Data compliance rules are complicated already. But IT operations teams now face greater challenges due to recently enacted compliance mandates.
The California Privacy Rights Act, or CPRA, carries broad ramifications for both California-based companies and organizations around the globe.
Read on for a primer on what the CPRA means for IT ops engineers and how to prepare to meet CPRA compliance.
What is the CPRA?
The CPRA is a California state law that voters approved in the November 2020 elections. CPRA compliance requirements take effect on Jan. 1, 2023. At that time, it will replace the CCPA, California's current digital privacy law, which went into effect in January 2020.
How is the CPRA different from the CCPA?
The CPRA retains most of the CCPA's privacy regulations, such as the requirement that businesses disclose details about which personal information they collect, and allow consumers to opt out of the sale of their personal data.
However, the CPRA exceeds the CCPA in three main ways:
- Additional consumer rights. The CPRA grants consumers several rights that are not included in the CCPA, such as the right to correct inaccurate personal information within a company's records. The CPRA also grants the right to opt out of automated personal information processing or analysis.
- Broader definition of personal data. The CPRA contains a broader definition of which types of data are considered personal, and therefore subject to regulation. In addition to overseeing personal data, such as addresses and customer records -- which the CCPA also protects -- the CPRA imposes mandates around data like religious affiliation and union membership.
- Audits. The CPRA requires companies to perform audits on their data security controls on an annual basis and to submit yearly risk assessment reports to the California Consumer Protection Agency, a new agency that California will create for CPRA enforcement.
Because the CPRA, like the CCPA, protects the personal data of California residents -- regardless of where the data is collected or stored -- any company around the world that collects data from, or about, consumers based in California will be subject to the CPRA mandates. Companies don't need a physical presence in California for the law to apply to them.
The CPRA compliance regulations also apply to data stored on any type of infrastructure, whether on premises or in the cloud. Thus, while retaining data on premises might simplify some of the CPRA mandates on data sharing and auditing, avoiding the cloud doesn't avoid CPRA entirely.
Although the CPRA doesn't go into effect until 2023, IT teams face a complex process to meet its new requirements. IT teams should start planning how they intend to comply with the CPRA well in advance -- the earlier, the better.
Maintain granular controls over data
Because the CPRA gives individual consumers a variety of rights over how their data is used -- or not used -- IT teams need highly granular controls over the data they store and manage. They must create and enforce rules that define how each individual data item they maintain can be used.
For example, if a consumer requests it, an IT team might be barred from using one particular database entry or object in a storage bucket for automated processing or analysis. IT teams must be able to flag that data to ensure its use is appropriately restricted, even when other data in the same database or storage bucket is not subject to the same restrictions.
Consequently, managing data sets collectively will not work well under the CPRA, because it's not possible to apply the same rules to an entire database or storage pool. Teams will need highly granular data management rules.
Enable data updates and modifications
Along similar lines, the CPRA's right to correction of inaccurate data requires IT teams to update individual data items reliably and efficiently. They must either give consumers direct access to the tools they need to modify personal data they deem incorrect, or establish a process through which consumers can request corrections. Either way, this mandate demands a new level of flexibility in handling existing data.
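One minimal way to express the per-item restrictions and corrections described in the two sections above, as an added example that is not from the article (the DataStore class, the flag string and the sample records are constructed assumptions):

```python
"""Per-record usage restrictions and corrections (added illustration).

Assumptions (constructed for this example): each consumer record carries its
own 'restrictions' set; the automated-analysis pipeline calls
select_for_analysis() before touching any record; every opt-out and
correction is logged so the annual audit can show what changed and when.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

RESTRICTION_NO_AUTOMATED = "no_automated_processing"  # hypothetical flag name


@dataclass
class ConsumerRecord:
    record_id: str
    fields: dict
    restrictions: set = field(default_factory=set)


@dataclass
class DataStore:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, rec: ConsumerRecord) -> None:
        self.records[rec.record_id] = rec

    def opt_out_of_automated_processing(self, record_id: str) -> None:
        # Flag only this record; neighbours in the same store are unaffected.
        self.records[record_id].restrictions.add(RESTRICTION_NO_AUTOMATED)
        self._log("opt_out", record_id, None)

    def select_for_analysis(self, field_name: str) -> list:
        """Return (record_id, value) pairs an automated pipeline may use."""
        return [
            (rid, rec.fields[field_name])
            for rid, rec in self.records.items()
            if RESTRICTION_NO_AUTOMATED not in rec.restrictions
            and field_name in rec.fields
        ]

    def correct(self, record_id: str, field_name: str, new_value) -> None:
        """Apply a consumer's correction request to one field of one record."""
        rec = self.records[record_id]
        if field_name not in rec.fields:
            raise KeyError(f"{field_name} not held for {record_id}")
        old = rec.fields[field_name]
        rec.fields[field_name] = new_value
        self._log("correct", record_id, {"field": field_name, "old": old, "new": new_value})

    def _log(self, action: str, record_id: str, detail) -> None:
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "action": action, "record": record_id, "detail": detail})
```

The point of the filter in select_for_analysis is that a restriction attached to one record never has to be expressed as a rule on the whole store, which is what the article means by granular controls.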
Modify data classification rules
Because the CPRA adds new categories to the list of personal data that must be protected, IT ops teams must expand the policies they use to identify which data is considered personal. If they use automated data discovery and classification tools, they must update the policies that control them. If they attempt to discover sensitive data manually, they must ensure engineers are aware of all types of data covered by CPRA compliance regulations.
Understand how data is used
Most existing compliance rules, including the CCPA, HIPAA and GDPR, focus primarily on controlling how data is stored and shared. The CPRA extends its mandates to include controls over how data is used, especially with regard to automated processing and analysis.
Under the CPRA, IT teams can't simply ensure that data is stored securely and shared in ways that meet compliance rules: IT ops engineers must also know which applications use any personal data that exists within their organizations' infrastructure. They also must know whether those applications perform actions that affect CPRA compliance.
Perform regular audits
Because of the CPRA's mandate on cybersecurity auditing and reporting, IT teams that previously performed security audits only for internal benefit must adjust to a more rigid auditing schedule and requirements checklist. Audits must generate the CPRA-mandated information and occur at least once per year.
Although the CPRA is similar to the CCPA in many respects, its broader scope means that meeting CPRA compliance rules requires more than the tools and processes that IT teams already have in place for CCPA compliance. They must think more openly and make greater use of automated data discovery and management tools to meet the expansive and complex requirements of the CPRA.