The California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”) grant California residents arguably the most comprehensive privacy rights in the United States. The CCPA was enacted in 2018, and the CPRA was passed in 2020 as an amendment to the CCPA. In other words, the CPRA does not replace the CCPA; it expands it. Accordingly, the CPRA is often referred to as “CCPA 2.0.”
The scope of data protection is a significant difference between the CCPA and CPRA. The CCPA covers businesses that have an annual gross revenue of $25 million, collect data on at least 50,000 households, or obtain at least 50% of their revenue from selling personal information. The CPRA extends the coverage to businesses that have an annual gross revenue of $25 million, collect data on at least 100,000 households, or obtain at least 50% of their revenue from sharing personal information.
The CPRA also addresses what many saw as two significant limitations of the CCPA: one, the absence of a specialized enforcement authority; and two, the absence of detailed guidance advising businesses on how to comply with the law. In response, the CPRA created a new agency, the California Privacy Protection Agency (“CPPA”), to replace the California Attorney General’s Office, which was previously responsible for enforcing the law. The CPPA will be responsible for providing compliance guidance, as it is expected to have more privacy expertise and resources than the Attorney General’s Office. Moreover, the CPPA will have the authority to pass further regulations, conduct investigations, and impose fines for violations of the CPRA.
The CCPA was passed to provide California residents with certain rights regarding their personal information. It defines personal information as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes the following categories:
1. Identifiers: such as name, address, email address, social security number, driver’s license number, passport number, and IP address.
2. Customer records: This refers to any personal information that is obtained from a customer, such as purchase histories, customer service inquiries, and account information.
3. Commercial information: This includes any information that is used in the course of conducting business, such as transaction histories, product preferences, and purchase histories.
4. Protected classifications: This includes any information that pertains to characteristics that are protected under state or federal law, such as race, ethnicity, gender, and disability status.
5. Internet or other electronic network activity: This includes any information collected through a consumer’s use of the internet or other electronic networks, such as browsing histories and search histories.
A significant addition to the above is the CPRA’s inclusion of “sensitive personal information,” which is defined as information that reveals a consumer’s social security number, driver’s license number, passport number, financial account information, precise geolocation, race or ethnicity, religious or philosophical beliefs, union membership, personal communications, genetic data, biometric information, or health information.
The CPRA also expands the CCPA to provide additional rights to California residents regarding their personal information, such as the right to opt out of the sale or sharing of their personal information, the right to access their personal information, and the right to request that their personal information be deleted.
The CPRA introduces a new requirement for businesses to provide consumers with a “notice at collection” that includes more detailed information about the categories of personal information collected, the purposes for which the information will be used, and the categories of third parties with whom the information will be shared. This notice must be provided at or before the time of collection and must be easily accessible to consumers.
This notice at collection requirement is designed to provide consumers with more transparency about how their personal information is being collected and used and to allow them to make informed decisions about whether to share their information with a business. Businesses must ensure that their notice at collection is clear and concise and provides consumers with all the information they need to make an informed decision.
The CCPA gives California residents the right to know what personal information businesses collect about them. The CPRA expands this right by requiring businesses to provide more detailed information at the time of collection or before. For instance, a business must display a privacy policy describing what types of personal information it collects from California residents, including names, addresses, and other identifying information. Moreover, businesses must provide California residents access to their personal information upon request. More specifically, a business must disclose what personal information the business holds about the resident and how such information was collected, sold, or disclosed in the preceding 12 months.
Under the CCPA, businesses are required to provide California residents with the right to request that their personal information be deleted. This right is also known as the “right to be forgotten.” The CPRA builds upon this right and expands it to cover the sensitive personal information category described above.
However, this right to personal information deletion is not absolute. For example, businesses may legally retain certain personal information where the business is legally required to do so. Additionally, businesses may be able to deny a deletion request if the personal information is necessary for the business to provide its products or services to the consumer.
