CCPA 2.0 compliance is necessary for businesses in the state of California. Learn about future privacy regulations under consideration at the federal or state level for the upcoming November 2020 ballot.
Considered as the second coming of the California Consumer Privacy Act (CCPA 2.0), the California Privacy Rights Act (CPRA) has significant momentum to qualify for the November 2020 ballot in California. The preliminary polling has received sufficient signatures and will likely get the approval of voters. Californians for Consumer Privacy started the initiative for this move and secured 931,000 signatures from Californians. When all CCPA compliance steps are followed, it is projected that the provisions of the CPRA will possibly take effect on January 1, 2023.
New regulations call for thorough preparations. There are inherent expectations for the upcoming CCPA 2.0, particularly amendments to consumers’ privacy rights in California and businesses located here. The CCPA 2.0 is also set to answer the ambiguities and unintended effects of the previous CCPA. For the best CCPA implementation guide, we’ll walk you through everything you need to know.
New Obligations and Rights
The CCPA compliance steps you need to take starts with charting the new provisions of the CPRA. Awareness will help companies evaluate their present situation and adapt the changes without any unnecessary interruption.
Sensitive Data Opt-in Consent
Under the existing CCPA, there is a “Do Not Sell My Personal Information” link available to data providers. The upcoming CPRA has a similar link with more details: “Limit the Use of My Sensitive Personal Information.”
But what is the parameter of the term “sensitive personal information”? This covers an individual’s account log-in credentials, sexual orientation data, Social Security Number, and financial account information, among other personal information sources. CCPA 2.0 gives consumers the power to limit the disclosure and use of said sensitive personal information.
Stricter Penalties and Fines for Child Data Protection
There is a legally enforced opt-in for minors under 16 before any business can share or sell their data. The fines are very stiff. Any intended violation for mishandling the child’s data can face a penalty that is thrice the amount of an ordinary fine. From the typical $7,500 fine, the amount can skyrocket up to $22,500.
Codification of Fair Information Practice Principles (FIPP)
Several crucial fair information practice principles are seeing codification in the upcoming CPRA. These include the following:
- Use limitation
- Data quality
- Data minimization
FIPPs protect the right to correct erroneous personal information. They can also prevent the retention of sensitive personal information for longer than necessary for a reasonable time, together with the obligation to delete unneeded data.
The CPPA 2.0 also has a new private right of action that lets data users bring an action if their personal data account does not meet reasonable security, causing unauthorized access or unwarranted disclosure of vital information such as passwords, email addresses, or financial data.
This new regulation provides the right to limit the use of “sensitive personal information” for any other purpose than what it was initially intended or collected for.
The California Privacy Protection Agency
The CCPA 2.0 will oversee the creation of the first government organization with the primary task of protecting the privacy and digital rights of Americans. It will be called the California Privacy Protection Agency (CCPA). Its additional duties include informing the public about privacy risks and giving businesses and consumers guidance about their privacy rights.
The CPPA will also have the power to issue and enforce administrative fines for violations of the privacy provisions. The standard penalty is $2,500 for every violation and can range up to $7,500 if it is intentional.
The California Privacy Protection Agency, together with the California Attorney General, can impose audits and risk assessments for companies involved in consumers’ data processing. These agencies can create regulations for an annual independent cybersecurity audit, dependent on its risks and size.
Disclosure Requirements for Profiling
The General Data Protection Regulation (GDPR) of the European Union has a disclosure requirement for “profiling.” This same regulation is mirrored in the California Privacy Rights Act.
If a business undergoes personal information processing in a way that allows the prediction of characteristics, this is an indication of profiling. With this data, it is possible to predict specifics such as behavior, health, location, economic disposition, work performance, etc.
The CPRA will put new regulations in place to oversee consumers’ opt-out rights when dealing with these businesses. Users can make requests for access to these businesses and these organizations are compelled to include meaningful information. These include the decision-making process behind the profiling process and these data’s outcome, especially for consumers.
Contractual Cooperation Obligations between Third Parties and Service Providers
In California, businesses that share vital personal information with contractors, third parties and service providers must enter into a contract with data recipients. Those who will receive these personal data must have the same privacy protection as provided in the CPRA.
Additionally, service providers and contractors are required by law to cooperate with the business if there are verifiable consumer requests from users, particularly in the deletion of personal data collected about the consumer.
Upgrades and Clarifications
Better Mark for Applicability
The earlier CCPA law defines a “business” as a financial entity with 50,000 users. The new CPRA will amend this policy to 100,000.
Additionally, the term “devices” will be removed. Businesses do not need to consider the number of devices they interact with. This amendment is required to remove confusion in what defines a “business.”
Extension of Moratoria for B2B and Employee Information
Under the present CCPA, businesses do not have to respond to requests to delete information from their employers when it comes to employee-related information. Business to business information is also excluded from the current provisions.
