In November 2020, California Governor Gavin Newsom signed into law the latest salvo of data-privacy regulation: the California Privacy Rights Act. With CPRA enforcement set to begin in July 2023, are corporations ready to comply?
Doubtful, according to "How to Comply with the CPRA," a white paper released by Osterman Research late last year. (The white paper was sponsored by Micro Focus, which publishes TechBeacon.) The Washington-based market research firm surveyed 129 professionals involved in “developing, approving, enforcing, or reviewing their organization’s policies and practices regarding data protection and management.” Respondents worked for midsize and large corporations. Their responses generally indicated a dubious level of preparedness, even as more and more personal data keeps getting created and collected.
CPRA's Predecessors
A 2017 study cited in Forbes estimated that the world creates 2.5 quintillion bytes (1 billion gigabytes) of data each day. Since then, the world Internet population has grown from 3.7 billion to 5.03 billion, foretelling a dramatic acceleration in data creation.
As more people create more data, governments have placed greater ethical and legal scrutiny on the private corporations that leverage that data for competitive advantage. What rights should users be able to exercise over their personal data? What security mechanisms must corporations have in place to responsibly steward user data? When should they be expected to comply—and what consequences should there be for noncompliance?
CPRA stems from the same ethical questions that motivated preceding regulations. To understand its role, it’s useful to review CPRA’s key predecessors.
The European Union threw the first gauntlet when it adopted the General Data Protection Regulation (GDPR) in 2016. The user-oriented GDPR—which went into effect on May 25, 2018—introduced stringent standards for corporations collecting data from EU users and/or controlling or processing data within the EU.
Given the global nature of data collection, GDPR affects more than just EU corporations. For instance, when Spanish citizens use WhatsApp to exchange personal photos, parent company Meta, based in California, is responsible for ensuring the photos get handled by GDPR standards.
About a month after GDPR went into effect, California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law, the first attempt at a US equivalent for GDPR. Like GDPR in the EU, the CCPA applies not just in California, but to certain businesses collecting data from California citizens.
From CCPA to CPRA
The CCPA established four major categories of data-privacy rights for individuals:
- The right to be informed about what data companies are collecting
- The right to request deletion of certain personal information
- The right to opt out of the sale of one's own personal information
- The right to transfer that data to another service
An important element of the CCPA is the right-to-know request, which permits users to inquire about the makeup and location of their data and request that their data be deleted. Organizations must be prepared to give accurate, timely answers and comply with deletion requests.
CPRA overlays CCPA, adding new user rights and granting new powers to new enforcement entities. A few specific highlights:
- The creation of “sensitive personal information” (SPI) as a new category of data. The CCPA introduced “personal information” as a data category; CPRA adds SPI as a subset. SPI includes data concerning race, ethnicity, sex life, sexuality, financial information, union membership, and geolocation.
- The introduction of “contractor” as a new entity type. The CCPA defined three types of entities: business, service provider, and third party. By adding contractor as a fourth entity, the CPRA lays out more specific data-stewardship standards for any organizations working with companies that collect data from California citizens.
- The establishment of the California Privacy Protection Agency (CPPA). The CPPA will assume administrative enforcement powers of both the CPRA and the CCPA—a power that formerly resided with the California attorney general. (The attorney general will retain civil enforcement authority.)
CPRA enforcement will begin in July 2023 and apply to all applicable California user data collected since January 2022. Penalties for noncompliance could be severe. If the CPPA identifies violations, companies have 30 days to fix them or face fines of $2,500 per unintentional violation and $7,500 per intentional violation. One violation is represented by one data record.
To put that in perspective: A 2020 breach of the video-streaming website CAM4 exposed 10.88 billion data records. Even if only 1% of those records pertained to California residents, penalties for the breach could cost $2,500 per record for 108.8 million records, or $272 billion.
Not Ready to Comply
As part of its report, Osterman Research evaluated how prepared organizations are for CPRA compliance. While there are a select few positive indications, the report indicates a general lack of data-privacy maturity and preparation.
This is perhaps best illustrated by the finding that fewer than 25% of organizations claim that they have a “highly mature data-privacy program.” Data-privacy program maturity includes elements such as controlling corporate data (which four-fifths of organizations don’t do), locating data (for which one-third of organizations lack audit processes), and training employees to be CPRA-compliant (for which more than half of organizations don’t have a program).
CPRA unpreparedness also stems from the fact that many organizations are not yet complaint with the CCPA. Only 36% of organizations are fully CCPA-compliant. Of the 64% that aren’t, 1.5% collect data on California residents but have no plans to comply.
Part of the problem is that some organizations rely on point-in-time inventorying of IT and data assets. Point-in-time inventorying gives organizations only a static portrait of their data’s nature and location—an “important but insufficient” capability, per the report. With more users creating more data moving more fluidly through sophisticated processing systems, point-in-time data gives organizations a quickly outdated snapshot. This hinders organizations' ability to comply with right-to-know requests.
The report also highlights email and other corporate messaging tools as major points of vulnerability. Cloud-based email inboxes have anywhere from 50GB to 100GB of storage, representing enormous risk if even one inbox is infiltrated. Email “misaddressing,” where messages and files are sent to an incorrect recipient, is a common source of data leakage. Additionally, organizations have ineffective control over information exchanged via Slack, Microsoft Teams, and unsanctioned cloud services.
Problem Areas
The report highlights critical problem areas that organizations must address to achieve CPRA readiness, including third-party website code, data discovery, and external attack-surface management.
Website code: Liable organizations must ensure that web code created by third parties does not contain vulnerabilities that would subject the organizations to noncompliance. Forty-four percent of organizations have inadequate ability to ensure that third-party code is secure and CPRA-compliant.
Data discovery: This refers to the process of determining what data is being produced by what applications, and which of it falls under CPRA classification. This is an area where point-in-time inventorying presents significant risk. Ongoing data creation requires ongoing monitoring to know what’s being created and how organizations are responsible for handling it.
Attack-surface management. This is the process by which organizations proactively identify weaknesses in their cybersecurity defenses. It is a higher-order ability that depends on a foundation layer of data-privacy program maturity.
Recommended Steps
For organizations aspiring to full CPRA compliance, the Osterman report recommends four steps:
- Understand your responsibilities. Assess how you collect data on California residents, and understand what regulatory consequences your collection methods have. Understand where your data is stored and what agreements you must reach with third parties to remain compliant.
- Track your data’s whereabouts in real time. Determine how your organization handles personal and sensitive personal information after collecting it. Where does it go? Who gets access to it? Is it stored safely? Do you share it with anyone (wittingly or not)?
- Upgrade technological solutions. Stronger forms of antiphishing tools, identity verification for employees and customers, and cloud-security tools will help organizations keep up with new regulations.
- Empower employees. Employees will bear much of the responsibility for keeping their employers CPRA-compliant. As such, they will need extensive training on how to remain complaint in day-to-day activities and how their roles may change.
The report stresses that while California is the first US state to introduce such stringent data-privacy regulations, it is unlikely to be the last. Organizations need to prepare for a changing data-protection landscape that offers much more extensive protections for users. The best way for organizations to do that is to make their data-privacy program maturity a high-order priority.
Keep learning
Understand the newest privacy laws with this Webcast: California’s own GDPR? It’s not alone.
Take a deep dive into the new privacy laws with TechBeacon's Guide to GDPR and CCPA.
- Get up to speed on cloud security and privacy and selecting the right encryption and key management with TechBeacon's Guide.
