The California Privacy Rights Act (CPRA)—a more stringent update of the California Privacy Protection Act (CCPA)—goes into effect January 1, 2023, adding in employee data and business-to-business data under its scope of privacy protection.
A panel of practitioner experts breaks it all down in our recent Remote Sessions webcast, "Countdown to CPRA: What Information Security Professionals Need to Know Now," now available on-demand.
A few other key notes: the CCPA remains in place and updates to its regulations go live January or February 2023; and on July 1, 2023, civil and administrative enforcement will begin, including the period from Jan. 1 on.
Scott Giordano, General Counsel and VP of Corporate Privacy at Spirion, leads the discussion, which includes:
- A comparison of the CCPA and CPRA with other state privacy protection regulations, including the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Protection Act, and Utah Consumer Privacy Act
- Describing the dual-enforcement aspect of the CPRA and CCPA, with the California Attorney General and California Consumer Protection Agency having oversight and enforcement power
- How penalties are assessed and how much each penalty assessment is
Tim Moran, CIO/CTO and Founder of Media, Entertainment & Technology, provides great insight into what cybersecurity professionals can and should be doing to meet the requirements of the old and new legislation, including:
- Multi-factor authentication (MFA): Network Software as a Service Messaging, Cloud, VPN and any administration access, single sign-on
- Training for employees (awareness)
- Privacy training, specifically
- Well documented policies and standards for employees (data handling)
- Enterprise endpoint protection and remediation (anti-malware, anti-virus software)
- Endpoint encryption for all laptops
- Intrusion detection and response
- Cyber insurance (critical)
- And more (listen in for the full list)
"I think the real problem here, the big challenge for businesses, is going to be around data governance," Moran says.
He described a common scenario in which a consumer goes to a company website and provides personal information for a purchase or inquiry for more information. That data then goes through marketing and other avenues within the business, so how does the business track all the movement of that data, and when it comes to deleting that data (especially if the customer requests them to do so), how does the business ensure complete deletion of that data occurs?
Veronica Torres, Worldwide Privacy and Regulatory Counsel at Jumio Corporation, says retention of data is an important aspect to consider and one businesses can often forget. There is no reason for a business to keep consumer data for 25 years, so it must think about what is reasonable and "where you don't need it anymore, delete it," she adds.
Torres also reviews access and deletion requests, which includes a consumer's "right to know" what is being done with their data, and the introduction under CPRA/CCPA of a new right to "data deletion."
Also joining the webcast panel is Orson Lucas, Principal at KPMG, who underscores some key areas businesses should focus on and prioritize with the looming deadline for the CPRA:
-
Focus on clear visibility into your data environment, which includes data mapping and data discovery.
-
Deploy technologies and tools that help you scale data management in a manageable way.
-
Pay attention, as Torres said, on data retention schedules to determining what data you are retaining, why, and for how long.
Watch the webcast for the complete list and more details, as well as to earn CPE credit for taking in the entire session.