These exceptions will expire on January 1, 2021. The upcoming CPRA will extend these exemptions until January 1, 2023, citing “the differences in the relationship between employees or independent contractors and businesses compared to the relationship between consumers and businesses.”
Continuation of Loyalty and Discount Programs
There is uncertainty for businesses when it comes to the requirement of not discriminating against consumers for exercising their opt-out rights with programs that are based on their personal information.
This ambiguity will be corrected in the upcoming CPRA. The CCPA 2.0 does not prohibit discounts, premium features, loyalty rewards and club card programs.
But these programs will only be allowed if they are aligned with the regulations of the CCPA.
Removal of Cross-Context Behavioral Advertising in the Sale Category
Cross-context behavioral advertising is a form of advertisement that focuses on the personal information obtained by that consumer’s activity across businesses other than the one which the consumer has interactions with.
Under the CCPA, cross-context behavioral advertising is a type of “sale.” But the CPRA will clarify this as a type of “sharing” of personal information.
Cross-context behavioral advertising will also be differentiated from “advertising and marketing services.” This is because this form of advertisement does not fall under the qualification of a business purpose under the upcoming CPRA.
Effect on Businesses and People
The significant impact of the upcoming CPRA (CCPA 2.0) is that businesses may need to reassess the original CCPA covering them because they collect information from over 50,000 users, devices, or households.
If you have made steps to comply with the original CCPA, you just need to tweak it just a little more to meet the requirements of the new CPRA (CCPA 2.0). The deadline is July 1, 2023. But it is best not to procrastinate and review the data inventory of your company the soonest possible opportunity you can. Failure to comply can result in very bothersome fines that can affect your financial flexibility moving forward.
Protection of Sensitive Data
The critical step that businesses must ensure is to isolate data categories that will be considered “sensitive” under the upcoming CPRA (CCPA 2.0). Suppose this sensitive data is blended with other data and is not systematically parsed. In that case, there may be challenges to the “Limit the Use of My Sensitive Personal Information” request under the CPRA.
Businesses must build a rationalized data privacy framework that is in harmony with multiple laws and jurisdictions. It is best to identify leaders within the company that will manage these privacy programs. Perform a risk assessment on your present state environment and prioritize gaps for policies, notices, privacy impact assessments, data subject rights responses and security controls. Record the privacy operations and the maintenance needed to align with businesses.
Clear Establishment of Data Privacy Policies
For better information dissemination, quickly establish enterprise policy about user data privacy and support. The CPRA enforces that businesses must not retain personal information for longer than is necessary, or for longer than the disclosed purpose. This upcoming regulation will also require companies to notify customers about the length of time needed to retain this personal information.
The task ahead is very challenging, especially with the deadline of January 1, 2023, fast approaching. The example of the General Data Protection Regulation in Europe shows that it takes significant coordination and effort to maintain data retention policies across different platforms.
More vigorous enforcement is crucial. Businesses and organizations must create mechanisms that will oversee compliance with the requirements of the upcoming CPRA to make sure that the privacy programs are highly secure.
Steps of securing your data privacy program include:
- A comprehensive data inventory sorts all data categories, including the new “sensitive personal information” under the upcoming CPRA. It must also include types according to the purpose and use of personal information.
- Establishment of contracts with third parties or service providers that have access or collection of this personal information. These must limit the use of this personal information to what is reflected in the data privacy agreements. These privacy notices must include the new privacy rights under the CPRA (CCPA 2.0) and made available to the public.
- Internal audits and privacy risk assessments must be put in place to prepare for the enforcement of the CPRA. It is essential to find gaps and vulnerabilities that will protect you from fines, agency investigations and breaches.
Guidance for Compliance
RSI Security is fully equipped with experience and expertise to assist you in complying with the requirements of CCPA 2.0. Our organization shall evaluate your company’s security and privacy policies to ensure that everything is personal data defense and consumer rights protection.
Our comprehensive services for compliance assessment and advisory will help prevent data breaches and personal data loss. Any possible gaps in practices that may compromise your compliance will undergo corrective actions so that your company is CCPA compliant and ready for an audit anytime.
Refer to RSI Security if you need the following CCPA 2.0 services:
- Audit and assessment services (including physical, technical and administrative safeguard check for the personal data environment)
- Personal data mapping and inventory
- Privacy by design program
- Privacy impact assessment
- Incident and data breach response planning
- Network penetration
- Testing vulnerability
- Scanning enterprise
- Privacy risk assessment
- Personal data security training and awareness
There is an absolute boon for your company once we have helped you with all the compliance requirements for CCPA 2.0. Your organization will have security and assurance that it is always ready to face any government surprise audit. The personal data environment of your company will also get a boost in protection. This will translate to better trust and reputation ratings among your clients and industry.
Download Our CCPA Compliance Checklist
Assess where your organization currently stands with being CCPA compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.