On March 29, 2024, the California Privacy Rights Act (CPRA) will come into effect, marking a new era of data privacy requirements for businesses operating in California.
The CPRA aligns California’s data privacy regulations more closely with the European Union’s General Data Protection Regulation (GDPR), putting stringent expectations on companies regarding how they collect, use, and protect personal data.
With the deadline for enforcement drawing closer, we’ll look at the actions businesses must take to meet compliance quickly.
Here’s what you need to know.
California Privacy Rights Act (CPRA) overview
The CPRA builds upon the rights given to consumers by the CCPA, introducing several new measures, including:
- The right to opt out of the sharing of personal information, which encompasses any communication of a consumer’s personal data to a third party for cross-context behavioral advertising purposes.
- The right to opt out of certain uses and disclosures of “sensitive personal information.”
- The right to correct inaccurate personal information held by businesses.
- The right to receive enhanced transparency regarding a business’s information practices, including details about data retention periods.
- New rights regarding the use of automated decision-making technology, including profiling.
- Additional rights granted to company employees concerning data collection, use, correction, and deletion of their personal information.
Who does the CPRA apply to?
For-profit organizations operating in California that meet one of the below criteria must comply with the CPRA:
- They generate yearly worldwide earnings surpassing $25 million dollars.
- Half of their global annual gross revenue comes from the gathering and selling of personally identifiable information, either in or outside of California.
Penalties for noncompliance with the CPRA
The CPRA comes with steep fines for non-compliance. Violations deemed accidental will incur fines of up to $2500 per violation, while intentional violations can cost up to $7500 per violation.
Note that ‘per violation’ means per individual record. In the case of a data breach impacting thousands of individuals, this could mean a huge cost in the hundreds and thousands of dollars.
How to become CPRA compliant
The CPRA requires organizations to have deep visibility and control over the customer and employee information they collect, access and store. In order to meet compliance, companies must therefore take a robust approach to data management and follow the below steps.
1. Data mapping
Data mapping is the foundation upon which you’ll build your CPRA compliance strategy. While it can be performed manually, taking this approach is time-intensive and error-prone. Tools exist to automate the process of discovering regulated, sensitive and high-risk data. Read more on building a data mapping strategy in our guide.
2. Data classification
Data classification involves categorizing data based on its type, sensitivity, metadata, and perceived organizational value. It enables organizations to:
- Reduce the risk associated with data alteration, deletion, or theft.
- Adhere to industry standards like the CPRA.
- Implement effective data access controls and establish data protection policies.
- Enhance visibility and control over the data across the organization.
Data classification can be achieved through either manual or automated methods. Manual classification requires people to manually look through and tag sensitive data. In most organizations, the sheer amount of data out there makes this approach unfeasible.
A better idea is to lean on automated classification, which uses artificial intelligence to streamline the process. These solutions use natural language processing and file parsers to identify sensitive information in various content forms.
3. Data protection
Data classification represents your compliance policies. Data loss protection (DLP) puts these policies into action. These tools work by scanning your digital environments for sensitive data in real-time. Once they’ve identified sensitive information, DLP monitors this data continuously to prevent compliance violations.
For example, if an employee attempted to share customer information with an unauthorized third party, the DLP tool would automatically block the action and file a report for your CPRA logs.
While legacy DLP tools created false alerts and blocked users incorrectly, newer DLP solutions harness natural language processing (NLP). This branch of AI boosts the accuracy and precision of DLP, making for a highly reliable compliance tool that requires little need for human intervention.
Moreover, the best of these tools combine proactive data protection with real-time compliance training. When a compliance violation is blocked, the tool will also educate the end user on why their action was risky through an automated prompt. This reduces the likelihood of repeat offenses.
Get CPRA compliant today
The pressure is on for organizations to elevate their data protection strategies before the CPRA comes into force. While gaining visibility and control over data takes time and resources, the return on investment is invaluable, helping companies to avoid costly fines, win customer trust and boost supply chain credibility.
Moreover, the CPRA is just one of many state data privacy laws coming into effect in the coming months and years. By taking proactive action now, organizations will put themselves in an excellent position for the future.
Find out more about how next-generation DLP can help you supercharge CPRA compliance today.
