Understanding the CPRA: Protect Sensitive Personal Information and Maintain Compliance
by Aware
The CCPA/CPRA is a set of regulations designed to give California residents more control over their personal information and over how businesses may collect and use it. The California Consumer Privacy Act of 2018 laid out the initial requirements, and the California Privacy Rights Act, passed by voters in 2020, amended and expanded the CCPA. In this article, we’ll discuss these regulations and the responsibilities businesses have to consumers under the CCPA/CPRA, including consumer rights and required privacy practices.
Contents
- What is the California Privacy Rights Act (CPRA)?
- What qualifies as “sensitive personal data” under the CPRA?
- Why do businesses need to protect personal information?
- Challenges with protecting sensitive personal data
- Ensure CPRA compliance with Aware
What is the California Privacy Rights Act (CPRA)?
The landmark law began with the CCPA in 2018, securing more robust privacy rights for consumers in California. The basic pillars of the law are centered on consumers’ consent and include:
- The right to know: Consumers have a right to know exactly what personal information a business collects about them, and how that business uses and shares that data.
- The right to delete: Consumers have a right to have their information removed from a business’s databases at their discretion (with some exceptions).
- The right to opt-out: Consumers can opt-out of the sale or sharing of their personal information by the business.
- The right to non-discrimination: If a consumer exercises any of these rights under the CCPA, they have the right to not be discriminated against by the service providers.
In 2020, additional privacy protections were voted into effect under the California Privacy Rights Act (CPRA), amending the CCPA. They include:
- The right to correct: Consumers have a right to have inaccurate personal information corrected.
- The right to limit: Consumers may limit the use and disclosure of their sensitive personal information.
Organizations that are subject to the CCPA/CPRA must respond to consumers who exercise these rights, and must deliver notices explaining their privacy practices. The CPRA is not a whole new law but an amendment to the existing CCPA, so the two are often referred to as one law, or as the CCPA/CPRA.
The CPRA also established the California Privacy Protection Agency, an enforcement administration with the power to implement and enforce the CCPA as needed.
What qualifies as “sensitive personal data” under the CPRA?
The following categories are qualified as “sensitive personal information” under the CPRA:
- Government identifiers: Government-issued identification numbers such as social security numbers, driver’s license numbers, state identification card numbers, or passport numbers.
- Account information: Account log-in credentials, financial account numbers, debit or credit card numbers, security codes, access credentials, passwords, etc.
- Geolocation data: Information such as IP addresses, GPS location data, RF data, and Exchangeable Image File Format (EXIF) data, which can yield geographic coordinates that determine a physical location.
- Racial or ethnic origin or immigration status.
- Philosophical or religious beliefs.
- Union membership.
- Consumer correspondence: Such as mail, email, and text message contents (unless the business is the intended recipient of the communication).
- Biometric or genetic information: Data that can uniquely identify a consumer.
- Personal information concerning a consumer’s health, sexual orientation, or sex life.
More broadly, information that identifies, links to, or could reasonably be associated with a consumer or their household, including their preferences, characteristics, and behavior, falls within the categories of personal information.
The CPRA gives consumers the right to limit the use and disclosure of their sensitive personal information to what is necessary for a business to provide its goods and services. Businesses must provide a clear link on their website homepage, labeled “Limit the Use of My Sensitive Personal Information,” where consumers can click to exercise this CPRA right.
Why do businesses need to protect personal information?
There are several crucial reasons sensitive personal information must be protected.
- Trust and customer loyalty: Not only does protecting sensitive personal data help build and maintain trust with customers, but it also safeguards their data in the event of a breach, protecting consumers from identity theft. Consumers are also more likely to engage with companies that protect their information, which fosters positive relationships.
- Legal compliance: Data protection is required by law. Beyond the CCPA/CPRA, other regulations include the General Data Protection Regulation (GDPR) in the European Union, HIPAA, HITRUST, PCI DSS, and more. Organizations that operate within the regulatory framework of data privacy laws avoid the legal penalties that come with violations.
- Minimizing risks and costs: Effective data protection minimizes the risk of data breaches, which can result in fines, legal fees, and the expense of resolving the breach. Businesses may also face significant financial losses from business continuity disruptions.
- Reputation management: When data breaches occur, an organization’s reputation suffers and it loses consumers. Robust data protection measures help prevent breaches and minimize the negative publicity that results from mishandling consumers’ sensitive data.
If a breach occurs, the consequences may be severe.
