
[author: Andrew Burt]  NAVEX Global – JDSupra

In November, California voters took (yet another) sharp turn in the data privacy lane and passed Proposition 24, better known as the California Privacy Rights Act (CPRA). This replaces the California Consumer Privacy Act (CCPA), which itself just came into effect last year. That’s a lot of change in a small amount of time, and it can leave compliance officials with a lot of head-spinning questions: Why did California change its data privacy laws (again)? What do I have to change? How much time do I have?

A Little History

To fully incorporate the data privacy changes within the CPRA, it helps to understand the history behind the push for consumer protections in California. In 2016, real estate developer Alastair Mactaggart and his advocacy organization Californians for Consumer Privacy proposed a new ballot initiative that would transform data privacy protections in California (and, by extension, the nation). This drew concern from tech companies as well as some privacy advocates, who worried an initiative would be difficult to amend. The California Consumer Privacy Act (CCPA), put forward in response to Mactaggart’s proposed 2018 data privacy ballot initiative, represented a legislative attempt to address privacy concerns.

However, the hastily crafted law ultimately failed to satisfy anyone. It lacked clarity for businesses, disproportionately impacted small businesses, and lacked adequate mechanisms (and funding) for enforcement. So, in 2020 Californians for Consumer Privacy introduced a refined version of its original ballot initiative. According to Mactaggart, the new Act is needed to accomplish 4 key goals:

  • Further protect personal information (PI)
  • Increase fines for violating children’s privacy
  • Create more transparency
  • Establish a new enforcement arm

What’s Changed?

The CPRA, then, reflects an attempt to “fix” CCPA in one of 4 critical areas. This has resulted in several key changes, including:

1. New Enforcement Agency

Arguably the biggest change in the CPRA is the creation of the California Privacy Protection Agency. The CCPA was enforced by the state’s Attorney General, who faced significant resource constraints. Under the CPRA, enforcement will be managed by a separate agency with full administrative power, authority, and jurisdiction. The law also creates a Chief Privacy Auditor to conduct audits of businesses.

2. Sensitive Personal Information

Another major change is the creation of a new classification of PI – sensitive personal information (SPI). This is a subcategory of PI that includes:

  • Social Security, driver’s license, state ID, or passport numbers
  • Financial account information
  • Precise geolocation
  • Racial or ethnic origin
  • Sex life or sexual orientation
  • Religious or philosophical beliefs
  • Union membership
  • Nonpublic communication (including mail, email, and text content)
  • Genetic, biometric, and health data

Any collection of SPI carries additional disclosure, opt-out, and use requirements. Under CPRA, consumers have the right to limit the use of their SPI. Companies must provide a “clear and conspicuous link” on their homepage titled “Limit the Use of My Sensitive Personal Information.” This is in addition to the CCPA’s required opt-out link (though businesses can use a single link to execute both functions).

3. Covered Businesses

The CPRA makes several changes to which businesses are covered. On one side, it expands coverage to include all businesses that share personal data, whether they receive monetary compensation or not. However, it also increases the CCPA collection threshold from 50,000 consumers/households to 100,000, and it removes devices from this count. Also, commonly controlled businesses or those that share common branding are no longer covered unless they also share consumers’ personal information. These changes will provide relief to many small businesses.

4. Required Audits

Another major component of CPRA is the requirement that companies processing high-risk data perform annual cybersecurity audits. Audit results would be submitted to the California Privacy Protection Agency. This mirrors the GDPR, which requires such companies to perform data protection impact assessments (DPIAs).

5. Right to Opt-Out

CPRA also expands the CCPA’s right to opt-out to include the sale and sharing of personal information. This includes the transfer of PI to a third party for “cross-context behavioral advertising.” This clarification was made to affirm that companies must provide a right to opt out of third-party sharing for advertising purposes, including through cookie-based collection on websites and apps.

6. Right to Access, Delete and Correct

In addition to opt-out, Californians now have several additional data rights, including the right to have their PI deleted and corrected. Businesses will also be required to notify third parties of these requests if they shared the data in question.

As under GDPR, consumers now have the right to access information about how companies use automated decision-making technology, specifically with regard to profiling. This includes “meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.” However, CPRA goes even further, giving consumers the right to opt out of any form of automated decision making (GDPR only gives consumers the right to not be subject to decisions made solely by automated processes).

7. Increased Penalties and Liability

As Mactaggart noted, the CPRA increases fines for privacy violations regarding minors. Companies that misuse the PI of those under the age of 16 can be fined $7,500 for each violation. The Act also eliminates the 30-day cure period that companies had to fix compliance violations. CCPA’s Right of Action

Looking Ahead

These are just a few of the changes CPRA is making to the world of data privacy compliance. The full nature and scope of the Act’s impact will continue to evolve as the state of California readies for enforcement. The clock is ticking; enforcement begins January 1, 2023. But if the evolution of CCPA has taught us anything, it’s that decisions made in the time in between will shape the data privacy space for years to come.

In the meantime, here are some actions you can take:

Determine if CPRA Applies to Your Business

Because of the coverage changes, some businesses that weren’t subject to CCPA will be impacted by CPRA, and vice versa. Recalculate your collection estimates, removing devices from your count. If that number is less than 100,000, you may well be exempt. Do you share common branding with other businesses but not PI? Then you might no longer be covered. Conversely, not receiving monetary compensation from sharing personal data no longer excludes you.

Implement a Data Security Plan

This is a smart practice even if you aren’t covered by CPRA. Implementing best practice security frameworks, creating policies, and establishing performance metrics can help keep your data safe and protect your business from increasing fines.

Conduct Audits

Like GDPR, CPRA now requires organizations managing “high-risk” PI to perform annual cybersecurity audits. Make sure you know the types of data your company stores, how it flows throughout your organization, and the impact of a potential breach.

Get CCPA Compliant

Finally, it’s important to remember that CCPA is still in effect, and will be for some time. Make sure that your organization is taking all the proper steps to remain in compliance – regulators will be, too.


View original article at Risk & Compliance Matters
