    Understanding the CPRA: Protect Sensitive Personal Information and Maintain Compliance

    Understanding CCPA/CPRA Compliance: Empowering Consumer Privacy and Business Responsibility

    by Emily Schwenke

    Key Points

    • Explore the foundational rights under the CCPA/CPRA, including access, deletion, opt-out options, and the newest protections like data correction and limitation of sensitive data use.
    • Learn how businesses can address challenges like data governance, insider threats, and regulatory compliance to safeguard personal information effectively.

    The CCPA/CPRA is a set of regulations designed to give California residents more control over their personal information and how businesses may collect and use it. The California Consumer Privacy Act of 2018 laid out initial guidance, and the California Privacy Rights Act, passed by voters in 2020, amended and expanded the CCPA. In this article, we’ll discuss these important regulations, and the responsibilities businesses have to consumers for CCPA/CPRA rights and privacy practices.

    What is the California Privacy Rights Act (CPRA)?

    The landmark law began with the CCPA in 2018, securing more robust privacy rights for consumers in California. The basic pillars of the law are centered on consumers’ consent, and include:

    • The right to know: Consumers have a right to know exactly what personal information a business collects about them, and how that business uses and shares that data.
    • The right to delete: Consumers have a right to have their information removed from a business’s databases at their discretion (with some exceptions).
    • The right to opt-out: Consumers can opt out of the sale or sharing of their personal information by the business.
    • The right to non-discrimination: If a consumer exercises any of these rights under the CCPA, they have the right not to be discriminated against by the business or its service providers.

    In 2020, additional privacy protections were voted into effect under the California Privacy Rights Act (CPRA), amending the CCPA. They include:

    • The right to correct: Consumers have a right to have inaccurate personal information corrected.
    • The right to limit: Consumers may limit the use and disclosure of their sensitive personal information.

    Organizations that are subject to the CCPA/CPRA must respond to consumers who exercise these rights, and must deliver notices explaining their privacy practices. The CPRA is not a whole new law but an amendment to the existing CCPA, so the two are often referred to as one law, or as CCPA/CPRA.

    The CPRA also established the California Privacy Protection Agency, an enforcement administration with the power to implement and enforce the CCPA as needed.

    Who does the CPRA apply to?

    CPRA applies to for-profit businesses and service providers that do business in California and meet at least one of the following thresholds:

    • Have annual gross revenues over $25 million.
    • Buy, sell, or share personal data of 100,000 or more consumers or households.
    • Derive 50% or more of annual revenue from selling or sharing personal information.

    Importantly, the CPRA also covers contractors and service providers that process data on behalf of covered businesses, making vendor management and risk assessments an integral part of compliance programs.

    What's the difference between the CCPA and the CPRA?

    While the CCPA introduced groundbreaking consumer privacy protections, the CPRA strengthened and expanded those rights. Key differences include:

    • Scope of Personal Data: CPRA adds a new category for "sensitive personal information," giving consumers the right to limit its use.
    • Stronger Enforcement: The CPRA created the CPPA, an independent agency dedicated to enforcement and issuing new privacy regulations.
    • Data Retention Rules: Businesses must inform consumers how long their data will be retained and implement formal data retention policies.
    • Expanded Consumer Rights: Data correction and sensitive data limitation rights were introduced, increasing privacy management responsibilities.
    • Contractual Obligations: CPRA imposes stricter requirements on agreements with service providers, contractors, and third parties, requiring them to follow CPRA standards for data processing.

    New CPRA regulation requirements

    Compliance now includes several additional obligations beyond the CCPA’s requirements. These include:

    • Risk Assessments: Businesses engaged in high-risk data processing must conduct and document periodic assessments of their processing activities.
    • Cybersecurity Audits: Certain organizations must undergo regular audits to demonstrate effective security controls.
    • Data Minimization & Retention: Only the personal information necessary for the stated purpose may be collected, and data retention periods must be clearly communicated.
    • AI Governance: As businesses deploy machine learning and AI tools, CPRA anticipates the need for AI governance frameworks to prevent misuse of personal information.

