Proposition 24, also known as the California Privacy Rights Act (CPRA), went into effect in January. Passed by California voters in November 2020, the CPRA increases consumer data privacy protections under the California Consumer Privacy Act (CCPA) by giving consumers the right to correct inaccurate personal information that a business has about them. It also allows consumers to limit the use and disclosure of sensitive personal information collected about them.
This has heavy implications for enterprise businesses, as the CCPA applies to any “legal entity that collects consumers’ personal information, determines the purposes and means of processing consumers’ personal information, and conducts business in the State of California.” To fall under the scope of the CCPA, organizations must either earn more than $25 million in annual gross revenue, derive at least half of their annual revenue from selling consumers’ personal information, or buy, receive, sell, or share the personal information of at least 50,000 consumers, households, or devices on an annual basis.
Organizations have an imperative to stay ahead of changing laws like the CCPA, but safeguarding consumer privacy can vary widely depending on where you operate, the type of data you collect and share, where your consumers are located, and more. Read on to learn how you can leverage state and local guidance alongside existing technology solutions to maintain a secure and compliant infrastructure.
Understanding Consumer Privacy Through the Lens of CCPA
According to Thomas Reuters, regulatory bodies release more than 250 compliance updates every day. So it makes sense that 25% of organizations don’t understand which regulations apply to them or what they need to do to achieve compliance. And while specific requirements can vary depending on the law, the CCPA is a great place to start when trying to understand how consumer privacy is growing and changing in the US.
The CCPA, along with the CPRA, grants consumers six key rights.
- The right to know: Consumers are entitled to know what personal information a business has collected about them and how that information is being used and shared.
- The right to delete: Consumers may request that businesses delete any personal information that has been collected, with certain exceptions.
- The right to opt out: Consumers may opt out of the selling or sharing of their personal information.
- The right to nondiscrimination: Consumers may not be discriminated against for exercising their CCPA rights.
- The right to correct: If a business has collected, stored, or shared inaccurate personal information, consumers may request that businesses correct that data.
- The right to limit: Consumers may limit how sensitive personal information, like their Social Security numbers, or precise geolocation data is used and disclosed.
The CCPA also establishes certain obligations for businesses. For example, businesses must disclose their practices around personal information either before the data is collected or at the point of collection. Businesses are also required to respond to consumer rights requests within 45 days. However, they may extend this response time by 45 days as long as they notify the consumer. Additionally, under the CPRA, businesses must conduct regular cybersecurity audits and privacy risk assessments as well as minimize the amount of data they collect and retain.
Leverage Defense-In-Depth To Improve Data Security, Compliance
Regulations like the CCPA can quickly become overwhelming. Taking a proactive defense-in-depth approach to data security and compliance ensures that organizations have multiple layers of built-in protection throughout all phases of the design, development, and deployment of any security platforms and technologies.
When it comes to data security and compliance, there are four core stages that organizations should be aware of:
- Discovery: Organizations must understand how much data they have, where that data exists, and what kind of information is captured in that data.
- Protection: Once all data has been mapped out, companies can apply sensitivity labels, encrypt data, and enact additional safeguards to secure data against outside threats.
- Risk management: Automated security alerts and multifactor authentication can be used to secure data against insider risks.
- Loss prevention: Finally, companies can leverage AI-driven data loss prevention policies to ensure they don’t overshare sensitive information.
As consumer data privacy continues to evolve, now is the time to establish robust data retention and deletion strategies. Organizations must act quickly if they want to prepare employees for incoming “right to know” requests, while also mapping out consumers’ personal and sensitive information and conducting businesswide risk assessments.
