With Data Privacy Week upon us, let’s take a closer look at how the California Consumer Privacy Act (CCPA) has sharpened its teeth by putting the California Privacy Rights Act (CPRA) into effect on January 1st of 2023.
Setting the Foundation
First, let’s set the foundation with a simple summation of CCPA. Back in 2018, California was the first state within the United States to bring forth a consumer-focused privacy regulation. What did it initially cover? Well, as a resident of California, you were now empowered with rights to protect your personal information that businesses collect on you. These rights included:
- The right to delete personal information collected from you
- The right to know what personal information a business has collected about you and how it is used and shared
- The right to opt-out of the sale and sharing of your personal information
- The right to non-discrimination for exercising your CCPA rights
Fast forward a couple of years and in late 2020, California voters approved Proposition 24, the CPRA, which amended the CCPA and added additional privacy protections that went into effect January 1, 2023. So what are these additional rights? In addition to the rights listed above, consumers now have:
- The right to correct inaccurate personal information that a business has about them
- The right to limit the use and disclosure of sensitive personal information collected about them
To be clear, CPRA is an amendment to the CCPA and is not a separate, new law.
With these rights in place, businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests exercising these rights as well as providing disclosures to consumers regarding the business's privacy practices.
Now let's home in on one of the most important elements CPRA brings forward: the term Purpose. Under section 1798.100(c), CPRA requires businesses to collect, use, retain and share consumer personal information only to the extent reasonably necessary and proportionate to achieve the purpose for which it was collected, or for a disclosed purpose that is compatible with the context in which the information was collected.
OK, so let's take a closer look at the three main components of purpose as defined within CPRA:
- Reasonably necessary and proportionate
  - Businesses should collect strictly the "minimum" personal information necessary for the purpose, while accounting for "possible negative impacts on consumers" of the collection and any "additional safeguards" the business could deploy to overcome the negative impacts
- Information is processed solely to "achieve the purpose" for which it is collected by considering the "reasonable expectations" of a consumer
  - These expectations can be based on the nature of the interaction between the consumer and the business, the type of personal information at issue, how the personal information was collected, the disclosures provided to the consumer, and the extent to which a consumer is aware of any service providers or third parties in the transaction
- To determine a "disclosed purpose that is compatible with the context," businesses need to consider whether a consumer's reasonable expectations align with the additional disclosed purpose
  - For example, if a consumer provides a financial services business with personal information specific to their brokerage account, the business cannot then use the personal information for any additional lines of business they offer, nor share the information as a means to gather intelligence on the consumer and areas the financial service business would benefit from
Way Forward – Data Minimization
In addition to reviewing their data sharing practices and implementing controls that enable consumers to easily opt out of the sharing of their personal information, businesses must put an emphasis on data minimization as a critical factor in how they can support privacy regulations across the board.
The principle of Data Minimization, as defined by the UK’s Information Commissioner’s Office, centers on ensuring the personal data a business is collecting and processing is:
- Adequate – sufficient to properly fulfil your stated purpose
- Relevant – has a rational link to that purpose
- Limited to what is necessary – you do not hold more than you need for that purpose
Therefore, businesses should carefully assess their data collection and retention practices to determine whether adjustments are necessary to prevent over-collection of consumer personal information. This should include the following:
- Only collect personal data that is actually needed for the specified purpose
- Have sufficient personal data to properly fulfil the purpose
- Periodically review data being held and delete anything no longer needed
Looking to better understand how to get started or mature your current privacy program? You can find many great resources on the CyberRes Privacy Compliance Hub. You also might want to check out our Privacy Compliance Webinar Series, four great webinars that help tell our data privacy and protection story. What is the true cost of Data Privacy, and the financial risk carried as a result of a data breach? Find out with our free financial calculator.
Show Your Support for Data Privacy Week (January 22-28)
Data Privacy Week is an annual campaign to raise awareness and promote data privacy and data protection best practices and is sponsored by the National Cyber Security Alliance (NCSA). CyberRes, a Micro Focus line of business, believes so strongly in promoting Data Privacy that we are Data Privacy Week Champions and urge all organizations to respect data. See why the ever-changing compliance laws are top of mind in our Data Privacy Week blog.
Make sure to follow us on Twitter and LinkedIn and use the hashtag #DataPrivacyWeek. Let us know the steps your org takes for data privacy by logging in or registering and commenting below.