California passed new legislation that will have a significant impact on organizations across the United States. Here are the most important things you need to know (and do):

10 Big Impact Areas

1) The CPRA takes effect January 1, 2023 with due dates starting January 1, 2022

The CPRA takes full effect beginning January 1, 2023, providing organizations two years to implement compliance measures. However, there is a “lookback” for privacy activities starting January 1, 2022. Further, organizations must submit risk assessments to the state on January 1, 2022. This means there is much work to be done immediately.

 

2) Risk assessments must be submitted to the state on January 1, 2022

Organizations must submit risk assessments to the state by January 1, 2022. The risk assessment is a variation on the GDPR concept of a privacy impact assessment (PIA). Here is a blog post or whitepaper explaining more about PIAs.

Note: CPRA indicates that, similar to GDPR, this requirement will apply to “high-risk” processing. Organizations should still consider, at a minimum, analyzing whether processing activities may be high-risk and completing a preemptive PIA.

 

3) Organizations must complete Independent Cybersecurity Assessments

Organizations must complete independent cybersecurity assessments on an annual basis. While it is unclear what qualifies, California has previously defined a “reasonableness test” that treats the CIS Top 20 as an acceptable minimum baseline. We expect other cybersecurity certifications like ISO 27001/27701 would also qualify. There are some questions as to whether an independent function inside the organization (e.g., internal audit) could fulfill this requirement.

 

4) Organizations must implement more stringent 3rd Party contractual agreements

Business to business agreements must include at least two unique provisions: 1) Agreements must limit the use of data to defined and specified purposes, and 2) Agreements must include a right to audit clause. We expect a large uptick in contractual addendums, similar to the “Data Protection Addendum” under GDPR.

 

5) CPRA Establishes California Privacy Protection Agency (CPPA)

The CPPA is the United States’ first state-level privacy enforcement agency. In other words, the CPRA is likely to have real enforcement.

 

6) Establishes the concept of data “sharing” and specifies new restrictions

The CPRA expands on CCPA to include the concept of “data sharing”. Specifically, this impacts organizations that share user data with other organizations for purposes beyond the original intent of gathering. This significantly reduces an organization’s flexibility in how it uses the data of its user base.

 

7) Limit Use of Sensitive Personal Information

The CPRA defines sensitive personal information, similar to GDPR (including geolocation, genetic data, race, account credentials, identification numbers), and establishes more stringent requirements for this sensitive personal information. Specifically, the CPRA limits the use of data and establishes more stringent notice requirements to customers (for example, notices on websites that data will be collected, how it will be used, and how long it will be retained).

 

8) New Notice requirements at the point of data collection

The CPRA defines notification requirements if data is to be sold or shared. It further requires notices stating that data will be collected, how it will be used, and how long it will be retained.

 

9) Data retention should meet “need-based” limitations

Similar to the concept of data retention limitations in GDPR, CPRA requires that organizations store data no longer than required to meet the intent of the specified purpose. In short, organizations will need to formally document 1) their purpose for data collection, and 2) why they need to retain data for specified periods and how they determine the periods.

 

10) Automated decision making and profiling restrictions

Borrowing from GDPR, CPRA indicates that the CPPA will develop regulations to impose more stringent requirements related to automated decision making and data subject profiling. For example, if an organization is leveraging automation to build customer profiles to drive decision making (such as hiring, lending decisions, etc.), the organization will likely be required to provide transparency into the decision-making process, have manual override processes, and have dispute procedures. Check out our whitepaper on automated decision making.

New Exemptions

1) Exemptions for Small Businesses

CPRA provides important exemptions for small businesses. This refocuses efforts and enforcement on larger organizations capturing data on more than 100,000 households.

 

2) Extends CCPA’s exceptions related to employees, job applicants, and B2B contacts through Jan 1, 2023

CPRA extends existing data exceptions related to employees, job applicants, and B2B contacts. This essentially provides a two-year implementation timeline for organizations to comply with CPRA’s new requirements.

 