The CPRA also addresses the issue of data sharing and selling. The CCPA allows businesses to sell and share personal information under certain circumstances, but does not require them to obtain opt-in consent from consumers. The CPRA changes this significantly, as it now requires businesses to obtain opt-in consent from consumers before selling or sharing their personal information.
Accordingly, businesses must provide a clear and conspicuous link on their website titled “Do Not Sell or Share My Personal Information” that directs consumers to the opt-out mechanism. Once a consumer submits an opt-out request, the business must stop selling or sharing the consumer’s personal information with third parties. The business must also inform any third parties that received the consumer’s personal information that the consumer has opted out. The third parties must stop using the information for commercial purposes upon such notice.
Under the CPRA, California residents now have the right to request that businesses correct inaccurate or incomplete personal information the business may hold on them. Moreover, if the business has shared any incorrect personal information with third parties, it must inform these parties of the correction request and take steps to correct the information with them as well.
Under the CPRA, California residents have the right to request that businesses restrict the use of their sensitive personal information. Businesses must also ensure that third-party service providers with access to personal information comply with any restriction request.
Overall, the CPRA represents a significant expansion of the privacy protections provided by the CCPA. With its broader scope of coverage, enhanced enforcement, and additional privacy rights, the CPRA is likely to have a more profound impact on the privacy practices of businesses operating in California. As such, businesses operating in California should carefully review their privacy practices and ensure compliance with the new requirements introduced by the CPRA to avoid potential fines and legal liability.
Some key measures that businesses can take to comply with the CCPA include:
1. Updating privacy policies: Businesses should update their privacy policies to ensure that they are in compliance with the CCPA’s requirements for transparency and disclosure.
2. Implementing opt-out mechanisms: Businesses must provide California residents with the option to opt out of the sale of their personal information.
3. Establishing data security protocols: Businesses must implement reasonable security measures to protect personal information from unauthorized access or disclosure.
4. Responding to consumer requests: Businesses must be prepared to respond to consumer requests regarding their personal information, including providing access to personal information and deleting personal information upon request.
In today’s world, privacy has become a critical concern for individuals and businesses alike. With the increasing prevalence of data breaches and cybersecurity threats, protecting personal information has become a top priority for organizations across all industries. For this reason, it is essential to appoint a privacy officer to oversee the organization’s privacy policies and procedures.
A privacy officer is responsible for ensuring that an organization’s handling of personal information is in compliance with applicable laws and regulations, as well as industry standards and best practices. This includes developing and implementing privacy policies and procedures, conducting privacy risk assessments, and providing training and education to employees on privacy-related matters. By appointing a privacy officer, organizations demonstrate their commitment to protecting personal information, which can enhance their reputation and earn the trust of customers and stakeholders.
Advisori privacy officers assist our clients with data protection regulation/legal compliance by doing the following:
1. Conducting a privacy risk assessment: This involves identifying and assessing the risks associated with the processing of personal information. During the assessment process, we identify the types of personal information your organization processes, the purposes for which it is processed, and the risks associated with that processing.
2. Developing policies and procedures: Based on the findings of the privacy risk assessment, we develop policies and procedures that address the identified risks. These policies and procedures outline how personal data is processed, who has access to it, and how it is protected.
3. Providing training and awareness: All employees should be trained on the importance of data protection and the organization’s policies and procedures. Our training programs educate our clients’ employees on proper personal information handling practices to ensure that they remain up-to-date on the latest regulations and best practices.
4. Conducting periodic audits: Our privacy officers can conduct regular audits to ensure that the organization is complying with its policies and procedures. These audits are designed to identify any areas of non-compliance and provide recommendations for remediation.
5. Responding to breaches: In the event of a data breach, our well-experienced privacy officers are able to take immediate action to contain the breach and minimize its impact. This may involve notifying affected individuals, regulators, and law enforcement, as well as implementing measures to prevent similar breaches from occurring in the future.
