January 28th is Data Privacy Day, an opportunity to generate awareness concerning data privacy topics. This year, organizations must familiarize themselves with the California Privacy Rights Act. The CPRA covers consumer privacy rights and related business obligations for the collection and sale of personal information.
Although the CPRA comes into effect on January 1, 2023, one year from now, it applies to personal information collected on or after January 1, 2022, driving businesses to gain control of their data collection and processing.
Key CPRA concepts
Section 1798.140 of CPRA covers several new or updated definitions.
1.CPRA applies to businesses with over 100,000 consumers, with annual gross revenues of over $25 million, generating at least 50% of annual revenue from selling or sharing consumer personal information (PI). Extending the use of PI for sharing will require more businesses to comply.
2. The protected data has a new category of sensitive personal information (SPI). It includes:
- Government identifiers such as SSN and passport numbers
- Financial account details such as credit or debit card numbers together with the login id and password combinations
- Precise geolocations
- Content of nonpublic communications such as text messages and emails
- Race and ethnicity information, religious or philosophical beliefs, or union membership details
- Biometric information, genetic data, health information
3. Consumers have more rights to control the use of SPI. They include:
- Opt-out requirements for use and disclosure
- Opt-in requirements to facilitate changing previously selected opt-out
- Updated disclosure mandates
- Purpose limitation, storage limitation, and data minimization
4. “Processing” includes automated processes performing on PI.
5. “Pseudonymization” applies to the processing of PI in a manner no longer attributable to a specific consumer without the use of additional information, which is managed for privacy separately.
6. New and expanded consumer privacy rights now explicitly cover automated decision-making. They provide:
- Right to correction of PI
- Right to access information about automated decision making
- Right to opt-out of in automated decision-making technology, including profiling
7. For any verifiable consumer request for deleting the PI, businesses need to notify service providers or contractors to delete it from their records. They also need to notify all third parties to whom the PI is sold or shared to delete it unless this proves impossible or involves disproportionate effort.
8. The updated definition of the unique identifier addresses the changes in technology and privacy concerns. It now covers a consumer, a family, or a device linked to a consumer or family, and includes all forms of persistent or probabilistic identifiers.
While the CPRA effective date is still a year away, it’s time to be proactive and strengthen your governance sensitive data categories.
How Collibra helps
When looking for tools that help achieve CPRA compliance, consider the broader implications and plan for more stringent and more specific privacy laws. Collibra platform is built for governance, quality, and privacy, making you future-ready for any regulations by:
- Providing visibility into the sensitive data in your environment
- Minimizing risks by governing sensitive data
- Ensuring enterprise-wide compliant access to data
The Collibra business glossary is the place to capture and classify personal data assets mapped to their owners, usage, and processes. It acts as a single resource for assessing the impact of the policies and ensuring consistent efforts across the enterprise. Making regulatory definitions part of the business glossary empowers you to manage current and future regulatory requirements.
Collibra offers ML-powered classification of data assets that reduces the manual efforts to identify PI and SPI covered under CPRA. With end-to-end visibility and the full context of PI, it’s easier for you to understand the data risks and improve the effectiveness of governing data.
CPRA mandates regular submission of risk assessments about the processing of PI. Collibra provides integrated, easy-to-use, customizable privacy impact assessment templates, helping mitigate data risks. These templates are built by experts and updated regularly to reflect changes in regulations, judicial interpretations, and industry frameworks.
Maintaining records of processing
CPRA specifies record-keeping requirements of processing of PI to ensure compliance. Maintaining the records also helps businesses prepare for more regulations and scale their privacy program. Collibra platform provides for an audit trail, and you can also initiate a workflow to support documenting what, how, and why PI is used. You can augment the efforts through ML-powered data discovery to gain the full context of data and the associated processes.
As privacy regulations continue to mature across the world, using personal data in a compliant way is becoming a key corporate objective. Collibra helps organizations gain control of personal information under CPRA and also be ready for future regulations.