Under the California Privacy Rights Act (CPRA), businesses that collect or share personal information of more than 100,000 consumers must abide by data privacy regulations. Furthermore, businesses making $25 million in annual gross revenue between January and December that derive 50% or more of their profits from selling or sharing that collected personal data must also abide by these same requirements.
Data maps are an integral compliance tool for organizations that collect and process personal data. They enable companies to monitor the flow of that information into, through, and out of their systems as well as identify its purpose and origins.
Data mapping can also be employed to guarantee all personal data is safeguarded and privacy risks minimized. This is especially crucial under the CCPA, which sets new requirements for biometric information, education data, geolocation data, and household information.
Furthermore, the California Privacy Rights Act (CPRA) clarifies what “Sensitive Personal Information” is and gives Californians a new right to limit its use. As a result, organizations must update their data maps in order to capture all SPI correctly and limit its usage appropriately.
Conducting a successful data mapping exercise necessitates organizations to assemble an interdepartmental team from different departments processing personal information. This should include IT, legal, HR, marketing and others who handle consumer data.
Data mapping should encompass all areas that process personal information, and be led by a data protection officer or team responsible for data protection and privacy within the organization. A comprehensive map will enable companies to quickly and completely respond to Data Subject Access Requests (DSARs), fulfilling consumer rights under CCPA regulations.
Businesses without a data map will likely face difficulty complying with the CCPA and may face large fines for violations. As the CPRA’s lookback period extends until January 1, 2022, businesses must be more thorough when responding to DSARs and be able to trace back personal information back to its source.
Automated data maps can improve the quality of privacy disclosures, eliminate errors and make it simpler for organizations to meet their Article 30 documentation requirements. This is especially essential in situations where individuals have requested that their information be deleted.
Data maps are the most efficient way to identify what personal information a company has about an individual, what data it collects from them, where it is stored and for how long. They also aid companies in adhering to data privacy laws like CCPA or GDPR.
Identifying Data-Gathering Locations
With the California Privacy Rights Act (CPRA) set to go into effect in 2023, businesses must take proactive steps now in order to guarantee compliance. This law seeks to safeguard personal information of California residents while giving consumers new rights and safeguards.
The California Consumer Privacy Act (CCPA) was strengthened with the California Privacy Protection Agency (CPPA), giving individuals more control over their personal data. Furthermore, it created a dedicated enforcement agency for this law: the California Privacy Protection Agency (CPPA).
If your business offers products or services to California residents and has annual revenue exceeding $25 million from January through December, then CPRA rules apply. Even if your revenue does not meet this threshold, you can still comply with the law by creating a CPRA policy and submitting an annual risk assessment to CPPA.
In addition, the CPRA requires your business to inform employees of their rights to access, correct and delete personal information. Doing this can help avoid data breaches by making it simpler for workers to comprehend how their data is collected and processed.
For instance, if you collect sensitive personal information like race, ethnicity, sexual orientation and health data from employees, then you must give them a notice at collection that outlines their rights and how to exercise those rights. Furthermore, include a link on your company’s website which permits them to limit the use of their sensitive data to certain purposes.
These requirements are in addition to the rights your employees already enjoy under CCPA. The CPRA enhances those rights with additional requirements like disclosing why you’re collecting their personal information, requesting a copy of that data, and objecting to any use or disclosure of sensitive personal information for marketing purposes.
Therefore, companies must conduct an annual CPRA gap analysis and update their policies to comply with the new law. Doing this gives your organization a head start on compliance while decreasing the chance of regulatory penalties.
Developing a CPRA Compliance Team
California’s Consumer Privacy Rights Act (CPRA), passed in November 2020 and taking effect July 2023, requires businesses to create a CPRA compliance checklist in order to remain compliant. The new law builds upon the California Consumer Privacy Act by giving more rights to consumers by requiring businesses to obtain opt-in consent before selling consumer data as well as granting individuals the ability to delete their personal information.
In addition, the CPRA creates the CPPA Privacy Protection Agency which will enforce the law and offer guidance to consumers. Furthermore, CPRA introduces new categories of sensitive personal data that must meet new disclosure and purpose limitation obligations.
CPRA, California’s comprehensive data protection law, affects all companies located within California as well as those who process personal information of consumers within that state. Therefore, it’s critical to identify any gaps in your current data security practices, review existing policies and procedures, and implement new ones accordingly.
To begin, create a data map and inventory of your Personal Information. Doing this will give you insight into how personal information is collected, used, and safeguarded. Furthermore, having this info helps create more comprehensive yet accurate privacy notices to meet CPRA requirements for data subjects to know what information is collected, where it’s being held, and how it is being shared.
Next, you must identify a CPRA compliance team to guarantee your company adheres to CPRA regulations and that all employees understand their roles and responsibilities. This team should include an expert data governance counsel, data owners, IT and risk managers, as well as subject matter experts.
Additionally, getting top-level management support for your CPRA compliance efforts is a wise idea. Doing so will enable you to allocate the necessary resources and budget for the project.
Under CPRA, businesses must promptly respond to “requests to know” and “requests to be forgotten” from customers. Furthermore, you must honor these requests by offering them accessible opt-outs and private information deletion options. Doing this helps build trust with customers and gives them peace of mind that their personal information is safe with you.
Creating a CPRA Policy
On January 1, 2023, the CPRA comes into force and businesses must ensure their data collection, processing, and sharing activities are compliant with the law. To accomplish this goal, companies must take a systematic approach to preparing for this transition period by addressing key areas of compliance ahead of time.
Under CPRA, personal information is defined as any data that identifies, relates to, describes or can reasonably be linked directly or indirectly with a particular consumer or household. Businesses must inventory all types of data they collect from California residents and determine if any falls under the new definition of sensitive personal information. Those businesses collecting this type of data must ensure it’s only used for its intended purpose and show consumers they have control over its usage or sharing with third parties.
Under the CPRA, consumers have new rights to learn how their personal information is being used and to request deletion (right of deletion), access their data, or opt out of selling or sharing it with third parties. This represents an extensive improvement from CCPA protections which only covered identifying information like social security numbers and driver’s license numbers.
Legal guidelines require you to post this notice at the point of collection and make it accessible for customers. Furthermore, explain how they can benefit from their rights under CPRA such as access, deletion, opt-out of profiling or selling their personal information, and limiting its use.
In addition to the above steps, you should be aware of other CPRA requirements that will impact your firm, such as data portability and a right to correct inaccurate personal information. These changes have been mandated by CPRA and require companies to revise their policies accordingly; doing so ensures full adherence to the law while keeping customers’ personal information secure.