In the General Election in November, voters in California approved the California Privacy Rights Act (CPRA) – and every IT leader should pay attention. The new regulations amends the CCPA and give that already strong law even more teeth. In particular, the CPRA expands consumer rights, expands definitions of what types of data consumers can ask to be deleted or corrected, and expands the security responsibilities of IT teams and managers of IT asset systems.
Collectively, the amendments put in place by the CPRA will increase the risks of IT asset management and force many teams to prioritize updating their ITAM, SAM, MDM, etc. technologies to better comply with CPRA mandates. The law’s new provisions do not come into effect until January 1, 2023 but forward-thinking IT organizations should consider the impacts and begin planning for proper compliance.
Here’s a quick rundown of what IT leaders need to know about the CPRA and why it will likely mean they need to improve their IT audit processes.
Altered scope of covered “Businesses”
The CPRA changes the three threshold requirements for affected “businesses” that collect consumers’ personal information.
- Collect gross revenues of $25 million or more across all geographies. This clarifies previous confusion over whether that number included only California.
- Increases number of consumers or households for whom an entity buys, sells or shares information from 50,0000 to 100,000. This means fewer businesses will be affected.
- Covers revenues from either selling or sharing personal information, amounting to half of their annual revenue. This introduces some real ambiguity because the definition of revenue from “sharing” remains unclear.
New category of “Sensitive Personal Information”
The CPRA introduces a new category of personal information denoted as “sensitive personal information.” This category counts many data elements such as a consumer’s identification numbers (e.g., driver’s license numbers, Social Security number, etc.), account log-in credentials, precise geolocation, racial and ethnic information, financial information, personal communications, biometric data, genetic data, health information, and information about sexual orientation.
Enhanced consumer rights
The CPRA awards consumers new rights to limit the use of Sensitive Personal Information, giving them opt-out superpowers.
- Businesses must limit use of this information to only that which is necessary to perform services or provide goods for which the customer is paying. Covered companies will need to apply a “Limit the Use of My Sensitive Personal Information” link on their site.
- CPRA also gives consumers stronger rights to correct inaccurate personal information. If a business, for example, is purchasing consumer information from a credit bureau and it contains errors, the business must be prepared to correct that information in a timely fashion.
Stricter security requirements
This is the hammer that could power more class-action lawsuits. The CPRA introduces stronger requirements for covered businesses to put in place “reasonable security procedures and practices” in order to safeguard personal information. Crucially, the CPRA mandates that third parties, contractors, service providers and contractors provide the “same level of privacy protection” as the covered business. This means that any business covered by the CPRA must also assume the liabilities and risks posed by those doing business with it. The CPRA also puts in place new enforcement and liability measures that will make it easier for consumers affected by security breaches to seek financial damages in court. To add teeth, the CPRA creates a new dedicated agency, the CalPPA, to implement audit, and enforces the CCPA.
Conclusion: The CPRA increases the importance of IT audits and compliance
The CPRA definitely ups the ante with regard to security, privacy and data protections. By extension, it puts additional pressure on IT asset management to provide updated and accurate information on asset ownership, location and status. Further, CPRA affords consumers broader rights to demand that their data be correct or deleted no matter where it resides in the IT portfolio. Most crucially, the CPRA puts additional security responsibilities on IT security teams and simplifies the path to litigation should the CPRA be violated – even extending out to partners and third-parties.
The upshot of these changes is that, if you were thinking that you needed to upgrade your IT management systems to an Enterprise Technology Orchestration system to gain a more accurate picture of your IT estate, the CPRA increases the penalty for not doing so. You can get a more detailed rundown of the implications of CPRA from this excellent Jones Day article.