In 2018 California became the first US state to give consumers new tools and rights under the California Consumer Privacy Act (CCPA). In the November 2020 election, voters approved Prop 24, the California Privacy Rights Act (CPRA), which created the California Privacy Protection Agency and goes into effect in 2023.
Much new consumer privacy legislation has emerged over the last few years. All fifty states now have at least some form of consumer privacy legislation, with California, Colorado, Virginia and New York having the most active and comprehensive laws thus far. Given voters' and legislators' growing privacy concerns, state privacy laws will likely continue to evolve rapidly.
In the fall of 2020, ~55% of California voters approved Proposition 24, the California Privacy Rights Act (CPRA), as an expansion of the California Consumer Privacy Act (CCPA). The law becomes operative on January 1, 2023, and covered organizations need to prepare for a couple of critical changes in CCPA compliance for 2022. Notably, when CPRA goes into full effect on January 1, 2023, it will apply to all data collected as of January 1, 2022.
Effectively, the CPRA brings the CCPA up to par with GDPR and beyond with the consumers' privacy-right-of-action provision. To maintain compliance, organizations should conduct a privacy risk analysis considering new and existing requirements. Based on assessment results, draft or update security controls, privacy policies, protocols, procedures and training appropriately.
Most organizations do not have the internal bandwidth or expertise to develop and manage privacy operations independently. A good consultant can save time and streamline the process by tailoring the privacy scope to fit your organization.
Truvantis has the experience to examine privacy policies, protocols and procedures the same way regulators and class action attorneys do. Our experienced and accredited team has the competence and expertise to drive effective privacy management in your organization.
We have helped hundreds of organizations build robust cybersecurity programs to address the challenges of conveying complex security and privacy concepts with clear policies, procedures, training and outward-facing documentation. Ready to get started? Contact Truvantis to schedule a privacy workshop customized for your organization.
Effective January 1, 2023, the fast-approaching California data privacy law, CPRA, is the latest California state law intended to strengthen consumer privacy rights while considering the operational interests of businesses. The Act establishes that consumers have a right to know, control and protect their personal information. Central to the law are terms that allow legislators to strengthen privacy rights over time while prohibiting any amendments that weaken California's consumer privacy.
In the event of a data breach where an organization is found to violate its duty to maintain reasonable security and privacy procedures and practices, any consumer whose PI or email and password were stolen may institute a civil action to:
CPRA effectively gives consumers the right to opt out of cross-context behavioral advertising. This is the familiar experience where you buy something or click on something, and suddenly you are bombarded with items related to your information characteristics.
CPRA applies to PI data collected on and after January 1, 2022. The first thing an organization should do is determine what PI it plans to collect, store or process that is subject to the new law. Next, conduct an internal privacy assessment and update privacy policies, protocols and procedures as needed. Changes in the law must be reflected in the collecting and processing of all PI as of January 1, 2022.
CPRA has an expanded definition of "Personal Information," which includes:
Any persistent identifier which can be linked to a consumer or family over time and across different services, including but not limited to:
Last month on September 22, the CPPA announced its invitation for public comment as part of its preliminary activities in the rule-making process. The deadline for comments is Monday, November 8, 2021. While the committee welcomes comments on any CCPA/CPRA rules or the rule-making process itself, they specifically ask for commentary on potentially controversial new concepts in the law. Here are a few of the more interesting topics:
Read the full text: https://cppa.ca.gov/regulations/pdf/invitation_for_comments.pdf
The rule-making process is in progress for CPRA. Some of the finer technical details still need to be worked out before the due date of July 1, 2022. Following California, Colorado and Virginia also have active consumer privacy laws. There are active bills in play in Massachusetts, Minnesota, New York, North Carolina, Ohio and Pennsylvania. Much is likely to change in the legal privacy landscape in the coming year. These laws are all based on the same basic consumer rights principles, each with nuances and exceptions. Other states are sure to follow with their own proposals.
CPRA's new rules apply to the relevant data processing as of January 2022. How can your organization prepare? With so many other recent laws emerging, how can an organization effectively address them all at once?
Don't try privacy compliance one regulation at a time. Instead, build a risk-based central privacy program capable of supporting the entire matrix of international, federal and rapidly changing state laws and regulations to which businesses may be subjected. Truvantis can help simplify the problem and tailor your privacy management to only what you need for the scope of your business operations.
We have helped hundreds of organizations address the challenges of conveying complex privacy concepts with clear outward-facing documentation.
We have the expertise to examine from both a technical and legal compliance lens and manage any projects required to fill any gaps. Our team is not only good at what they do; they are also recognized leaders in the industry.
We do everything.
Unlike so-called boxed solutions, which only give you checklists, templates, basic instructions and video training and then leave you with the work, Truvantis can also do the hard work for you, simplifying the nuances of interpreting regulations in the context of your environment and assessing the effectiveness of privacy controls.
We work with your vendors, third-party service providers, and stakeholders from IT, information governance, compliance, security, legal and discovery departments. We do everything for you, from training, risk assessment, data-flow mapping, document preparation and technology integration to guiding compliance audits.
The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you select and track which requirements are applicable. We can help build a solid central privacy program capable of supporting the entire matrix of international, federal and rapidly changing state laws and regulations to which businesses may be subjected.
Contact Truvantis for more information and to start your pre-audit consultation.