Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/5/2021
10:00 AM
K Royal
K Royal
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What You Need to Know About California's New Privacy Rules

Proposition 24 will change Californians' rights and business's responsibilities regarding consumer data protection.

In November's elections, Californians voted in favor of Proposition 24, which effectively expands the state's data privacy legislation with a new set of rules. At a broad level, the California Privacy Rights Act (CPRA) will succeed the California Consumer Privacy Act (CCPA) on January 1, 2023.

Many organizations may have just gotten comfortable with General Data Protection Regulation (GDPR) or CCPA compliance. They are likely wondering what the CPRA entails and what those changes mean moving forward.

In the coming months, the California legislature will iron out the details about the CPRA. However, the major changes between the CCPA and CPRA have already crystallized. Although this list isn't exhaustive, the following are some of the biggest changes in the regulation.

Related Content:

The Sameness of Every Day: How to Change Up Audit Fatigue

Building an Effective Cybersecurity Incident Response Team

New From The Edge: Why Secure Email Gateways Rewrite Links (and Why They Shouldn't)

A New Enforcement Agency Is Born
The CPRA introduces a new enforcement agency, the California Privacy Protection Agency (CPPA). This agency is akin to data protection supervisory authorities that exist in other countries. The agency will made up of a five-person board, two of whom must be appointed by the California governor. The California State Assembly, Senate, and Attorney General will appoint the remaining members. The CCPA is tasked with investigating CPRA violations, conducting hearings, and issuing sanctions when necessary. The agency will also provide guidance on CPRA's implementation.

Requirements About Sensitive Personal Information
The CPRA introduces the concept of "sensitive personal information." According to the new law, sensitive personal information includes identification numbers, such as Social Security numbers, driver's license numbers, identity card or passport numbers, account credentials, credit card details, geolocation information, communications content in emails and text messages (if a business is not the recipient of the communication), and data elements that align with Europe's GDPR. These elements include religious or philosophical beliefs; union membership; health, genetic, and biometric data; and information related to an individual's sex life or sexual orientation. The CPRA states that consumers have the right to ask a business to not disseminate sensitive personal information.

Consumer Rights With Regard to Data
The CPRA now empowers consumers with a number of rights regarding the data that companies use. The CCPA already includes the right to deletion, whereby consumers can ask a business to delete their personal information it has on file. The CPRA will extend this right to ensure businesses cooperate with deletion requests and allow businesses to keep a confidential record of deletion requests for future reference. The CPRA will also introduce a right of correction, which enables consumers to request that a business correct inaccurate personal information. Under the CCPA, consumers were able to request to see the data a business has collected about them during the 12 months preceding the request. Under the CPRA, consumers can request to see data that businesses collected before the 12 months preceding that request if the business possesses that information.

Consumers Will Have More Say Over Data Collected for Advertising
Many companies use cross-context behavioral advertising, a practice that leverages individual consumer profiles for advertising purposes. Under the CPRA, consumers may opt out of these data collections. This change will also impact how companies present choices to opt out; for example, businesses will not be able to show large, brightly colored "accept all" preference buttons to consumers who view their websites. 

CPRA Extends Data Breach Requirements
When information such as nonencrypted or nonredacted information or login credentials and password combinations is granted unauthorized access, it's considered a data breach under the CCPA. The CPRA empowers consumers to claim compensation or other recourse that a court deems necessary to make up for the breach. If a court finds that a data breach was caused by insufficient data security, it may also seek administrative enforcement against the organization.

What Can Companies Do Now?
The good news is companies have until the Jan. 1, 2023, enforcement date to comply with these (and other changes) introduced in the CPRA. Although businesses don't need to address the CPRA specifically right now, compliance organizations should begin to prepare by taking note of the major changes and thinking about whether their existing privacy programs will be able to easily scale to support them.

K Royal is an attorney and global compliance professional with 25 years of experience in the legal and health-related fields. K has a particular interest in technology along with its challenges and opportunities. On a typical day, she works with GDPR. HIPAA, CCPA, incident ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "The truth behind Stonehenge...."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27886
PUBLISHED: 2021-03-02
rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product.
CVE-2016-8153
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.
CVE-2016-8154
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.
CVE-2016-8155
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.
CVE-2016-8156
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.