Compliant with CCPA? Awesome! Time to start thinking about CPRA!
The California Privacy Rights Act (CPRA) is a new privacy initiative that has been placed on the November 2020 California ballot. If passed, this new law will give consumers even greater power to take control of their personal information. It will also, according to the Californians for Consumer Privacy website, “expand consumer rights, create more transparency, and establish an enforcement arm to protect these rights.” The enforcement arm will be independent of the California Attorney General.
While many companies have implemented CCPA compliance processes, recent surveys reveal that many of those processes are highly manual and therefore less efficient and more error-prone. The same surveys indicate that companies are exploring automation of these processes to improve efficiency. This means now is the time to understand how the new CPRA could affect those processes so that you can get ahead of the game.
A Quick Recap of the California Consumer Privacy Act
- Grants consumers the right to:
  - Know what information a business has collected on them.
  - Say “no” to the selling of their personal information.
  - Request deletion of their information.
  - Obtain a copy of their personal data in a portable format.
- Grants the California Attorney General the right to enforce compliance with the law.
- Grants California consumers a ‘private right of action’ to sue businesses that fail to secure their data.
For a complete overview and more blogs about the CCPA, please check out our blogs here.
A Quick Preview of the California Privacy Rights Act
The CPRA grants greater rights and covers more data, but applies to fewer businesses.
The CPRA grants consumers the right to:
- Restrict the use of ‘sensitive’ personal information.
- Correct (rectify) errors or omissions in their data.
- Limit the amount of data collected.
- Limit how long their data can be retained.
- Opt out of advertisers’ use of their geolocation data.
- Override privacy restrictions in emergency situations.
The CPRA also:
- Provides transparency around consumer profiling and automated decision making.
- Restricts the onward transfer (from collector to third parties) of personal information.
- Requires high-risk businesses (data processors) to:
  - Perform regular risk assessments.
  - Perform regular cybersecurity audits.
- Establishes the California Privacy Protection Agency to protect consumers.
- Appoints a Chief Auditor with the power to audit the data practices of businesses.
And finally, the CPRA prevents the law from being weakened by the California legislature.
The CCPA applies to any for-profit business, wherever located, that does business in California and that generates at least $25 Million in annual revenues, or derives 50% of its revenues from selling consumer information, or holds records on at least 50,000 California consumers or households.
The CPRA imposes the same criteria but doubles the threshold for California consumer records processed from 50,000 to 100,000, effectively exempting many smaller businesses.
How Milestone Can Help
Milestone would like to help you leverage your investment in ServiceNow to prepare for any possible new requirements. For example, the introduction of a Privacy Protection Agency having both auditing and enforcement powers adds a whole new dimension to your privacy program, a dimension that the ServiceNow Governance, Risk, and Compliance (GRC) suite of applications is ideally suited to address. With the ServiceNow GRC Policy & Compliance application, for example, you can implement a robust privacy compliance solution to not only monitor compliance but to also demonstrate compliance to auditors by providing evidence of performance captured at the time of performance.
Contact us today to learn more about how you can use ServiceNow to ensure your organization remains continually compliant and audit ready.
To learn how you can use ServiceNow to ensure your organization remains continually compliant and audit ready, please reach out to our GRC team at firstname.lastname@example.org.
Disclaimer: the author is a technologist, not an attorney. Nothing in this article constitutes or should be construed as legal advice. Always check with your legal, compliance, and privacy teams when designing, implementing, or optimizing any privacy compliance processes or programs.
About the Author
Mike DeAndrea, GRC Practitioner and Advisory Solution Architect, Milestone
With more than 20 years of applied expertise in Governance, Risk, and Compliance, Mike helps Milestone customers understand how they can leverage the power of ServiceNow to meet their regulatory compliance needs in the shortest time. Mike has extensive experience both as a practitioner and a consultant. As a practitioner, he managed the compliance efforts of a large enterprise-wide IT operations department of a multi-billion-dollar, multi-national company for several years. As a consultant, Mike has been helping high-profile customers deploy GRC solutions in ServiceNow for over five years. He maintains a number of ServiceNow and industry certifications, and specializes in designing compliance solutions that are not only effective but also highly efficient, that minimize the time to value, and that drive down the cost, burden, and impact of compliance on your organization. Connect with Mike on LinkedIn.