Cybersecurity insights from industry experts.

As Consumer Privacy Evolves, Here's How You Can Stay Ahead of Regulations

Businesses must leverage state and local guidance — along with technology — to maintain secure, compliant infrastructure.

Microsoft Security, Microsoft

April 18, 2023

4 Min Read
Privacy concept: Silhouette of large person with magnifying glass watching man on computer

Proposition 24, also known as the California Privacy Rights Act (CPRA), went into effect in January. Passed by California voters in November 2020, the CPRA increases consumer data privacy protections under the California Consumer Privacy Act (CCPA) by giving consumers the right to correct inaccurate personal information that a business has about them. It also allows consumers to limit the use and disclosure of sensitive personal information collected about them.

This has heavy implications for enterprise businesses, as the CCPA applies to any "legal entity that collects consumers' personal information, determines the purposes and means of processing consumers’ personal information, and conducts business in the State of California." To fall under the scope of the CCPA, organizations must either earn more than $25 million in annual gross revenue, derive at least half of their annual revenue from selling consumers' personal information, or buy, receive, sell, or share the personal information of at least 50,000 consumers, households, or devices on an annual basis.

Organizations have an imperative to stay ahead of changing laws like the CCPA, but safeguarding consumer privacy can vary widely depending on where you operate, the type of data you collect and share, where your consumers are located, and more. Read on to learn how you can leverage state and local guidance alongside existing technology solutions to maintain a secure and compliant infrastructure.

Understanding Consumer Privacy Through the Lens of CCPA

According to Thomas Reuters, regulatory bodies release more than 250 compliance updates every day. So it makes sense that 25% of organizations don't understand which regulations apply to them or what they need to do to achieve compliance. And while specific requirements can vary depending on the law, the CCPA is a great place to start when trying to understand how consumer privacy is growing and changing in the US.

The CCPA, along with the CPRA, grants consumers six key rights.

  • The right to know: Consumers are entitled to know what personal information a business has collected about them and how that information is being used and shared.

  • The right to delete: Consumers may request that businesses delete any personal information that has been collected, with certain exceptions.

  • The right to opt out: Consumers may opt out of the selling or sharing of their personal information.

  • The right to nondiscrimination: Consumers may not be discriminated against for exercising their CCPA rights.

  • The right to correct: If a business has collected, stored, or shared inaccurate personal information, consumers may request that businesses correct that data.

  • The right to limit: Consumers may limit how sensitive personal information, like their Social Security numbers, or precise geolocation data is used and disclosed. 

The CCPA also establishes certain obligations for businesses. For example, businesses must disclose their practices around personal information either before the data is collected or at the point of collection. Businesses are also required to respond to consumer rights requests within 45 days. However, they may extend this response time by 45 days as long as they notify the consumer. Additionally, under the CPRA, businesses must conduct regular cybersecurity audits and privacy risk assessments as well as minimize the amount of data they collect and retain.

Leverage Defense-In-Depth To Improve Data Security, Compliance

Regulations like the CCPA can quickly become overwhelming. Taking a proactive defense-in-depth approach to data security and compliance ensures that organizations have multiple layers of built-in protection throughout all phases of the design, development, and deployment of any security platforms and technologies.

When it comes to data security and compliance, there are four core stages that organizations should be aware of:

  • Discovery: Organizations must understand how much data they have, where that data exists, and what kind of information is captured in that data. 

  • Protection: Once all data has been mapped out, companies can apply sensitivity labels, encrypt data, and enact additional safeguards to secure data against outside threats.

  • Risk management: Automated security alerts and multifactor authentication can be used to secure data against insider risks.

  • Loss prevention: Finally, companies can leverage AI-driven data loss prevention policies to ensure they don’t overshare sensitive information.

As consumer data privacy continues to evolve, now is the time to establish robust data retention and deletion strategies. Organizations must act quickly if they want to prepare employees for incoming "right to know" requests, while also mapping out consumers' personal and sensitive information and conducting businesswide risk assessments.

Read more Partner Perspectives from Microsoft Security.

Read more about:

Partner Perspectives

About the Author(s)

Microsoft Security


Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights