The CCPA, the California Consumer Privacy Act, has been legally enforceable since July 1st of last year. It is the first significant privacy law in the US pertaining to consumer control of personal data. And, even though it hasn’t even been a year since official legal enforcement of the CCPA started, Californians have already voted for the follow-up act, called the California Privacy Rights Act (CPRA).
So, why are these CCPA modifications significant, and how does the CPRA differ from the CCPA? More importantly, how will the changes to the CCPA affect data privacy enforcement? On this page, we’ll discuss all of the new amendments to determine how the CPRA changes the CCPA.
What is the New California Privacy Law (CPRA)?
In November 2020, the new California Privacy Rights Act was approved by voters 56% to 44%. Although the existing CCPA legislation was supposed to help the state pass a stricter privacy law, the new law brings about more stringent legislation, closer to the GDPR than the existing CCPA.
The main goal of the new regulations under the CPRA is to toughen privacy requirements and to reduce the overall risk left open by other provisions of the previous law. The new legislation will go into effect on January 1st, 2023, and legal enforcement will begin six months after that. This means that from this point, businesses have two years to prepare for the new legislation.
CPRA vs. CCPA. What is the difference?
There’s a common misconception in the public that the CPRA is an entirely different law, which isn’t the case. The main difference between the old version and the new one is stronger consumer protection and more precise compliance requirements for businesses. With that in mind, this new legislation is an expansion of the existing law. To comply with the CPRA, companies will have more responsibilities than they had under the CCPA.
The CPRA is often looked at as the CCPA 2.0. However, if you’ve had the chance to read through the rules and guidelines, you’ll also notice that this legislation draws close similarities with the General Data Protection Regulation (GDPR). It features similar elements that you can find in the GDPR compliance guidelines, although the CPRA requirements and definitions are a bit broader.
Differences aside, the crucial similarity between the two that everyone should take note of is that compliance isn’t limited to the state of California. It extends worldwide and covers every California resident, regardless of their exact location at the time. If your website doesn’t block California residents from accessing it, compliance is required.
CPRA enforcement and penalties
Another significant change is the introduction of the California Privacy Protection Agency (CalPPA), an independent watchdog organization established by the CPRA. The primary mission of the CalPPA is to ensure businesses and consumers are well informed about their rights and obligations under the CPRA provisions.
The CalPPA will replace the attorney general’s office as the main regulatory body overseeing the implementation of the CPRA rules. As for the penalties, they will be tripled for violations regarding minors under the age of 16 (penalty increased to $7,500). Moreover, consumers’ private right of action will be expanded to cover breaches of an email address in combination with a password and security question and answer that would permit access to the account.
While all of this might seem overwhelming to take in for the average business owner, companies that have already prepared for the previous law will feel a minimal impact from the new CPRA privacy rules and guidelines.
Businesses that are already in compliance with the previous requirements, especially with the GDPR, won’t have to make any significant changes. On the opposite side of the spectrum, companies that haven’t implemented any changes as of yet will have a tough road ahead of them.
The most significant alteration businesses will have to make revolves around the minimization of personal information. Under the CPRA, companies will also have to meet more stringent data-sharing requirements. They must offer their California customers the opportunity to opt out of having their personal information sold to third parties. Of course, this stringent data policy will also result in extra data-collection costs for businesses.
Tips to Become Compliant Under the CPRA
When news of the CCPA modifications first dropped, many businesses were disturbed by the perceived significant changes to the original CCPA compliance requirements. And, while new legislation brings big and significant changes, these changes aren’t necessarily bad.
Businesses that have previously undertaken the necessary CCPA compliance steps are in an excellent position to comply with CPRA requirements as well. Here are some tips that will help you ensure CPRA compliance:
- Identify All Sensitive Personal Data - The new CPRA rules introduce a new term, “sensitive personal information”. This is a very broad term that covers almost all identifiable personal data you hold, including genetic and biometric data.
- Enforce a Stronger Deletion Policy - The amendment requires all businesses to delete their users’ personal information after it has served its purpose. Aside from ensuring CPRA compliance by regularly deleting data, you’ll also be protecting your business: the less data you hold, the less you can lose if a security breach occurs.
- Review Third-Party Agreements - The new legislation also puts a strong emphasis on the data privacy obligations of contractors, service providers, and other third parties. The most significant of these obligations requires that all sales, shares, and disclosures of personal information are made pursuant to a contract.
- Identify Whether There Are New Exceptions - Aside from the CPRA compliance tips above, there’s one more thing to keep in mind. The new law adds partial exemptions that weren’t included in the previous one. These include certain exemptions for household data, educational and test records, and other specific personal data.
- Implement MFA for Logins - The CPRA rules particularly highlight login credentials. The best way to address this change is to implement multi-factor authentication, so that a stolen login credential on its own does not grant access to the user’s account and personal data.
Get ready for CPRA with Hideez
Despite concerns that the CPRA might be too robust and complicated to comply with, it does provide a reliable mechanism that can keep businesses in control and safeguard sensitive user information. It is a welcome regulation that will undoubtedly help improve global cyber resilience in the future, and Hideez can help you with CPRA compliance.
Our cybersecurity experts developed a comprehensive authentication solution for enterprises that can ensure much stronger information security, plus internal and external policy compliance for businesses in all industries.
Hideez FIDO hardware tokens can streamline the MFA process and provide a passwordless login experience for employees. With the press of one button, they can enter one-time passwords automatically, without the need to take out their phones, run applications, find their accounts, and endlessly type passwords. In addition, one Hideez Key can store up to 1,000 passwords, lock and unlock PCs with a proximity sensor, and open RFID-enabled office and other doors, going well beyond possession of a second factor and providing an all-in-one digital key for employees.