- Penalties and fines: Non-compliance with data protection laws can mean hefty fines for the organizations responsible. CCPA/CPRA penalties are capped at $7,500 per intentional violation and $2,500 per unintentional violation. That may seem low, but a single piece of consumer data can constitute a single violation. In a data breach where thousands of data points are compromised, the penalties can quickly grow large.
- Lawsuits: Individuals or groups affected by breaches may file lawsuits against businesses that do not protect their data. These legal actions can become expensive and time-consuming, as well as damaging to a company’s reputation.
- Operational disruptions: In some cases, data breaches cause business continuity problems while the source of the breach is contained. Productivity lost during this time is costly, as are the additional expenses of data recovery and potential system repairs.
- Loss of consumer trust: Breaches can lead to clients canceling contracts or consumers deciding to shop elsewhere, where their data may be more secure. If enough of a company’s business leaves for more secure pastures, it can be detrimental to the business as a going concern.
The consequences of failing to properly safeguard sensitive personal information can be significant, well beyond the CCPA/CPRA penalties themselves. While these regulations are intended to shield consumers’ personal information, they also give businesses a way to reassure customers that they operate securely and ethically.
Challenges with protecting sensitive personal data
Protecting consumers’ sensitive personal information is a complex undertaking, particularly in today’s fast-paced digital landscape. These are some common challenges organizations encounter when working toward compliance.
Lack of awareness of personally identifying information (PII)
Many businesses struggle with gaining complete oversight of the PII they possess, including where it’s stored and how it’s used. Lack of visibility can leave gaps in PII protection.
Cloud migration complications
Businesses may lose track of or access to data they’re migrating, resulting in:
- Incomplete data transfers.
- Orphaned data in legacy systems.
- Inconsistent security measures between on-premises and cloud systems.
High volumes of data
The volume of collected data can grow exponentially. The challenges this presents include:
- Implementing security measures across all data sets.
- Efficiently managing and monitoring the data.
- Properly classifying and handling the data.
Poor data governance practices
With large data sets and high storage volumes comes difficulty overseeing data governance, which can lead to:
- Inconsistent data mapping between departments.
- Insufficient quality controls of the data.
- Lack of clear roles and responsibilities for data management.
Insecure data sharing in communication platforms
Many businesses use collaboration tools to unify diverse workforces. Communications in these tools can involve data sharing that doesn’t adhere to the organization’s acceptable use and data security policies. This results in:
- Accidental exposure of sensitive information.
- Difficulty tracking and controlling data flow.
- Greater risk of data leaks through unsecured channels.
Evolving regulations
As the digital world evolves, so do the data protection regulations that govern it. Keeping up with regulatory changes across many jurisdictions can be a challenge, particularly for organizations that operate globally. Continuing employee education can help mitigate exposure, but it’s an ongoing process.
Insider threats
Every employee and contractor with access to PII and other sensitive data is a potential point of breach or exposure, whether through malice or negligence.
Third-party risk management
Keeping data secure when contracting with vendors and external partners who have access to sensitive data can be a challenge, particularly when access involves multiple devices.
Balancing security with usability
Implementing strong security measures while maintaining user-friendly systems and workflows is a constant challenge for many organizations. Information security officers must balance their data protection measures against usability, since overly restrictive controls drive users toward shadow IT.
Addressing these challenges requires a multi-faceted approach to data protection, including regular employee training, technological solutions, and a workplace culture of security awareness.
Ensure CPRA compliance with Aware
Aware offers real-time compliance monitoring for complex collaboration ecosystems, closing the gaps many legacy platforms leave open. Organizations can support CCPA/CPRA compliance with Aware through robust information governance, monitoring from a centralized platform, and NLP and federated search to support internal investigations.
With Aware’s data governance and compliance monitoring solutions, companies can maintain ongoing compliance with data-sharing practices that:
- Integrate with your existing collaboration tools without impacting end user experience.
- Save time and resources with proprietary AI/ML models that ensure fewer false positives, reducing alert fatigue.
- Allow IT and security teams to customize rules and policies to track violations.
- Automatically address violations with real-time employee coaching.
- Preserve the content surrounding a policy trigger so you can understand the full context.
- Use role-based access controls (RBAC) and audit trails to prevent violations.
- Help limit and lower reliance on shadow IT solutions.
By partnering with Aware, you can ensure your data security meets all CCPA/CPRA and other necessary regulations. Request a demo to get started today!