In this blog, we highlight the six steps to go from CCPA to CPRA compliance. The California Privacy Rights Act (CPRA) was passed on November 3, 2020, and it brought with it a range of new obligations for organizations to comply with. An expanded scope, additional consumer rights, and a new definition for sensitive personal information mean that more data will fall under the provisions of the law, and consumers – and now employees – will have greater control over how organizations use that data.  

From an operational perspective, organizations that already have their CCPA compliance programs up and running should consider these new requirements before the CPRA’s January 1, 2023, effective date. However, the CPRA’s look-back period means that many of its provisions will be applicable to personal information collected from January 1, 2022. Therefore, organizations should implement solutions that bring them in line with the CPRA now. 

The 6 Steps from CCPA to CPRA Compliance  

1. Understand What Data Falls Under the CPRA’s Expanded Scope

The CPRA’s new provisions mean that a greater volume of data will fall under its scope, including a new classification for sensitive personal information (SPI). This will include information such as SSN, driver’s license numbers, biometric information, precise geolocation, and racial and ethnic origin, which organizations will need to find, catalog, and govern correctly in line with the CPRA’s data minimization and retention requirements.

How OneTrust Helps: Data Discovery

OneTrust’s Data Discovery & Classification technology scans cloud and on-premise systems to discover and classify structured and unstructured data. Advanced AI & machine learning (ML) driven classification models scan samples of data, ensuring a real-time and more accurate view of personal information. These models are trained and kept up-to-date by DataGuidance Regulatory Research, ensuring that organizations can stay current with evolving definitions of personal information across regulations. Additionally, the data discovery engine can extract metadata such as ‘date created’ and ‘last updated’ to help automate the enforcement of retention policies, another new requirement under the CPRA. Finally, OneTrust helps to identify and manage the third parties involved in personal data processing, giving you an automated and holistic view of personal information in your organization. 

2. Prepare for new Consumer and Employee Rights Requests 

The CCPA introduced new consumer rights for Californians including the right to know, access, delete, opt-out of sale, and to non-discrimination. The CPRA will now expand these rights to include the right to rectification, portability, and the right to limit the use and disclosure of sensitive personal information as well as extending these rights to employees. While many organizations that have CCPA compliance programs in place will likely have the appropriate processes for dealing with consumer rights requests, employee rights requests will pose several unique challenges. With the inclusion of employee rights, organizations will need to parse through greater volumes of data as well as increased amounts of unstructured data. This makes the need for automated discovery and data redaction more critical for organizations to keep up with this new category of requests.  

How OneTrust Helps: Privacy Rights (DSAR) Automation

OneTrust’s Privacy Rights (DSAR) Automation solution helps to automate consumer and employee rights requests from intake to fulfillment by embedding the request process across systems such as employee portals and existing IT ticketing systems. The OneTrust DSAR Automation solution also helps to streamline the identity verification process and automates the discovery of data associated with the requestor. Automated redaction capabilities find and redact sensitive information that should not be shared with the requestor using AI & ML-driven classification models. 

3. Update Websites to Include “Do Not Share” Opt-Out Mechanisms 

Since its introduction, the CCPA’s “Do Not Sell” requirement has been interpreted ambiguously by many organizations sharing personal information for advertising purposes. The CPRA has removed this ambiguity by including “Do Not Share” obligations for organizations to comply with. Businesses are required to provide consumers with a “Do Not Sell or Share My Information” link on their websites.  

How OneTrust Helps: Consent Management Platform

OneTrust’s Consent Management Platform (CMP) supports the “Do Not Share” opt-out requirements through pre-configured templates and settings across web, mobile, and CMP channels. Banners and links can be geo-targeted to those browsing from California to help ensure the proper opt-outs are communicated to third parties. OneTrust’s CMP easily integrates into the OneTrust Privacy Rights solution to extend the opt-out beyond targeted advertising to other types of data sharing.

4. Update Policies for Retention & Sensitive Personal Information 

The CPRA introduces new policy requirements for data retention and the collection and use of sensitive personal information, limiting this to what is necessary to provide goods or services. Putting these updated policies into practice manually will pose a challenge to organizations looking to operationalize retention, access, and visibility into data on a large scale.  

How OneTrust Helps: Data Retention & Personal Information Policies

OneTrust Data Discovery & Classification can help implement automated policy enforcement by creating rule-based data policies and simple integration into your IT ecosystem. The discovery process helps to inventory data through tagging the data with classifications such as personal information or sensitive personal information as well as flagging violations of policies based on those factors.  

5. Perform Risk Assessments and Annual Cybersecurity Audits 

The CPRA outlines that organizations undertaking high-risk processing of personal information and sensitive personal information are required to perform regular risk assessments similar to a Data Protection Impact Assessment (DPIA). These risk assessments must be submitted to a regulatory body to demonstrate that processing activities that present significant risks to consumer privacy or security are being performed with an appropriate level of protection in place to mitigate the risk. In addition to regular risk assessments, the CPRA requires organizations whose processing activities present a significant risk to consumer privacy or security to carry out an annual, independent cybersecurity audit.

How OneTrust Helps: Risk Assessments & Cybersecurity Audits

Organizations should therefore establish a process to ensure the proper completion of annual cybersecurity audits and risk assessments for high-risk data processors. OneTrust Assessment Automation provides an extensive library of customizable assessment templates built by privacy experts which can be sent internally and externally via a self-service portal. OneTrust will automatically flag risks and provide recommendations for remediation and will offer visibility into processing activities through a centralized dashboard.  

6. Monitor Regulatory Updates 

The CPRA establishes the California Privacy Protection Agency (CPPA) to oversee, implement, and enforce the CCPA and the CPRA, a role previously fulfilled by the California Attorney General. The CPRA includes a provision for the CPPA to create new regulations relating to compliance areas such as risk assessments, correction requests, and opt-out rights. The timeline for the CPPA to adopt its final Regulations is July 1, 2022. 

How OneTrust Helps: DataGuidance Regulatory Research

Keep up to date with the latest CPRA regulation developments through OneTrust DataGuidance Regulatory Research Software powered by a contributor network of over 800 lawyers and 40 in-house legal researchers. OneTrust DataGuidance includes daily news updates as well as a dedicated CPRA portal that centralizes the latest news, opinions, and FAQs. OneTrust DataGuidance’s ask an analyst feature allows users to submit questions specific to their privacy program and receive a response that addresses their unique compliance concerns within 48 hours. 


Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on the CPRA & CCPA compliance.