO KNOW LENGTH OF DATA RETENTION

While the CCPA does not directly address data retention, the CPRA does. It permits enterprises to store personal information only when it is "necessary and proportional" for collecting, processing, and other reasons that are properly declared. According to the look-back provision, even if a business receives a request to know on January 1, 2023 (the day the law goes into effect), it should be prepared to provide information going back to January 1, 2022.

8. EXPANDED INITIAL NOTIFICATION OBLIGATIONS

The CPRA strengthens the disclosure requirements for privacy notices posted at or before the actual point of collection.
Businesses that collect consumers' information must:
- Disclose whether the collected information will be sold or shared;
- Identify the sensitive personal information that will be collected;
- Disclose either the duration of information retention or the criteria used to determine it;
- Disclose, using a noticeable notification, if they do not collect information.
KEY TOPICS UNDER CPRA

1. California Resident

The CPRA applies to the personal information of California residents, which are defined in State of California tax regulations as:
- an individual who is in California for other than a temporary or transitory purpose; or
- an individual domiciled in the State of California who is outside of the state for a temporary or transitory purpose.

2. Personal Information

The CPRA defines personal information as "information that identifies, refers to, describes, is reasonably capable of being associated with, or is reasonably capable of being linked, directly or indirectly, with a specific consumer or household." It comprises information such as a person's real name, alias, mailing address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's licence number, or passport number, among other identifiers.

3. Sensitive Personal Data

In addition, the CPRA adds a new subcategory of personal data known as "sensitive personal data." This subcategory includes:
- Background and ethnicity (political opinion, sexual orientation, etc.)
- Genetic/biometric data
- Health data
- Financial account information
- Precise geolocation data
- Contents of mail, e-mail and text messages
- Government-issued IDs
EXEMPTIONS UNDER CPRA

Medical Information: Information governed by the Confidentiality of Medical Information Act (the "CMIA"), or protected health information ("PHI") collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH").

Personal Information: Personal information gathered as part of a clinical trial or other biomedical research study. Personal information obtained by a business concerning an individual as a job applicant, employee, owner, director, officer, medical staff member, or independent contractor. B2B contracts are exempted.

Vehicle Information: Information about the car or its ownership that is retained or shared between a new vehicle dealer and the manufacturer.

Credit Information: Activity involving the collection, maintenance, disclosure, sale, communication, or use of any consumer credit information.
GENERAL DUTIES OF BUSINESSES UNDER CPRA

1. Follow the basic privacy principles, such as data minimisation, legitimate purpose, storage limitation, accuracy and transparency, non-discrimination and data retention (restriction).
2. Businesses must provide notice disclosing the collection of sensitive personal information and the purpose of such collection.
3. The CPRA requires enterprises to have contractual agreements in place not only with service providers and contractors, but also with third parties to whom the businesses sell or distribute personal information.
4. Businesses shall use adequate security measures to prevent unauthorised access to or disclosure of such information.
WHO NEEDS TO COMPLY WITH CPRA

The CPRA applies to any entity organised and operated for profit or financial gain that:
01. Carries on business in the State of California;
02. Collects the personal information of consumers;
03. Determines the purpose and means of processing; and
04. Satisfies the definition of business under the CPRA (see Scope of the Bill above).

However, a business does not need to comply with the CPRA if its commercial activities take place outside of California.

ENFORCEMENT AND LIABILITY

The CPRA transfers enforcement authority from the Attorney General of the State of California to a new privacy-focused agency, the California Privacy Protection Agency (CalPPA). When facing an enforcement action, businesses will no longer be afforded the CCPA's 30-day cure period before being fined by CalPPA for a violation. In addition, the CPRA establishes an automatic $7,500 fine for violations involving minors' personal information. In addition to the existing private right of action for breaches of unredacted and unencrypted personal information, the CPRA grants consumers a private right of action if an email address, password, or security question and answer that would allow access to an account is compromised.
COMPARISON WITH GDPR

1. Scope / Applicability
EU GDPR: The GDPR applies to organisations that have a presence in the EU, or whenever the data of EU residents is processed, irrespective of the company's location.
CPRA: The CPRA extends to businesses that are located in the State of California and to all businesses that, despite not being located in the State of California, do business in the State. The criteria for qualifying businesses have been laid down as well.

2. Data Subject Rights
EU GDPR: right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object.
CPRA: right to be forgotten, right to opt out from having information sold, right to equal service and price, right to receive information on privacy practices and access information, right to deletion, right to receive information about onward disclosures, right to prohibit sale of information.

3. Obligations of Controllers / Businesses / Covered Entities
EU GDPR: The GDPR elaborately lays down the obligations and duties entrusted to controllers and processors individually, in furtherance of ensuring the protection of the personal data so processed.
CPRA: The CPRA does not provide for the obligations and duties of controllers and processors individually in an elaborate manner.

