As the amount of digital data continues to grow, so has the number of laws designed to regulate it. Much like the GDPR and other digital privacy laws, the California Consumer Privacy Act (CCPA) was established several years ago to increase transparency, access, and control over a consumer’s personal information. Now, just a few years later, new legislation, the California Privacy Rights Act (CPRA), is taking effect.
While the CPRA has “California” in its name, its implications stretch beyond the state’s borders. As with the GDPR, a company does not need a physical presence in California for the law to apply to it. Because the CPRA protects the personal data of California residents regardless of where that data is collected or stored, any company that collects data from or about consumers based in California is subject to CPRA mandates.
Further, CPRA compliance requirements apply to data stored on-premises AND in the cloud. Cloud data in particular can be challenging to monitor, and it is not always clear which security risks affect it. Below, we outline several steps to take now to ensure your cloud data is CPRA compliant, and how Own can help support these efforts.
What's the difference between the CCPA and the CPRA?
As an amendment to the CCPA, the CPRA builds on the CCPA’s existing privacy provisions, such as the requirement that businesses disclose which personal information they collect and allow consumers to opt out of the sale of their personal data.
However, the CPRA goes beyond the CCPA in three main ways:
- More consumer rights. The CPRA grants consumers several rights that are not included in the CCPA, such as the right to correct inaccurate personal information in a company's records. It also grants the right to opt out of automated processing or analysis of personal information.
- Broader definition of personal data. Whereas the CCPA applied to a relatively narrow set of data defined as personal information, the CPRA takes a more expansive approach by adding a new category called sensitive personal information (SPI). This includes genetic and biometric information, race, ethnicity, and employment history.
- Mandatory risk reporting. Under the CPRA, companies must perform regular audits and risk assessments to demonstrate that they have taken steps to ensure that their data management practices comply with CPRA requirements.
Steps to making sure your data is CPRA compliant
Maintain granular security controls
Since the CPRA grants individuals various rights regarding how their data is used, one-size-fits-all data protection policies aren’t sufficient for maintaining CPRA compliance. Instead, companies need a granular way to manage data that allows them to modify data policies across various cloud environments where data is stored.
Review data classification tools
Because the CPRA adds new categories to the list of personal data that must be protected, teams should start by identifying which data is considered personal and sensitive. After identifying this data, you can classify it based on internal data classification policies. If you use automated data discovery or classification tools, you should also update the policies that control them.
Perform regular audits
As mentioned above, in addition to internal audits, companies must generate reports demonstrating their CPRA compliance efforts and submit them to the CPRA compliance agency. These reports must show that reasonable data protections are in place.
For these reasons, you’ll need to develop your own auditing processes if you don’t already have them in place, and make sure that the audit reports they generate are sufficient for CPRA regulators.
Review data retention policies
While the CPRA doesn’t set specific data retention limits, it does state that retention “shall be reasonably necessary and proportionate to achieve the purposes” for which the personal information was collected or processed, or for another disclosed purpose.
With thousands (or more) of records entering and leaving your cloud environments daily, it’s critical to have an official data retention policy on record. Your data retention policy should look holistically at all the data entering your cloud environments and should define the data you're retaining, the data’s sensitivity level, and which regulations specify minimum or maximum retention periods.
Protect and secure your data
The CPRA requires businesses to implement and maintain “reasonable security procedures,” meaning that they must protect any data they hold from being destroyed, modified, or accessed by unauthorized parties.
Various events, including data breaches and human error, can trigger incident response obligations under the CCPA and CPRA. For example, even incorrectly updating or mistakenly deleting data requires notification under these laws.
A robust data protection plan will allow your company to move quickly and confidently into incident response mode when a breach occurs, a critical capability for satisfying California’s requirements. This includes the ability to pinpoint exactly what data was affected and to recover it quickly.
How Own supports CPRA compliance efforts
Own can help you achieve CPRA compliance within your critical SaaS platforms like Salesforce, Microsoft Dynamics 365, and ServiceNow when paired with a well-designed compliance strategy. In addition, Own’s security processes have passed Salesforce security reviews, comply with SOC 2 Type II requirements, and are ISO certified.
Below are some of our product features that are particularly helpful for ensuring CPRA compliance:
- Demonstrate operational effectiveness and improvements to security controls over time
- Provide downloadable reports with different security risk lenses
- Analyze and adjust permissions & access to data to ensure fulfillment of the principle of least privilege
- Deliver real-time, evidence-based reports and audits to satisfy external regulations
- Classify data sensitivity level and tag fields for compliance with CPRA
- Optimize the implementation & maintenance of encryption at rest to ensure compliance with reasonable security procedures and practices
- Allow for flexible retention policies of backups tailored to your organization’s CPRA retention requirements
- Backups receive the highest-grade security: a hardened cloud infrastructure, full encryption with keys (allowing users to bring their own keys or key management system), role-based access controls, and other user-based security protocols
- Ensure immutable, accurate, and reliable data and metadata backups with precision restore capabilities
- Ensure proactive alerting and communication of data changes, corruption, or deletion
- Empower users to forget and rectify records with tools that make it easy to locate and edit requested personal record data
- Define archiving policies that specify which data is to be archived, how frequently archiving runs, and how long archived data is retained. If internal or external requirements change, the data retention policy can quickly and easily be updated, automatically adjusting the retention period on all applicable records
- Apply litigation holds for specific records to prevent change or deletion in the event of any investigation
- Assign role-based access controls and granular permission sets to ensure users are granted the right level of access to archived data and functions
- Own delivers secure, high-availability storage with server-side encryption backed by a key management service. Customers can also add the optional bring-your-own-key or key management system (BYO KMS) service to encrypt and decrypt their archived data
- Easily manage right-to-be-forgotten requests by defining purge policies that immediately remove records, or by using the Right to Be Forgotten software development kit (SDK)
Request a demo today to learn more about Own and how we can help you achieve CPRA compliance.