CPRA and the Evolution of Data Compliance Risks

Stephen Cavey


November 2, 2020

Although it has been less than a year since the implementation of the California Consumer Privacy Act (CCPA), Californians will once again vote on consumer privacy laws in the November election. Also known as Proposition 24, the new California Privacy Rights Act (CPRA) aims to enhance consumer privacy protections by clarifying and building on the expectations and obligations of the CCPA.

One of the key provisions of the proposed law is the creation of the California Privacy Protection Agency, a new agency tasked with protecting data privacy by implementing and enforcing the CCPA and CPRA. This agency would be able to levy fines of up to $2,500 per violation of the act or up to $7,500 per intentional violation or any violation involving the personal information of minors.

The law also establishes a new personal information category called “sensitive personal information” and gives consumers the power to limit how organizations use and share it. This category includes Social Security, driver’s license, passport and financial account information, as well as precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about a consumer’s sex life or sexual orientation. If passed, the law would take effect on January 1, 2023, and would apply to all information collected on or after January 1, 2022.

The potential amendment to the CCPA just two years after it was voted into law demonstrates just how quickly the compliance landscape is shifting as organizations collect and share ever more consumer data. In fact, the International Data Corporation currently projects that the amount of data created over the next three years will be more than was created over the past 30. With more regulations anticipated in 2021, compliance is also more complex and critical than ever. So how can organizations proactively prepare for the CPRA and other future compliance regulations?

The Tip of the Data Compliance Iceberg

According to an August 2020 poll conducted by Californians for Consumer Privacy, 81% of voters support passing the CPRA. With the potential to have a lasting impact on the compliance landscape, California has become a testing ground for comprehensive privacy laws. And as the world’s fifth-largest economy, California has set an example for other states and countries to follow. In fact, following the CCPA’s passage, the International Association of Privacy Professionals (IAPP) Westin Research Center compiled a list of proposed privacy bills from across the United States and found 17 common provisions. Among these provisions were the right to access collected or shared data, the right for consumers to opt out, and the right to be notified of a breach.

The CCPA has become a benchmark for organizations looking to achieve compliance, regardless of their location. So far, Maine and Nevada are the only other states that have enacted privacy laws similar to the CCPA, but several states are working through legislation, including New York, New Jersey and Massachusetts. As more states look to pass comprehensive data privacy laws, the challenge for organizations will be understanding the nuances of each law and how they differ from state to state. Organizations that do business internationally must also consider laws like the European Union’s General Data Protection Regulation (GDPR). The compliance landscape is constantly evolving and the penalties for noncompliance are growing increasingly severe. Organizations that have put off larger compliance efforts can no longer afford to take a wait-and-see approach.

In a June 2020 TrustArc survey of 1,500 global organizations, just 14% had completed their CCPA compliance initiatives, 15% had a plan but had not started implementation, and 9% had not started at all. These organizations do not seem to be viewing compliance as an overall business problem—and that is a real danger. The CPRA makes organizations subject to the regulation if they have an annual gross revenue of $25 million or share the personal information of 100,000 or more consumers, households or devices for commercial purposes. This narrows the parameters and makes some companies liable that were not before.

While some of the fines may be considered a drop in the bucket for larger organizations, they could decimate smaller businesses. Especially as organizations look to rebound from the effects of the COVID-19 pandemic, many cannot afford a costly compliance lapse or data breach. As data’s value continues to increase, these organizations need to think of security as an all-encompassing matter that impacts decision-makers, employees, customers and third-party vendors. All of these people and organizations depend on data security, and a data breach or compliance lapse can undo years of trust from consumers and from their own employees.

Prioritizing Data Privacy and Security

As capturing and storing information has become so inexpensive, and today’s economy has become increasingly data-driven, many organizations are willing to hold onto user data without knowing exactly what they will use it for. But now, as consumers and third-party groups force organizations to place a larger emphasis on data privacy, data use and its overall security are becoming ever more critical to business success.

Most businesses with resource constraints find themselves prioritizing revenue-generating activities over security- and compliance-driven initiatives, but due to privacy regulation penalties and compliance maturation, organizations are seeing security’s impact on revenue. Of the 3,950 breaches investigated in Verizon’s 2020 Data Breach Investigations Report, 86% were financially motivated. In addition, personal data was involved in 58% of those breaches, underscoring the true human impact of these incidents. Improving security and compliance is not as simple as hiring a CISO or compliance officer. Gone are the days where sensitive data was limited to Social Security numbers, birthdates and email addresses. It is now about focusing on a broader set of data, understanding how it is collected, and where it is stored, processed and shared across the organization.

Moving forward, it is fair to assume that all new and existing forms of personal information will eventually be regulated in some way. Any organization that collects data will need to be cognizant of what data is collected, from whom, and for what purposes, then make sure there are processes in place to ensure all customer and employee information is stored, secured and managed correctly. While the CPRA only applies to Californian customers, organizations should begin treating every piece of personal data they collect as if it belongs to a California resident. By treating all personal data with the highest level of security, organizations will put themselves in a better position to approach data privacy and security as a business problem, prepare for future regulations and achieve an overall stronger security posture.

The CPRA offers a unique look at how consumer privacy advocacy groups and governments are working together to bring data security to the forefront of enterprise risks and considerations. Unless forced by regulations, businesses often avoid investing in parts of the business that do not drive revenue, and that is the case with the CCPA and CPRA. Instead, organizations should take the CPRA announcement as an opportunity to develop a strong data management strategy that includes full data discovery across their organization and treats all personal information with the highest degree of security.

Stephen Cavey is co-founder and chief evangelist at Ground Labs.