4 Guiding Principles to Prepare for CPRA Compliance

Payam Vaghefi 

December 5, 2022

As enterprise risk management leaders take stock of the year ahead, the raft of imminent new privacy laws and regulations present a risk that organizations simply cannot afford to ignore. 

On January 1, 2023, the California Privacy Rights Act (CPRA) will officially go into effect, expanding the rights of consumers over how their private data can be used and, in turn, intensifying the compliance obligations for businesses that operate in the state or have customers who are residents. While it is not the only state law coming into effect in the new year, it merits particular attention as it has the broadest impact. 

The CPRA can be thought of as a “version 2.0” of the landmark California Consumer Privacy Act (CCPA). In 2018, the CCPA enshrined many of the same privacy rights for California residents that the General Data Protection Regulation (GDPR) conferred on individuals in the European Union. In addition to expanding the scope of the CCPA, the CPRA also adds some teeth to its enforcement action via the establishment of the California Privacy Protection Agency, which puts California—the fifth largest economy in the world—on par with the EU as the standard bearer of consumer privacy protection.  

From GDPR to CPRA: New Rights Engender New Risks 

The United States was once considered a privacy laggard by its European counterparts, and while it still lacks a comprehensive federal data privacy law, the passage of the CPRA demonstrates that a growing number of state legislatures are pushing ahead with their own data privacy frameworks. 

Since coming into force in May 2018, the GDPR has remained one of the world’s most comprehensive data protection laws and has served as a standard for the crafting of many of the privacy and data protection laws in other jurisdictions, including the CCPA and the CPRA. While the scope of the GDPR applies to “data subjects” who are in the European Union, any company with business or operations in the EU has found itself subject to the law and facing potentially significant risk exposure.

As expanded by the CPRA, the CCPA endows consumers with specific rights, including the right to access their personal information, the right to have certain of their personal information deleted upon request, the right to correct or cure inaccurate information, rights of data minimization and purpose limitations, and the right to opt out of certain uses of their personal information. 

Businesses that have run afoul of GDPR and the CCPA have come to appreciate that the penalties of noncompliance can be significant. While large fines have become almost commonplace in the EU, California’s attorney general issued the first CCPA fine in August. The state fined cosmetics retailer Sephora $1.2 million for violations including failure to clearly disclose certain uses of personal information, and failure to allow customers to opt-out.

The CCPA and CPRA grant individuals and employees the ability to request to access, modify or delete the personal data that a company holds on them. This creates significant potential operating overhead and cost. Simply processing these requests manually can be an expensive proposition, with Gartner estimating that it costs an average of $1,400 to respond to a single request. 

Beyond the risk of financial penalties, there is also the reputational harm that can come from a data protection violation. While these damages can be hard to quantify financially, they represent a very real and potentially existential risk to the business as customers may well consider taking their business elsewhere if they find out that their personal information was significantly mismanaged.

Preparing for CPRA Compliance 

Whether your organization has already built out a mature privacy program or is just getting started, consider these four guiding principles to ensure compliance with CPRA and other data privacy regulations to come: 

1. Compliance Begins with Real-Time Data Mapping. Think of data mapping as the backbone of your privacy program. A robust data mapping capability serves as your data inventory and describes what items of personal information are held and processed, and where those activities take place within your systems. An accurate and comprehensive data mapping process enables an organization to respond more efficiently to individuals' requests to access, correct or delete their personal information, and can help facilitate a prompt response during a data breach incident since the organization can quickly determine where its data is and what might have been compromised. Without an evergreen, real-time data mapping capability, all it takes for a firm to be unable to fully comply with a CPRA rights request—or to have a much more difficult road in responding to a data incident—is for an employee to store individuals' personal information in an unexpected location.

2. Aspire to be Data-Driven Instead of Human-Driven. Because data is being generated and replicated at such a rapid pace, it is simply not possible to maintain an accurate and up-to-date record of where all your data lives without some level of automation and real-time integration with other systems where personal information is stored. Just as other key operational functions have worked hard to unify disparate data sets into a “single source of truth,” risk leaders will require a similar ability to ingest and consolidate their data records and risk metrics so they can analyze and report on it in a timely and systematic fashion.  

3. Do Not Ignore Unstructured Data. Much of the data companies collect is derived from interactions between people or is put into computer systems where it is not in a field or location that clearly identifies its nature, such as in a "general" or "comments" area of a record rather than a "name" or "address" field. This is referred to as "unstructured data," meaning data that is not already categorized, analyzed or stored in a specifically structured database location. Whether it is videos, audio files, emails, PDFs or conversations via messaging apps, the sheer volume and growth of unstructured data represents another daunting challenge for risk and governance teams: identifying, locating and furnishing the data for a request within the mandated time frame will require a mature workflow that works in concert with a computer-aided or automated data discovery capability.

4. Implement a Training Program on CPRA Responsibilities. According to a 2021 Osterman Research survey, more than half of respondents reported not yet having a training program in place to ensure that employees are equipped with the tools and knowledge to comply with CPRA requirements. Building a mature data practice begins and ends with the people who are entrusted with managing the data. As such, they need to know both what they are allowed—and not allowed—to do with personal information within the framework of the CPRA, and how they can manage those uses in practice. Understanding their responsibilities also allows teams to assess whether appropriate technology needs to be procured, and how to adjust implementation to facilitate compliance.  

Just as the GDPR has done for individuals in Europe, laws like the CPRA are already helping to raise consumer awareness around data privacy. Increasingly, American consumers will choose to do business with those brands that have demonstrated they can be trusted stewards of customers’ private information. As we approach the January 1 CPRA implementation date, risk leaders will need to understand the changing regulatory landscape for how personal information can be used, stored and managed so they can properly prepare for the CPRA's requirements and those of other state or even federal laws on the horizon.   

Payam Vaghefi is a vice president at data management software firm ActiveNav.