4. Penalties
EU GDPR: The penalty under the GDPR is defined, and the fines and penalties imposed under Article 83 are flexible and scale with the firm. Administrative fines are determined up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
CPRA: The maximum penalty under the CPRA for any violation is $7,500. A business that does not act upon a violation under the CPRA within 30 days is liable to a civil penalty of not more than $2,500 for each violation and $7,500 for any intentional violation.
CPRA Compliance Toolkit for Businesses

1. Determine if your company is subject to the CPRA.
2. Take advantage of the CPRA to review and update your CCPA compliance programme.
3. Update your personal information database.
4. Determine if sensitive personal information is collected.
5. Establish a method for implementing the right to correct personal data.
6. Establish a procedure to implement the right to restrict the use and disclosure of sensitive personal information.
7. Address compliance requirements for your vendors.
8. Address the CPRA's limitations on collection, use and retention.
9. Determine if your company engages in "profiling".
10. Determine if your organisation is subject to the new risk assessment and audit requirements for high-risk organisations.
11. Refresh your current privacy education programmes.
12. Draft appropriate policies for data retention, incident management, etc. as per the new provisions.
13. Determine the policies and procedures to be implemented to deal with minors' data, considering the new provisions about minors' data in the CPRA.
14. Enable opt-outs to stop the sharing of personal data for behavioral advertising based on the consumer's activity.
15. Businesses are not permitted to store a consumer's personal information on devices while the consumer is in California and later collect that information when the consumer is not in California.
RIGHTS OF CONSUMERS UNDER CPRA

- Right to Delete Personal Information
- Right to Rectification of Incorrect Information
- Right to Access Personal Information
- Right to Limit Sensitive Personal Information
- Right to Access Information About Automated Decision-Making
- Right to Opt-Out of Automated Decision-Making Technology
CHALLENGES POSED BY THE INTRODUCTION OF CPRA

The CPRA expands consumer protections and imposes new obligations on businesses. Some of the definitions have been changed and the mandate of some additional rights has been expanded, for example the right to opt out of processing. With the enactment of the CPRA, businesses must revise and update their compliance programmes. The CPRA requires entities to provide a 12-month personal data report to residents; in this regard, businesses will need to improve their data mapping procedures. Organizations will also be required to disclose whether they have applied artificial intelligence to any personal data.

The CPRA extends its protections to State of California residents in their roles as employees, applicants, independent contractors, and other work-related roles, i.e. HR individuals. As consumers, HR individuals will have access to six data rights. These include the rights to access, correct, and delete personal information; the right to opt out of the sale or sharing of their personal information; the right to restrict the use of their sensitive personal data; and the privilege of not being punished for exercising these rights. As a consequence, CPRA compliance challenges may include a review of existing practices and the implementation of modifications to contracts, privacy notices, individual rights response procedures, and other privacy operations.
To effectively comply with CPRA requirements, employers can make the following efforts:
- Develop and document a retention policy that complies with employer data retention requirements;
- Draft a CPRA-compliant employee privacy policy;
- Comprehend the information that the organisation collects, the categorization of data, the location of data, and the steps to access, correct, or delete data;
- Examine existing contracts with service providers and ensure CPRA compliance;
- Identify the legal, HR, and technological support responsible for the efforts required to build a privacy compliance programme;
- Develop procedures for responding to requests from employees.
CONCLUSION

The CPRA is the most comprehensive consumer privacy law in the United States to date, and additional privacy legislation is likely to follow. To ensure compliance with the CPRA, organisations will need to become more intelligent and transparent about the information they collect, on whom, and how they use it. The most effective method for completing these tasks is to plan ahead and determine what resources are required, including internal and external support. Given that data governance and security compliance programmes necessitate time, attention, and effort from all facets of a business, it is prudent to integrate the appropriate technology to ensure compliance.
WHY TSAARO?

Tsaaro provides privacy and cybersecurity services to help organizations meet regulatory requirements while maintaining a robust security infrastructure. Our industry-standard privacy services include privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, cyber strategy and DPIA, to name a few, delivered by our expert privacy professionals recognized by the IAPP.

Akarsh Singh (CEO & Co-Founder, Tsaaro): Akarsh is a Fellow of Information Privacy by the IAPP, the highest certification in the field of privacy. His expertise lies in data privacy and information security compliance.

Krishna Srivastava (Co-Founder & Head of Cyber Security, Tsaaro): Krishna is an ex-KPMG data security consultant and a Fellow of Information Privacy by the IAPP, the highest certification in the field of privacy. He has vast experience in information security and data privacy compliance.

Krishna Chaitanya (CIPM, CISA, ISO 27001 Lead Auditor, OCP, MCSE): Krishna is an information security and privacy professional with over 16 years of progressive information technology and database experience, encompassing 7+ years of information security audit programs and data protection.

CONTACT US

You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro.

Tsaaro Netherlands Office: Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands. P: +31-686053719

Tsaaro India Office: Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer Ring Road, Bangalore-560045, India. P: +91-0522–3581

Email us: info@tsaaro.com