With the passing of California’s Proposition 24 in late 2020, the state updated its groundbreaking California Consumer Privacy Act (CCPA), providing additional clarification around terms and responsibilities. The newly designated California Privacy Rights Act (CPRA) takes the original law and incorporates several changes, establishing a holistic approach to data security and privacy. Most notably, The CPRA established a new agency, the California Privacy Protection Agency, tasked with enforcing compliance. As you navigate what the CPRA means for your organization, you should consider how the law now incorporates security as well as privacy.
The original text of the CCPA focused primarily on consumer rights. However, the CPRA strategically changes Section 1798.100, replacing the language granting consumers rights with “General Duties of Businesses that Collect Personal Information.” The law further expands to include third-party service providers who contract with the primary businesses collecting data.
Most significantly, section 100 incorporates new language stating that businesses collecting consumers’ personal information “shall implement reasonable security procedures and practices.” By changing section 100 and establishing a general duty, the CPRA extends the implied duty listed in the original CCPA.
Additionally, the CPRA reinforces this change by defining “security and integrity” as:
the ability: (1) of a network or an information system to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information; (2) to detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions, and to help prosecute those responsible for such actions; and (3) a business to ensure the physical safety of natural persons.
These two changes, although seemingly insignificant on the surface, create several new compliance requirements for businesses that collect customer information. Organizations need to proactively monitor their networks and information systems to detect security incidents. Additionally, they need to help prosecute responsible parties, which requires them to maintain documentation.
The CPRA clarifies the duties that service providers and vendors owe to consumers. Under the CCPA, businesses were required to direct service providers and contractors to comply with consumer requests. The CPRA incorporates language that clearly defines third-party responsibilities.
Across the new legislation, service providers and contractors are required to help businesses with whom they contract to respond to consumer requests. However, the law focuses on the contractual relationship that service providers and contractors have with businesses.
For example, section 1798.130(3)(A) specifically adds the following:
A service provider or contractor shall not be required to comply with a verifiable consumer request received directly from a consumer or a consumer’s authorized agent... to the extent that the service provider or contractor has collected personal information about the consumer in its role as a service provider or contractor. A service provider or contractor shall provide assistance to a business with which it has a contractual relationship with respect to the business’s response to a verifiable request.
Under the CPRA, service providers and contractors need to respond to businesses but not consumers. Nearly all language in the updated regulation focuses on these contractual obligations, placing the primary burden of responsibility on companies who need to ensure that their service level agreements incorporate the appropriate language.
Under the CCPA, the Attorney General was the only enforcement avenue while the CPRA has created an agency dedicated to enforcing the law. Under the CPRA, the CPPA shares the enforcement responsibility with the Attorney General.
From a practical perspective, establishing an agency removes the litigious red tape and legal arguments that could stall enforcement. By changing from “civil penalties” to “administrative fines,” the CPRA streamlines the process. Typically, agencies are given broad powers to investigate, set standards, and enforce requirements.
This shift accelerates enforcement that would otherwise be stalled through legal appeals and processes.
In regards to encryption, the CPRA makes a slight but important change. Section 1798.150 sets out the requirements for citizens looking to file a civil action. The CCPA, and now CPRA, is the first regulation that allows consumers to sue companies for failing to appropriately protect data privacy.
The CPRA updated section 1798.150, with changes highlighted in bold and italics, is as follows:
1798.150. Personal Information Security Breaches
1798.150. (a) (1) Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address in combination with a password or security question and answer that would permit access to the account, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
Under the CCPA, the first line read “nonencrypted or nonredacted.” Under the CPRA, the line reads “nonencrypted and nonredacted.” In other words, under the CCPA, organizations could choose to either encrypt or redact, but now they need to do both in order to be safe from a civil lawsuit.
This change reinforces encryption’s importance as a security control. To prevent civil lawsuits, businesses need to ensure that they both encrypt and redact information. Redaction without encryption and encryption without redaction are no longer considered appropriate privacy controls on their own.
While businesses need to comply with the already enforceable provisions under the CCPA, they have a limited grace period before meeting the new CPRA requirements. Most provisions of the CPRA will take effect on January 1, 2023; however, the expanded “Right to Know” requirements will apply to data collected on or after January 1, 2022.
Atakama’s user-friendly encryption solutions enable organizations to establish and enforce encryption across endpoints and file storage locations. When a user opens an encrypted file, our solution sends a one-tap push notification, requiring authorization from a user's device to decrypt the file. Users can also maintain control over files that they send to third-parties, such as contractors, ensuring they always know who accesses sensitive information and maintain control over whether the individual should access the data.
For more information about how Atakama can help your organization protect sensitive consumer information, contact us for a demo today.