Following approval on 3 November 2020, the California Privacy Rights Act (CPRA) will officially replace the current California Consumer Privacy Act (CCPA) on 1 January 2023. It brings California much closer to the European GDPR standards, introducing substantial new requirements for firms with operations or customers in The Golden State.
As with GDPR, it’ll be those who ready themselves earlier that’ll be best positioned to succeed and gain a competitive advantage. When GDPR was introduced in Europe, too many organisations left vital preparation too late, resulting in a mad and costly rush to become compliant, distracting from everyday operations – and leaving customers and suppliers questioning the competency of these organisations.
So, while the change seems a long way down the road, it’ll be those who set off early who’ll be able to integrate delivery into business as usual rather than costly project work. This will lower implementation costs and enable them to steal a march on the competition. And prompt fulfilment will better protect their consumer data, showcase compliance and offer an opportunity to add value by building customer trust.
The next two years are crucial for leaders to prepare for CPRA. We’ve outlined three key attention areas to act as a framework for a smooth transition in January 2023.
Maximising BAU remediation is paramount. Start identifying any systems and third-parties which hold personal information, and consider if they have the capacity to action the new and modified personal rights set out by CPRA. By finding gaps now, you’re likely to avoid any surprises or delays down the line.
You should also look to begin assessing your organisation, plugging system and third-party gaps, and understanding what might be considered sale or sharing under the new CPRA rules.
Making technical changes to enforce a retention approach is something a lot of firms currently overlook. Going forward, consider how to build this in from the start so you are prepared for new CPRA requirements to inform consumers of the retention period for each category of their personal information, and ensure adherence to this. It’s the approach we took when a multinational pharmaceutical company sought our help to prepare for GDPR and implement a new data privacy framework.
As soon as possible, start working with your legal teams to update the language in your third-party contracts, so that new contracts use the right language from the start and don’t need costly remediation close to the effective date.
Notices will also need to be updated, to reflect new requirements, including retention periods, where sensitive personal information is collected and how it is being used, as well as covering new personal rights. However, as the update to notices will not be required until closer to the time, we recommend organisations start by consolidating to a central notice, enabling easier updating closer to the CPRA effective date.
Organisations processing personal information in a way that presents a significant risk to the privacy or security of an individual will be required to conduct annual cybersecurity audits and regular risk assessments. We recommend running a cybersecurity maturity assessment early, using an appropriate framework such as NIST or ISO 27001, to identify and prioritise the remediation of any gaps.
It’s also worthwhile risk-assessing some of your known high-risk processes, such as those that handle sensitive personal information (SPI), and ensuring the appropriate privacy controls are in place. Look to establish and maintain an inventory of your processes that handle personal information, and make sure the business is ready to provide you with the information required to keep it current.
Finally, engage with your leadership team and wider organisation about privacy in general, such as the impact on day-to-day obligations. Open a discussion and consider how workshops and training sessions could help embed the importance of the upcoming CPRA changes. Privacy is a deeply relatable topic affecting every one of us, and better management of it is beneficial across the board.
It’s worth remembering too that CPRA, just like GDPR, isn’t a one-off exam, but will become an ongoing way of being. This is a chance to get ahead of the pack. Those who strike out early and steady will reap the rewards and avoid the frantic rush. And early investment will maximise BAU delivery, lowering your overall compliance cost while building continued trust with your customers.