
Privacy

3 Reasons Why Your CPRA Compliance Plan Is Broken… And How to Fix It!

December 16, 2022

As we prepare for CPRA to go into effect on January 1, 2023, we thought it would be a good idea to look back at a really informative webcast we held earlier this year, Top Reasons Why Your CPRA Compliance Strategy Is Broken, to help you diagnose any issues you might have and set to work on remedying them before your organization ends up like Sephora, making a seven- or eight-figure settlement with the California AG. The webcast featured Amalia Barthel, co-founder of Managed Privacy Canada, and Peter Stockburger of Dentons, discussing what’s coming with the deadline fast approaching, and what organizations should be doing to get ready.

The Arrival of the California Privacy Protection Agency

Under the CPRA, there is a new enforcement agency in California known as the California Privacy Protection Agency (CPPA), which will have the authority to issue implementing regulations for this new law, and also to enforce the law in conjunction with the Attorney General's office. Made up of five board members, the CPPA released modified proposed regulations for the CCPA and CPRA in October 2022.

You Can No Longer Rely on Time to Cure CCPA or CPRA Violations

Starting on January 1st, the “time to cure” provision, which allowed organizations 30 days after receipt of a notice of non-compliance to cure a violation, is going away. Not only will organizations be subject to enforcement by the Attorney General, but also by the CPPA. Stockburger explained, “This new enforcement agency will have the authority to send you a notice of non-compliance and you will have to attend an administrative hearing, defend yourself and potentially be subject to penalties.”

Your Piecemeal Approach Isn’t Sustainable

In addition to CPRA coming into effect on July 1st, governing data on California citizens, so is the Virginia Consumer Data Protection Act, which covers (you guessed it) Virginia citizens. (If you want to learn more about that specific piece of regulation, you can start with our VCDPA checklist.) Of course, these two state laws were preceded by the European GDPR, governing EU citizens’ data. Connecticut’s and Colorado’s state laws come into effect on July 1, 2023, and Utah’s follows at the end of the year, December 31, 2023.

If your organization is taking these laws on one by one, rather than comprehensively with a holistic approach… you’re in for a nightmare of constant tweaks, updates, and complicated policies and procedures governing the data for relatively small sub-segments of your consumer base. As Peter Stockburger asked, “Do you really want to just try to knock out California for California residents, Virginia for Virginia residents, think about your GDPR for European residents, or do you want to take a more holistic approach and develop a privacy program and an approach that addresses each of the regulations you may be subject to?”

Complying with Employee Data Requests Is Much More Complicated Than Consumer Requests

One of the rights consumers have in California is to request the data your organization holds on them. The process of complying with data subject access requests (DSARs) is already complicated for consumer data, since it may be stored in multiple systems—but that’s nothing compared to the way most organizations store employee data, which will soon be subject to the same requirements for production, transfer, and deletion as consumer data. Amalia Barthel explains, “Well, the thing is with the employees, is that the records are so intertwined and they're everywhere. It is a little bit more difficult to understand what you can and what is actually part of the employee record. What is the employer's right to keep and not actually share further? So it's really about understanding how you are going to extract, to what extent, what are you going to redact part of the employee information and records?”

You’re Probably Holding onto Too Much Data for Too Long

One of the best approaches organizations can take to minimize their risk exposure under regulations like CPRA—and, coincidentally, in the case of data breaches—is to make sure you’re retaining only the data you truly need for only as long as you need it. As Stockburger explains, “Under the California Records Act, part of reasonable security is minimizing the amount of sensitive information that you have. What the CPRA is doing is it's taking that minimization principle, that proportionate principle, and it's applying to the entire set of personal information that's subject to the CPRA.”

For example, you may keep customer records for longer than the statutory limitation for breach of contract claims of four years in California—perhaps you want to analyze the data for business purposes. Under CPRA’s purpose limitations, you can no longer do that. If you don’t have a legitimate reason to keep the data longer than four years, and you haven’t informed the data subject of your intention to do so, you can’t legally retain it longer than four years. (This is just an example, not intended to provide specific legal advice.) Under CPRA, you can only use, store or process personal information for the original stated purpose under which you collected it.

Learn how you can prepare for CPRA with Exterro’s CPRA Accelerator Program today!