    Framework for CPRA compliance

    Organizations can benefit from a structured compliance checklist to meet CPRA obligations efficiently. A strong framework typically includes:

    • Data Inventory & Mapping: Identify all personal and sensitive data, its location, and how it flows through systems.
    • Privacy Policy Updates: Ensure privacy notices disclose data access, data retention, and consumer rights in plain language.
    • Contract Review: Update agreements with service providers to include CPRA-mandated terms for data processing.
    • Privacy Management Technology: Implement privacy management tools for intake and tracking of consumer requests.
    • Training & Awareness: Conduct employee education on privacy law obligations and insider threat prevention.
    • Monitoring & Reporting: Use dashboards to measure compliance progress and prepare for potential CPPA audits.

    What qualifies as “sensitive personal data” under the CPRA?

    The following categories are qualified as “sensitive personal information” under the CPRA:

    • Government identifiers: Government-issued identification numbers such as social security numbers, driver’s license numbers, state identification card numbers, or passport numbers.
    • Account information: Account log-in credentials, financial account numbers, debit or credit card numbers, security codes, access credentials, passwords, etc.
    • Geolocation data: Information like IP address, GPS location data, RF data, and Exchangeable Image File Format (EXIF) data, which can produce geographic coordinates to determine a physical location.
    • Racial or ethnic origin or immigration status.
    • Philosophical or religious beliefs.
    • Union membership.
    • Consumer correspondence: Such as mail, email, and text message contents (unless the business is the intended recipient of the communication).
    • Biometric or genetic information: Data that can uniquely identify a consumer.
    • Health and sexual orientation: Personal information concerning a consumer’s health, sexual orientation, or sex life.

    More broadly, information that identifies, links to, or could reasonably relate to a consumer’s household, preferences, characteristics, or behavior falls within the categories of personal information.

    The CPRA is designed to give consumers the right to limit the use and disclosure of their personal information to what is necessary for businesses to provide their goods and services. These businesses must provide a clear link on their website homepages where consumers may click to “Limit the Use of My Sensitive Personal Information” and exercise their CPRA rights.

    Why do businesses need to protect personal information?

    There are several crucial reasons sensitive personal information must be protected.

    1. Trust and customer loyalty: Not only does protecting sensitive personal data help build and maintain trust with customers, but it also safeguards their data in the event of a breach, protecting consumers from identity theft. Consumers are also more likely to engage with companies that protect their information, which fosters positive relationships.
    2. Legal compliance: Data protection is required by law. More than the CCPA/CPRA, further regulations include the General Data Protection Regulation (GDPR) in the European Union, HIPAA, HITRUST, PCI DSS, and more. Organizations may avoid legal penalties for violations when they operate within the regulatory framework of data privacy laws.
    3. Minimizing risks and costs: Effective data protection minimizes the risk of data breaches, which can result in fines, legal fees, and the expense of resolving the breach. Businesses may also face significant financial losses from business continuity disruptions.
    4. Reputation management: When data breaches occur, an organization’s reputation suffers and it loses consumers. Robust data protection measures help prevent breaches and minimize the negative publicity that results from mishandling consumers’ sensitive data.

    If a breach occurs, the consequences may be severe.

    • Penalties and fines: Non-compliance with data protection laws can mean hefty fines for the organizations responsible. CCPA/CPRA penalties have a cap of $7,500 per intentional violation and $2,500 per unintentional violation. That may seem low, but each piece of consumer data can count as a single violation. In a data breach where thousands of data points are compromised, the penalties can quickly grow large.
    • Lawsuits: Individuals or groups affected by breaches may file lawsuits against businesses that do not protect their data. These legal actions can become expensive and time-consuming, as well as damaging to a company’s reputation.
    • Operational disruptions: In some cases, data breaches can cause business continuity problems while the source of the breach is managed. Productivity lost during this time is costly, as are the additional expenses of data recovery and potential system repairs.
    • Loss of consumer trust: Breaches can lead to clients canceling contracts or consumers deciding to shop elsewhere, where their data may be more secure. If enough of a company’s business leaves for more secure pastures, it can be detrimental to the business as a going concern.

