On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect, regulating the acquisition and use of personal information and data breaches in the state.
The California Privacy Rights Act (CPRA) was signed in November 2020.
The CPRA strengthens the CCPA's protections for residents of California. As a result, organizations' obligations and liabilities regarding data privacy, data security, and breaches have increased. The CPRA, for example, creates a new category of data subject to regulation, modifies which the CCPA covers organizations, eliminates cure periods, and enhances penalties for non-compliance.
The CPRA strengthens the CCPA by establishing a new government body to enforce and comply with the new privacy requirements. Note that CPRA is not new legislation; rather, it enhances the current law that increases consumer safeguards and explains some of the more nebulous ccpa compliance for small business.
Having a separate CCPA agency would result in more firms complying with the law and enforcing penalties. Most significantly, it holds firms liable for what other companies do with the personal information of California residents if the former collects it and shares it with the latter.
Consider the following scenario: the law would require a company to monitor its service providers. For example, ad tech firms that process publishers' data to facilitate ad targeting ensure that they do not add California residents' data to the service provider's database of client profiles unless the company and service provider marked a contract consenting to that use.
As a result, service providers are accountable for assisting companies that collect a person's personal information in complying with requests for that information, such as the deletion of that information.
Consumers gain from CPRA since it allows them to update personal information gathered by a corporation, which benefits both companies and consumers. How? Consider a customer who corrects their purchase history data to cease receiving retargeting advertising after purchasing. The consumer benefits because they no longer receive adverts for that product, and the corporation wins because it no longer wastes money on ads that are no longer
Sensitive Personal Information (SPI) is a subtype of personally identifiable information (PII) that contains data such as login passwords, race, ethnicity, biometric data (from health trackers), and exact geolocation. SPI would be treated differently than standard PII due to the creation of this subcategory, allowing corporations to target non-sensitive information rather than losing access to all personal information for marketing purposes.
There are two adoption processes for all enterprises collecting consumer data. First, as new privacy regulations emerge and we learn more about how they are implemented, we know there are four things that all data-gathering firms must do:
Opt-ins and opt-outs should be honoured as soon as possible. Ensure your company has a mechanism in place to respond to privacy requests rapidly, and err on the side of warning when it comes to consent for data collection.
Increase the number of positive customer relationships. Clients will be conscious of the data you collect and use from them, which is a plus for organizations that value privacy and the correct handling of personal information.
We recommend speaking with your legal team to inquire about your organization's unique policy for CCPA, GDPR, and CAN-SPAM compliance.
