Data Protection Regulation
Preparing for the Next Wave of U.S. Data Protection Regulations
Zak Rubinstein November 6, 2020
The California Privacy Rights Act (CPRA) has now passed. But how does it differ from the CCPA and what does it mean for U.S. businesses? In an age when consumers are winning the debate on data privacy rights, CPRA spells big changes for tech companies’ approach to data collection. Here, Zak Rubinstein, CEO and founder of 1touch.io, explains the nuts and bolts of the new game-changing privacy law and how organizations can get started on their privacy compliance program.
The EU’s General Data Protection Regulation (GDPR) was the first of many data privacy laws passed in recent years. Some of these laws were created to achieve reciprocity with the EU, while others were driven by consumers’ desire for privacy.
As the regulatory landscape becomes more complex, achieving and maintaining compliance with all these regulations poses a significant challenge for businesses. While many of the new laws have similar goals, the details and requirements can vary significantly from one to another.
The Rise of State-Level Privacy Laws
The California Consumer Privacy Act (CCPA), the most famous U.S. state-level privacy law offers California residents many of the same protections as the GDPR in a state that hosts a significant percentage of tech companies.
However, the CCPA is far from the only state-level privacy law and not even the only attempt at ensuring data privacy and security for California residents. Understanding the U.S. regulatory landscape and how it continues to evolve is essential to ensuring compliance with new requirements.
Learn More: CCPA is Now CPRA — Here’s What’s Changed
The New California Ballot Initiative
The CCPA began as a California ballot initiative before the state legislature took over and passed a (very different) version of the law. The same group behind the CCPA, Californians for Consumer Privacy, has landed a new initiative on the November 2020 ballot, the California Privacy Rights Act (CPRA).
The goal of the CPRA is to build upon the foundation of the CCPA, offering additional protections to Californian consumers and changing the requirements for businesses. The proposed law includes several consumer rights that are familiar from other privacy regulations but missing from the CCPA, including:
- Data Correction: Data subjects have the right to require businesses to correct inaccuracies in the data collected about them
- Restrict Use of Sensitive Personal Data: Data subjects can limit businesses’ use of “sensitive” personal data (a special category under the CPRA)
- Data Minimization: Businesses are required to limit the amount of data collected and data retention periods to what is necessary
- Restrict Use of Precise Geolocation: Data subjects may deny the use of precise geolocation
- Transparency Regarding Automated Decision-Making: Companies must be transparent about how they are using data in automated decision-making processes
- Restrict Sharing of Data with Third Parties: Redefines the CCPA right to opt out of “selling” data to include “sharing” data as well
Beyond providing consumers with these rights, businesses will also need to make other changes to their operations under the CPRA. While the CPRA modifies the definitions of covered businesses (reducing the burden on small businesses), it adds responsibilities for organizations subject to the law. These include implementing data protection by design and default, maintaining records of processing activities, and, for processors of high-impact data, performing regular risk assessments and cybersecurity audits.
Learn More: From Seat Belts to CCPA: Why Regulations Don’t Kill Innovation
State-Level Laws Beyond CCPA
In recent years, Maine and Nevada have passed and signed data privacy laws, and ten other states currently have bills working their way through the legislature. An additional seven states have a task force in place or are engaging in a study.
These privacy laws can vary significantly from one state to another. The CPRA is the most comprehensive law currently in the process, but others provide a number of different protections to their constituents. A comparison by the International Association of Privacy Professionals (IAPP) compares the laws currently in the works based upon the eight rights they grant to consumers and eight responsibilities imposed upon businesses.
Learn More: In Privacy-First Era, MSSPs Can Push the Data Protection Envelope
Preparing for and Achieving Regulatory Compliance
The rights and requirements of the U.S. privacy regulations vary from state to state, but many of the requirements are largely a subset of the stronger regulations like the CPRA and the GDPR. As such, organizations that are compliant with CPRA and GDPR must only make small modifications to meet the specific requirements of new laws as they are passed and go into effect.
All of these laws are designed to ensure the privacy and security of consumer data, so the first and most important step of the compliance process is for organizations to identify the scope of their data collection, storage, and usage.
You cannot properly secure or respond to consumer requests about data that you don’t know you have, and the failure to do so can result in a data breach, regulatory penalties, and/or legal suits. Start your organization’s compliance journey by achieving the data visibility that you need.
Let us know if you liked this article on LinkedIn, Twitter, or Facebook. We would love to hear from you!
CALIFORNIA PRIVACY RIGHTS ACT CCPA CPRA DATA PRIVACY DATA PROTECTION DATA SECURITY GDPR
Zak Rubinstein is the CEO and co-founder of 1touch.io, provider of the Inventa™ AI-based sustainable data discovery and management platform for privacy, security and governance. As a 13-year veteran of the security industry and organizational psychologist by training, Zak led the global sales and SE Training efforts at CheckPoint to help advance field education aimed at selling deeper and wider in targeted markets.As Co-founder, Vice President of Sales and Business Development of Sequoia-backed Indeni, together with a talented team of individuals, Zak spearheaded entry into global markets of the Indeni security solution, bringing instant value to its wide customer base.Zak holds a Bachelor of Science in psychology from Middlesex University, a Master of Science in organizational psychology from Hertfordshire University and a Master of Business Administration degree from Heriot-Watt University.
--------------------