California Privacy Rights Act (CPRA) compliance checklist: What you need to know

As high-profile cases and ever-increasing regulations highlight, we are entering a new age of dealing with data that’s causing companies to rethink everything—from how they collect data to storage, retention, access, disposal, and more. The General Data Protection Regulation (GDPR) set the stage for a new era of data protection and privacy compliance and effectively sparked a regulatory movement, beginning with the hasty passage of the California Consumer Privacy Act (CCPA) in the United States. That trend continued in November 2020 with the passage of the California Privacy Rights Act (CPRA).

Since then, we've seen a four more states pass comprehensive privacy laws: Virginia, Colorado, Utah, and very recently Connecticut. All of the laws give organizations time to prepare their information governance and data retention programs to comply with the laws... but that time is rapidly running out. On January 1, 2023, CPRA comes into effect (as does Virginia's law), with the other ones following in mid- to late 2023.

Failure to comply with this increasingly complex terrain of privacy regulations could result in litigation that is damaging, both reputationally and financially. Companies must develop a defensible approach to data privacy regulations and ensure that their e-discovery preservation and information governance programs are up to par.

THE COSTS OF FAILURE

Organizations’ obligations to manage data—and the costs of failure—are growing exponentially. Just look at recent examples from data breaches. A well-known retailer paid almost $70 million in a settlements with banks, states, and class action suits stemming from a single data breach. LA Tan settled a Biometric Information Privacy Act (BIPA) lawsuit, and now there are more than 200 class action suits.

Organizations with gross revenue in excess of $25 million, that collect personal information of more than 50,000 customers (100,000 or more under the CPRA), or derive more than 50% of their annual revenue from selling California resident information will have to comply. At a high level, it’s important to understand the consumer rights granted by both laws:

For an intentional violation, companies will have to pay $7,500 (if it’s considered an accident, it’s $2,500 per violation) to the state of California. What’s considered a violation is still in question; whether the state decides to take a more expansive view is yet to be seen.

In the event of a data breach in which a company is found to have unreasonably allowed data to be accessed and acquired by an unauthorized party, the law now provides for statutory damages that will range from $100 to $750 per data subject. In cases like this, a single lost laptop with unencrypted data could result in a significant legal risk. And whereas the CCPA as originally passed didn't have specific rules regarding data retention, as the GDPR did, the CPRA will augment the CCPA in creating enforcement around organizational retention standards.

Important CCPA & CPRA Regulations & Details

In August 2020, the California AG's office announced that the CCPA regulations were finalized and in effect. In November 2020, California voters again approved a privacy measure. The CPRA augments the CCPA in many ways, most notably to include data retention provisions. That law becomes effective January 1, 2023. In this section, we'll go over the most important regulatory requirements surrounding those laws.

Consumer Notices

There are four main types of consumer notices that companies are now required to provide. These notices must be easy to read, visible enough to grab the consumer’s attention, accessible to consumers with disabilities, and available in languages that are spoken where an organization regularly conducts business.

Consumer Requests

The CCPA requires that organizations offer two methods for submitting requests. One of those must reflect how the business primarily interacts with consumers (an online form, or toll-free phone number, for instance). If the interaction is typically offline, a paper form may also be necessary. Put simply, the law was designed to make it easy for consumers to request their data, which puts the onus on businesses to make it easy for consumers as well.

A few additional steps were also added to the 45-day timeline period for fulling requests, including clarifying that the organization must confirm receipt of an individual’s request within 10 business days, rather than calendar days (the 45-day fulfilment timeline remains calendar days). Now, organizations must:

There’s a two-year recordkeeping requirement that follows this—companies need to have a well-documented process for reporting and tracking. That way, when regulators come knocking, there’s a paper-trail that proves you’ve been doing right by the statute.

Businesses will no longer have to respond to requests to know if:

That last point in particular makes it even more critical for companies to develop a granular data inventory that incorporates CPRA’s record retention obligations and harmonize with legal hold requirements.

Request Verification

Regulations like the CCPA actually create a greater potential for personal data breaches if the business doesn’t have a tightly-knit process to verify the identity of the requestor. Before a company can give up personal data, they have to be able to verify that the requestor is who they say they are! Otherwise, that’s a boatload of privacy and potential legal issues due to an unintentional compromise of personal data. Therefore, companies must establish, document, and comply with reasonable verification methods.

