On November 3rd, California voted to ratify Prop 24, a ballot initiative that expands and extends the regulations originally set down in the California Consumer Privacy Act (CCPA), which has been in effect since the start of this year. The amended legislation, now known as the California Privacy Rights Act (CPRA), further extends what was the first state data privacy law in the US.
The repercussions of this legislation are significant. Firstly, when it comes into effect on Jan 1, 2023, CPRA as it is currently written will apply to businesses with more than $25m in revenues that have customers in California, the most populated state in America.
Secondly, the expanded provisions included in CPRA will more than likely set the stage for similar state-level laws. After all, California is often the trendsetter in state legislation. Where California goes, the nation follows.
Thirdly, CPRA will compel covered companies to build, implement, and maintain a new approach to how they deal with what is often one of their key business assets: their consumer data.
Specifically, CPRA expands CCPA in a few key areas:
- Broadened scope of protected data
- Expanded set of consumer rights
- Breach liability for combinations of data
- Data minimization provisions
- A dedicated enforcement agency
Let’s drill down into each of these in more detail:
Broadened scope of protected data
Beginning in 2023, CPRA will expand the scope of protected data covered under CCPA by including both “personal information” and “sensitive personal information” (SPI).
In addition to identifiers like Social Security numbers, addresses, and driver’s license numbers, CPRA will also include specific protections for SPI, which the statute defines as health data, precise geolocation, and contents of communications (mail, email, SMS), alongside special category information like religious belief, racial or ethnic origin, and sexual orientation.
Expanded set of consumer rights
Furthermore, CPRA will expand consumer rights to allow Californians to correct personal information, know how long their data is being retained, opt out of advertisers using precise geolocation, and limit the usage of sensitive personal information to purposes that are consistent with the consumer’s indicated preferences.
Breach liability for combinations of data
The law also extends liability to data breaches in which combinations of information (email address and password, credit card number and SSN) are exposed. CCPA had included a data breach liability provision, but did not extend liability beyond what was already defined in the state’s existing data breach law.
Data minimization provisions
CPRA includes a data minimization provision - a significant first for US privacy laws. The data minimization provision compels businesses to better understand where they are keeping sensitive data, how long they've had that information, and what data they are retaining.
A dedicated enforcement agency
CPRA also increases the ability of the California state government to enforce these laws by creating the California Privacy Protection Agency. Previously, enforcement of CCPA was through the California Attorney General’s office - which obviously deals with a broad set of matters other than potential privacy violations.
Putting PI (& SPI) into the right context
In combination, the expanded provisions create significant operational challenges for businesses. Companies subject to CCPA have already contended with the challenges of better accounting for how they collect and use personal information to comply with requirements like consumer data rights. Under CPRA, these challenges are compounded by the expanded category of sensitive PI.
Existing approaches to data discovery and identification are simply not designed to accurately recognize sensitive PI that depends heavily on context - in particular for unstructured data.
And, under the new consumer data rights in CPRA, linking individuals to their sensitive PI data elements is critical to operationalization.
A New Approach for Data Privacy
With the increased enforcement pressure that comes with a dedicated agency and the expanded liability for data breach, businesses will have to make proactive efforts to ensure their data is accounted for. This is where new approaches to automating insights into personal information come into play.
Text IQ’s AI-powered privacy tool uses unsupervised machine learning to develop a social linguistic understanding of the data to improve the accuracy of recognizing personally identifiable information (PII) and to classify special category information within unstructured data. In addition to leveraging context and semantic analysis to understand how data elements relate to an individual, Text IQ’s AI is capable of recognizing an individual appearing under different names through a process of entity normalization.
These entity-centric views, data element linkages, and entity normalization capabilities enable customers to better prepare themselves for the expanded data rights ushered in by the approval of Prop 24, including the more specific requirements for the handling of SPI.
These capabilities can also help with the data breach response process by automating data assessment - including the need to identify combinations of personal information now included under CPRA.
To address the new data minimization provision, Text IQ’s data enrichment can facilitate data retention controls and input for personal information handling policies.
The approval of Prop 24 ushers in new legislation that will further redefine the landscape of consumer data privacy. Businesses will have to react quickly to ensure they can comply or risk the wrath of a new and eager state agency. The regulatory burden of CPRA may seem overwhelming, but there are ways that Text IQ’s technology can help.