– Protecting the organization from data breaches and fines;
– Building trust with customers and stakeholders;
– Staying ahead of changing privacy regulations; and
– Enhancing the organization’s reputation.
Any business collecting or processing personal information should be aware of the crucial role a privacy officer plays in protecting personal data and complying with data protection regulations. By taking these steps and implementing best practices, the business minimizes the risk of data breaches and protects the privacy of individuals. Beyond the legal and regulatory benefits a privacy officer provides, appointing one and following the steps outlined above demonstrates an organization’s commitment to safeguarding individual privacy. This, in turn, helps build trust and confidence in your organization, which can ultimately lead to increased success and growth. So, consider appointing a privacy officer for your organization today and invest in protecting the privacy of your customers and stakeholders.
Contact us at info@advisori.com to learn more.
The first pillar of a strong data protection/privacy program is an effective data discovery and classification capability. The bottom line is, you have to know your assets in order to properly protect them.
In addition to the data protection benefits of data mapping, this exercise is often required by law. For instance, the EU’s General Data Protection Regulation (GDPR) requires covered entities to create what is known as a “Record of Processing Activities (ROPA).” More specifically, Article 30 of the GDPR requires a “data controller” to “maintain” a ROPA that identifies the following elements:
The bottom line is, the ROPA is an important undertaking as it gives companies a complete inventory of their data processing and provides an overview of precisely how personal data is being handled. From a practical standpoint, an accurate, updated, and comprehensive ROPA helps companies remain legally compliant, thereby helping them avoid sanctions, fines, or penalties that might be otherwise imposed under the GDPR.
Advisori understands that the development and maintenance of a ROPA, even for the smallest enterprise, is a significant undertaking. However, as data privacy laws grow and evolve (e.g., GDPR, CCPA/CPRA), we believe that best practices dictate that even companies not required to build a ROPA would benefit from doing so as part of overall risk mitigation. As specified above, the process of building the ROPA requires a company to investigate and discover, with precision, the types and volumes of the data it holds and related data-processing activities, cross-border data transfers, and data retention schedules. From there, companies must document their legal basis for collecting and processing all personal data they hold. Finally, they must accurately document what they are doing to protect such personal data.
We provide our clients with the necessary people, process, and technology to efficiently build and, just as importantly, maintain an accurate, comprehensive, and current ROPA. Our DPOs have extensive experience building and maintaining ROPAs for businesses in all industries, operating around the world. Moreover, Advisori has partnered with Securiti.ai to provide our clients with the most advanced data mapping automation technology in the industry. Combining this technology with our mature and robust data mapping processes, our DPOs start with the creation and dissemination of user-friendly electronic assessments custom-tailored for our clients. These assessments allow us to quickly and efficiently identify business assets, vendors, and institutions holding or processing personal data. From there, we scrutinize company assets for a precise and current data inventory and map these assets to processing activities. Where appropriate, we further assess each asset for privacy risks, which we then quantify and document, thereby allowing us to implement effective risk mitigation strategies.
When considering what a ROPA really is, one might surmise that this knowledge already exists organizationally and is readily available. That may be true for some companies; however, this critical information is typically siloed and lives within multiple knowledge bases, which are neither centrally maintained nor refreshed on a regular basis. Therefore, from a company perspective, automated data discovery and ROPA development just makes good business sense, irrespective of whether or not a regulatory body mandates it. Also, as consumers grow increasingly savvy and more “data-privacy conscious,” the smart play is to get in front of this now.
Contact the Advisori Team: we can get this process underway, and give you the people and tools you need to maintain compliance.
This fall begins a new journey for businesses transferring personal data outside the European Economic Area (EEA). On June 4, 2021, the European Union’s executive branch, the European Commission (“EC”), released its highly anticipated new and updated Standard Contractual Clauses (“SCCs”). The EC’s new SCCs are the result of the Court of Justice of the European Union’s (“CJEU”) Schrems II decision, which ultimately invalidated the “EU – US Privacy Shield” – a mechanism designed to regulate the flow of personal data from the EEA to “third countries” such as the United States.