    The consequences and penalties of failing to properly safeguard sensitive personal information can be significant, beyond simply violating CCPA/CPRA. While these regulations are intended to shield consumers’ personal information, they’re also a way for businesses to reassure their customers that they’re operating secure and ethical businesses.

    Challenges with protecting sensitive personal data

    Protecting consumers’ sensitive personal information is a complex undertaking, particularly in today’s fast-paced digital landscape. These are some common challenges organizations may encounter when working toward compliance.

    Lack of awareness of personally identifiable information (PII)

    Many businesses struggle with gaining complete oversight of the PII they possess, including where it’s stored and how it’s used. Lack of visibility can leave gaps in PII protection.

    Cloud migration complications

    Businesses may lose track of or access to data they’re migrating, resulting in:

    • Incomplete data transfers.
    • Orphaned data in legacy systems.
    • Inconsistent security measures between on-premises and cloud systems.

    High volumes of data

    The volume of collected data can grow exponentially. The challenges this presents include:

    • Implementing security measures across all data sets.
    • Efficiently managing and monitoring the data.
    • Properly classifying and handling the data.

    Poor data governance practices

    With large data sets and high storage volumes comes difficulty overseeing data governance, which can lead to:

    • Inconsistent data mapping between departments.
    • Insufficient quality controls of the data.
    • Lack of clear roles and responsibilities for data management.

    Insecure data sharing in communication platforms

    Many businesses use collaboration tools to unify diverse workforces. Communications in these tools can involve data sharing that doesn’t adhere to acceptable use policies for data security. This results in:

    • Accidental exposure of sensitive information.
    • Difficulty tracking and controlling data flow.
    • Greater risk of data leaks through unsecured channels.

    Evolving regulations

    As the digital world evolves, so do the data protection regulations that govern it. Keeping up with regulatory changes across many jurisdictions can be a challenge, particularly for organizations that operate globally. Continuing employee education can help mitigate exposure, but it’s an ongoing process.

    Insider threats

    Every employee and contractor with access to PII and other sensitive data is an endpoint for a potential breach or exposure, either through malice or negligence.

    Third-party risk management

    Keeping data secure when contracting with vendors and external partners who have access to sensitive data can be a challenge, particularly when access involves multiple devices.

    Balancing security with usability

    Implementing strong security measures while maintaining user-friendly systems and workflows is a constant challenge for many organizations. Information security officers must balance data protection measures against usability, since controls that are too restrictive can push employees toward shadow IT.

    Addressing these challenges requires a multi-faceted approach to data protection, including regular employee training, technological solutions, and a workplace culture of security awareness.

    Impact of CPRA

    The CPRA has far-reaching effects on both businesses and consumers. For businesses, it raises expectations for data governance, formalizes GDPR-like principles (such as data minimization), and elevates privacy to a boardroom issue. For consumers, it means increased transparency, stronger control over personal data, and the ability to limit how organizations use sensitive personal information.

    In practice, CPRA compliance helps reduce the risk of breaches, supports risk assessments, and aligns businesses with global privacy regulations, making it easier to operate across jurisdictions. While meeting these obligations requires time and investment, it also builds trust and improves long-term customer relationships.

    Ensure CPRA compliance with Mimecast

    Mimecast Aware offers real-time compliance for complex collaboration ecosystems that closes the gaps many legacy platforms leave open. Organizations can ensure CCPA/CPRA compliance with Aware through robust information governance, monitoring from a centralized platform, and industry-leading NLP and federated search to support internal investigations.

    With Mimecast's data governance and compliance monitoring solutions, companies can maintain ongoing compliance with data-sharing practices that:

    • Integrate with your existing collaboration tools without impacting end user experience.
    • Save time and resources with proprietary AI/ML models that ensure fewer false positives, reducing alert fatigue.
    • Allow IT and security teams to customize rules and policies to track violations.
    • Automatically address violations with real-time employee coaching.
    • Preserve the content surrounding a policy trigger so you can understand the full context.
    • Use role-based access controls (RBAC) and audit trails to prevent violations.
    • Help limit and lower reliance on shadow IT solutions.

    By partnering with Mimecast, you can ensure your data security meets all CCPA/CPRA and other necessary regulations. Request a demo to get started today!