What to Know about California’s New Privacy Act

Without question, 2020 has been an interesting year, and with so much attention paid to the recent U.S. Presidential election, it is easy to overlook an important ballot initiative, Proposition 24, which effectively replaces the relatively new California Consumer Privacy Act (CCPA). For businesses that buy, share or utilize California resident data, this is big.

Consumer demand for privacy rights and protection of personal information continues to drive regulatory reform worldwide. For example, the General Data Protection Regulation (GDPR) mandate in Europe has redefined privacy and data protection efforts, leaving many jurisdictions, including the United States, to follow suit.

California is no different. Seeking to enhance and improve on the existing CCPA, Proposition 24, also known as the Consumer Privacy Rights Act (CPRA), gives consumers greater powers over corporate use of their sensitive personal information. Furthermore, the Act establishes a new regulatory body, the California Privacy Protection Agency, which has oversight and enforcement duties in parallel with the California Department of Justice.

There are many notable provisions in the CPRA, too many to list here. However, several novel features move the CPRA closer in line with Europe’s GDPR. Some of the standout provisions include:

  • Children’s Privacy – Fines of up to $7,500 per violation can be assessed for misuse of information of children under the age of 16.
  • Governance Requirements – New governance requirements will go into effect, including those that impact data storage, retention, distribution and processing of individual records.
  • Third-Party Relationships – Data protection provisions must now be disclosed to vendors and partners that have access to personal data.
  • New Data Categories – The CPRA also creates a new category of data to be protected, “sensitive personal information,” which expands on personally identifiable information (PII) protections to include: individual geolocation data, content of private communications, as well as genetic, health and biometric data.

For many technology, financial and other organizations dealing with big data, CPRA compliance comes down to a three-part test of whether the business:

  1. Has annual gross revenues of $25,000,000 or more;
  2. Buys, sells or shares the personal information of at least 100,000 consumers a year;
  3. Makes more than 50% of its revenue from selling or sharing personal information.

Under the CPRA, affected businesses are required to submit an annual cybersecurity audit, as well as risk assessments. This means that now, more than ever, businesses need to move from cumbersome email and spreadsheet compliance practices to streamlined and integrated compliance management and risk platforms.

One such solution to this challenge is the MetricStream Compliance Management product that simplifies and strengthens compliance with regulations across organizations, while improving visibility into control effectiveness and ensuring timely issue remediation.

MetricStream Compliance Management, built on the MetricStream M7 Integrated Risk Platform (intelligent by design), helps manage a wide range of compliance requirements, including CCPA, in an integrated manner. Policies, standards, regulations and controls are aligned, eliminating inefficiencies and redundancies. Compliance processes such as workflows, self-assessments, surveys, and issue remediation are widely supported.

Key features of MetricStream Compliance Management include:

  • Regulatory Intelligence – Capture, store, and monitor regulations with reliable and authoritative regulatory content sources. Map regulatory updates to risks, controls, and policies, and stay informed on these updates through automated notifications and alerts.
  • Compliance Environment and Process Design – Create a structured and logical internal control hierarchy, including processes, assets, risks, controls and control activities, along with appropriate linkages between these data elements.
  • Compliance Assessments and Surveys – Design and document the results of control tests or self-assessments, capture non-compliance issues, and certify the effectiveness of the controls.
  • Issue Management – Accelerate issue and remediation processes by automating workflows, notifications and reporting.
  • Dashboards and Reports – Gain comprehensive visibility into compliance management processes through graphical dashboards with drill-down capabilities.

CPRA, like GDPR, is here to stay, and businesses around the world that touch California consumer data will have to make substantive changes to their compliance programs. Although the majority of the CPRA provisions do not go into effect until January 1, 2023, a one-year “look-back provision” will govern data collected starting January 1, 2022. As many compliance professionals know, this does not give businesses much time to modify and update their workflows, policies and practices. Given this short runway to compliance, it is fair to say that we are indeed living in interesting times.
