Over the past couple of years, California has led the charge in protecting the privacy of its residents, implementing far-reaching legislation designed to both guide and mandate how businesses should protect the data of the state’s citizens.
July 2020 brought the official start of enforcement of the California Consumer Privacy Act (CCPA), a privacy law designed to control and limit what organizations can do with the data of California residents. With many businesses serving customers in California, the CCPA is far-reaching and, as with Europe’s own privacy law, the GDPR, brings potentially crippling penalties for non-compliance and data leakage.
But as is always the case with new legislation, the initial language is never perfect, allowing for the creation of loopholes or confusion around its application.
What is the California Privacy Rights Act (CPRA)?
In November, Californians voted on and approved Proposition 24, officially titled the Privacy Rights and Enforcement Act Initiative. The CPRA initiative is not necessarily a new law, but an initiative designed to expand and build upon the already existing CCPA.
CPRA gives consumers broader power over how their data is used by businesses by allowing them to instruct organizations to limit the use of sensitive data and to prevent businesses from holding their data for longer than necessary. With 55 percent of state voters approving the proposition, many companies now face both legal and technical challenges, specifically with regard to their online properties.
A new enforcement agency
While the CCPA had good intentions, it quickly became apparent that enforcing and litigating all cases would be difficult with limited government resources and untested language.
However, the CPRA changes this with the creation of a new government agency dedicated solely to handling enforcement of and compliance with privacy laws. As with the GDPR, the CPRA has a dedicated group specifically focused on privacy, meaning that more organizations will be penalized for non-compliance and lawsuits against even small businesses will be brought.
An expansion of privacy responsibility
One of the biggest impacts the CPRA brings is the increased responsibility an organization has with respect to their customers’ privacy. With the passing of Proposition 24, businesses are now firmly responsible for not only what they do with customer data themselves but also what any third party they choose to do business with does with it – in the event they have shared such data.
For example, where an organization includes advertisements from a third-party provider on its site, the organization now has much stricter requirements to ensure that the advertisement provider is not storing customer data. Ultimately, this means that any business that utilizes third-party services on its website, such as analytic trackers, telemetry monitoring, virtual assistants and shopping carts, is required to understand, monitor and control all data flow to them and will be subsequently held responsible for any data leakage.
Get ready for the CPRA
The introduction and passing of the CPRA demonstrates how seriously data privacy and protection are being taken in California and also sends a clear message of its intention to penalize businesses for lack of compliance.
The CPRA will go into effect on January 1, 2023 and will apply to information collected on and after January 1, 2022. Until this time, the CCPA will continue to be the presiding privacy legislation.
This means that organizations have some time to ensure that their services such as websites, portals, internal systems and third-party relationships are compliant, but one of the biggest challenges with this is a lack of visibility into customer data flows.
Ensighten enables organizations to control the flow of customer data from their website to any third-party service provider, prevent data leakage and ensure website compliance in line with the CCPA and CPRA.