Under Article 45 of the General Data Protection Regulation (“GDPR”), personal information can only be lawfully transferred to third countries that the EC has determined to have “adequate” privacy safeguards. Currently, this list includes just 13 countries, and the U.S. is not one of them due to U.S. government surveillance laws. Instead, to facilitate commerce, the European Union and U.S. government agreed to the Privacy Shield framework. Until the CJEU’s Schrems II ruling, U.S. companies could self-certify under the Privacy Shield framework, allowing them to receive personal data transfers from the EEA. Prior to the Schrems II decision, the Privacy Shield and SCCs were the most commonly used data transfer mechanisms by U.S. companies.
Standard Contractual Clauses (SCCs)
SCCs are standard sets of contractual terms and conditions approved by the EC to which both the data “exporter” and data “importer” of EEA personal information must agree before personal data can be transferred outside the EEA to third countries without adequacy decisions. SCCs have been in existence since 2001 and were amended first in 2004 and then again in 2010. The old SCCs were separate agreements: one for data transfers from controllers to controllers and one for transfers from data controllers to data processors. Many will find the new SCCs more user-friendly, as they are contained in one document consisting of four “modules”: transfers from controller to controller; transfers from controller to processor; transfers from processor to processor; and transfers from processor to controller.
In addition to the new SCCs format, this new version incorporates Article 28 of the GDPR (the old SCCs were developed under the General Data Protection Directive – the GDPR’s precursor). Article 28 sets forth “technical and organisational measures” required for the transfer of personal information from controllers to processors and from processors to sub-processors. Under the new SCCs, the parties no longer need additional data processing agreements for data transfers to data processors.
Transfer Impact Assessments
While the CJEU did uphold the use of SCCs, the Court warned that the use of this data transfer mechanism alone was not sufficient – data controllers are still required to conduct a data Transfer Impact Assessment (“TIA”) – a case-by-case assessment of all cross-border transfers to ensure that the data protection requirements set forth in the SCCs can actually be met. Article 14 of the SCCs lays out the TIA criteria, such as considerations of: 1) the “specific circumstances of the transfer” (e.g., categories and format of personal information, the number of individuals involved, type of data recipient, the purpose of processing, etc.); 2) the data laws and practices of the third country of destination; and 3) any supplemental data safeguards needed to ensure compliance with the SCCs’ data protection requirements, such as additional contractual, technical, or organisational safeguards. Also critical to compliance, the data exporter must document its TIAs and make them available to the relevant supervisory authority when requested.
Supplemental Measures
Should the TIA conclude that the recipient third country’s legislation impinges on the effectiveness of the Article 46 GDPR data transfer mechanism, data exporters must identify and rely upon supplementary measures, as mentioned above, to ensure that personal information is sufficiently safeguarded. For instance, the data exporter may install technical safeguards like data encryption or pseudonymization. The data exporter may also add additional contractual safeguards on the data importer such as requiring additional technical safeguards or requiring it to submit to audits. Finally, the data exporter may rely on organizational measures to enhance data transfer protections such as data transfer policies and procedures and data minimization/purging policies.
New SCCs Enforcement Timeline
The old SCCs were repealed on September 27, 2021, meaning that all new cross-border data transfers must now be governed by the new SCCs. All existing SCCs will remain in effect until December 27, 2022 (and must be updated by that date).
How Advisori Can Help
Advisori has seasoned professionals who know the GDPR, understand the Schrems II decision, and have completed cross-border data inventories, data TIAs, and SCCs for EEA exporters and U.S. importers of personal data.
SCCs Related Services
Please contact us at info@advisori.com to learn more.
United States
1640 Boro Place, 4th Floor
McLean, Virginia 22102
(703) 977-1617
United Kingdom
18 Soho Square
London, W1D 3QL.
+44 20 8138 9983
Copyright 2023 Advisori.com