All eyes were on California as the California Consumer Privacy Act (CCPA) went into full enforcement in July 2020.
The Consumer Privacy Rights Act (CPRA) became law in November 2020, which will go into full enforcement in January 2023, adding some new data privacy requirements (like the right for consumers to ask the company to correct their data) and clarifying others. California now has the most comprehensive consumer data privacy laws of any state in the U.S. In 2020, we saw many CCPA related class-action lawsuits representing consumers who wanted to exercise their data privacy rights under CCPA. The three most common triggers for lawsuits under CCPA were a data breach suffered that exposed consumer data, unauthorized access to consumer data, and alleged false claims made by companies about consumer data uses.
The CCPA, now and soon, CPRA will put even more pressure on companies to identify data and be transparent with consumers and regulators about data sale, data protection, and other data uses. In 2021, businesses can embrace more mature data management control by leveraging data intelligence to locate and classify data to comply with CCPA and prepare for the more stringent parts of the CPRA, like the consumer data correction right. This article will describe three data management strategies that companies can use to better plan for CCPA and prepare for CPRA, specifically: reducing risk by embracing data governance, practicing data minimization, and implementing systems to manage data subject access requests (DSARs).
1. Embrace Data Governance
Data governance is not a new concept; however, it has gotten more attention from companies due to the U.S. passing more data privacy and data protection regulations recently. Data governance is a higher priority now because businesses need to be able to search their data to understand the data they have and eliminate redundant, obsolete, or trivial (ROT) data that may have a high-risk if breached. Using advanced tools like the Aparavi Platform to gain data intelligence and data analytics is an excellent way to leverage the heavy lifting capabilities of technology to find and take action on data quickly. Although data governance of unstructured data may not have been a top priority in the past, it is certainly a higher priority now, knowing that data governance could reduce the risks of things like data breach by decreasing an organization’s data footprint.
2. Practice Data Minimization
Data minimization is a concept that started in the European General Data Protection Regulation (GDPR). The purpose of data minimization aligns data uses to a legal basis for data transfer and data handling. For example, under the CCPA and CPRA, businesses must be able to explain which categories of consumer data that they collect from individuals, and allow those individuals to see, change or delete their personal information upon request. In addition, the company cannot exceed the data uses that they outlined to their customers, and they cannot collect more information than necessary to complete the business purpose.
Minimizing data is essential for businesses to understand why they’re collecting data, what data is being collected, and either delete (under CCPA) or edit (under CPRA) the data if requested. Using data minimization is an excellent opportunity for businesses to remove that data from that environment to better align data with specific purposes and reduce their overall data risk.
3. Implement Systems to Manage Data Subject Access Requests (DSARs)
Data subject access requests or (DSARs) are requests that consumers make to businesses related to data the companies hold about them. For example, under the CCPA, companies must provide a link or button on their website to allow customers to request information about their data, request data deletion, or stop data sales. When the CPRA goes into full effect in January 2023, businesses will also need to provide a mechanism by which individuals can ask for data edits and data corrections. Although this new CPRA addition to the law may seem minor, it is a considerable undertaking for businesses who have not had either the staff, technology or processes in place to be able to edit and correct consumer data. The CPRA will take a rethinking of how companies collect data about consumers and the amount of data needed to fulfill their business needs.
In 2021 businesses will have an opportunity to increase their data maturity while reducing risks of complying with the CCPA and the CPRA with savvy data practices.
Interested in learning more about the new CPRA? Watch this webinar, CCPA 2.0