So what does a reasonable verification method look like? There are a few ways. It could be:

Businesses should also avoid gathering more personal information during the verification process. The statute is saying that gathering more personal information—an address, Social Security number, or other sensitive information—creates more privacy issues when it comes to verification. So verifying using existing information is ideal. And the more sensitive and voluminous the information, the more rigorous the verification process needs to be.

Data Breach Provisions

As we covered earlier, the CCPA’s data breach fines range from $100 to $750 per individual, depending on the parameters of the incident. Given the scope of some data breaches, a single incident can be severely damaging in both monetary and reputational terms.

Expanded Enforcement Under CPRA

The CPRA increases the CCPA’s fines regarding the collection and sale of children’s information (under the age of 16), and establishes a new enforcement agency with authority to issue fines. The California Privacy Protection Agency (CalPPA) will have administrative authority in enforcing privacy laws.

Expanded Consumer Rights

Additionally, consumer rights were expanded to include the compromise of an individual’s email address in conjunction with a security question or password that would allow access to that person’s account.

Data Retention & Minimization Requirements

With the enactment of the California Privacy Rights Act (CPRA), there are now hard requirements concerning data retention and data minimization: Businesses will now see requirements similar to those that EU businesses face under the General Data Protection Regulation (GDPR).

With the CPRA, data minimization is now codified into law; storing sensitive personal data that no longer serves a business use will be a penalty. The California Attorney General will be able to directly enforce the failure to minimize consumer data, regardless of whether this failure leads to other violations of the law. The CPRA essentially breaks this down two ways:

DATA MINIMIZATION: Under the CPRA, any information collected must be “reasonably necessary and proportionate to either the purposes for which it was collected or another disclosed purpose” similar to the context under which it was collected. The individual’s data can’t be used in another way without notifying and receiving additional consent from the consumer.

RETENTION OBLIGATIONS: Whereas the GDPR made a point to focus on records retention, the CCPA didn’t include rules pertaining to the length of time an individual’s data could be stored. Storing too much data is common (and vastly increases liability surrounding data breaches), but now businesses will have to find a way to focus on establishing and enforcing new data retention standards.

Cybersecurity Requirements

While some businesses were already required to have cybersecurity measures in place, those who are subject to the CPRA now must “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosures.”

Third Party/Vendor Requirements

The CPRA obligates companies that are contracted by your organization to “provide the same level of privacy protection” required by the law. If the vendor isn’t able to meet its third party obligations under the CPRA for one reason or another, they can let the contracting organization know about it, which will allow the covered business to “take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.” But essentially, third parties aren’t allowed to sell, share, or otherwise disclose personal information for any purpose other than what’s outlined in the contract.

WHY IS DATA RETENTION IMPORTANT?

Upfront, it is cheap to store data. However, when the organization is involved in litigation or, worse yet, a regulatory agency investigation, all of that ESI is now subject to attorney review for responsive documents—an expensive proposition.

Put simply, data you don’t have can’t be breached, and you don’t have to produce it during litigation. Outside of the CPRA requirements pertaining to retention of personal data, there are two other questions to consider:

Leveraging proven retention methods and enforcement models is the most effective way to dispose of unnecessary records and data, while meeting regulatory obligations to avoid unnecessary risks.

You Can’t Afford to Over-Retain Data

The most egregious CPRA violations will hit companies that have over-retained data, which means that having an enforced data retention and deletion program is no longer optional. Most companies vastly over-retain records and information, and an average of 75% of that information contains some form of personal or sensitive data.

As we covered in the prior section, data retention is now codified into California Privacy law. Organizations now face a much heavier regulatory hammer should they experience a breach; not only will fines add up based on the number of data subjects exposed, but also for retaining data beyond its stated business use. Organizations must be extra diligent to ensure that they've established and are enforcing retention standards that are in line with the CPRA.

Preparing for compliance must be a priority CPRA preparation reinforces other Legal Governance, Risk and Compliance (GRC) objectives at your business that relate to data privacy and data management.

Use the following checklist to determine whether your business is affected by the CPRA, and to build action items that move the organization toward compliance.

ARE YOU REGULATED BY THE CPRA?

If you said “yes” to any of these bullets, you’re regulated by the CPRA.

UPDATES TO DATA MANAGEMENT REQUIREMENTS & DATA DISCLOSURES

Establish whether you store the following data:

Ensure the data is used only for disclosed purposes

Ensure that your business has the capacity to respond to a privacy audit

OPT-IN & OPT-OUT INFORMATION

Download the checklist today!