CCPA 2.0 - Here’s What You Need to Know | Very Good Security

May 14, 2020

Dubbed “CCPA 2.0,” a proposed initiative called the California Privacy Rights Act (CPRA) is gaining traction – and will likely make an appearance on the November 2020 ballot in California.

The original legislation, the California Consumer Privacy Act (CCPA), only came into effect on January 1, 2020, but potential changes to this data privacy regulation are already looming on the horizon. If passed, proposed changes like the CPRA could mean businesses will need to further beef up their data security measures.

CCPA Might Be Getting a Makeover

Nearly a million signatures have been collected in support of the act, which would push the state’s privacy regulations further toward the European Union’s General Data Protection Regulation (GDPR).

While the signatures haven’t yet been validated, early polling shows that CPRA has a good chance of passing. If it becomes effective, several modifications to the CCPA and its language would be implemented, impacting businesses and consumers across the globe.

To help make sure your business is prepared for whatever comes next, we’ve put together this blog post to briefly outline what the CPRA will look like as well as how you can be ready if and when it takes effect.

Background: What is the CCPA?

The CCPA was passed by the California Assembly in 2018. Its appearance on the ballot came as a compromise between lawmakers and data privacy activists, the latter of which - led by Californians for Consumer Privacy (CCP) founder Alastair MacTaggart - were pushing for a much stricter and consumer-focused initiative drafted before CCPA took shape.

MacTaggart agreed to remove the initial proposal from the ballot in exchange for assurance that the CCPA would pass, which it eventually did.

The CCPA introduced new privacy rights for California residents, including the right to request that a business not sell the individual’s or household’s personal information, the right to access their information, and the right to have it deleted.

Businesses were required to be compliant with the new law on January 1, 2020, and enforcement of the law is set to begin in July 2020.

Introducing CCPA vs CPRA

While the Assembly passed the CCPA, the CCP was not satisfied with how the law was implemented. In September 2019, MacTaggart announced that a new initiative had been drafted and signatures would be collected to get it on the November 2020 ballot in California.

The new initiative, the California Privacy Rights Act (CPRA), would build on the framework of the CCPA and move the law closer to the GDPR.

Currently, the CCPA requires companies to provide a privacy policy that informs consumers of their data privacy rights. You need to tell them whether you plan to sell their information and how they can opt out, and provide a verifiable method a consumer can use to request that you change or erase their data.

The CCPA applies to any company that collects personal information from California residents, regardless of the company’s location.

In short, the CPRA would:

  • Emulate GDPR rules on how personal information may be collected and stored, without sacrificing data integrity.
  • Create a new data classification, “Sensitive Personal Information,” covering personally identifiable data such as health and financial data, race, and geolocation.
  • Give consumers the right to opt in before a company sells their data or uses it for advertising.
  • Require businesses to disclose whether they use consumer data for profiling and, if so, explain their rationale.
  • Create a new state agency, the California Privacy Protection Agency (CPPA), to enforce the law - a responsibility currently delegated to the state Attorney General’s office.

What will it take for CPRA to be implemented?

The CCP has already collected nearly 1 million signatures, while only about 623,000 are needed to qualify the initiative for the 2020 ballot. Because the initiative already qualifies on such a high number of raw, unverified signatures, the Secretary of State is now responsible for ordering county election officials to verify a random sample of the signatures.

If the initiative receives a simple majority of votes, it will become law in California.

Two provisions of the initiative would take effect immediately. First, business-to-business and employee data would be exempted until January 2023; currently, these types of data are exempted until January 2021. Second, the CPPA would be created.

The remaining provisions would not take effect until January 2023, similar to the two-year transition period businesses were given to implement the GDPR when it took effect in Europe.

How should businesses prepare?

While we won’t know until November whether or not the CPRA will become law, there are things you can do right now to prepare yourself - which will be beneficial to your business regardless of the law.

These things aren’t specific to the CPRA, but are rather privacy practices to protect consumer information that you can implement in your organization so that you can quickly adapt to any future change in privacy laws.

Building and nurturing an agile, adaptable data privacy program at your organization will not only make achieving various compliance certifications much easier, but also put you in the best position to avoid data breaches over the lifespan of your business.

How to maintain a CPRA-ready, agile data privacy program

Privacy will always be filled with some level of uncertainty because laws can change. Brazil, for instance, has a new law going into effect in August (unless it’s preempted), and the State of Washington has been close to passing a privacy law for the past several years.

Instead of reacting to the laws as they take effect, forward-thinking business leaders wisely take certain steps to create an agile data privacy program that can adapt to any data privacy curveball that lawmakers might throw at them.

1. Create a culture of privacy

Be an advocate for privacy within your organization and help people become aware of data privacy. Culture is created in part through training but, more importantly, it’s created when you help people understand the day-to-day activities that can impact people’s privacy.

Help system owners understand what personally identifiable information they are responsible for and the sensitivity of that information. Empower them to be stewards of their data and provide them with guidelines for how to determine things like who should be able to access the data (role-based access control) and under what circumstances the information can be used.

If privacy is baked into your culture, your processes and workflows may need to be tweaked to meet the specifics of a law but they won’t have to be overhauled.

2. Measure your security maturity

Privacy is what you want; security is how you get it. Many privacy laws require security, but they aren’t specific about how your security program should look.

Ensure that you’re using a security framework and measuring your maturity against the framework. This will help you to prioritize the areas where you’re least mature and define what level of maturity you want to get to.

Not every area needs to score a five on the maturity scale, but make thoughtful decisions about your business needs and mature the areas that are most critical to your success.

3. Find ways to get to Zero Data

Data security tools, like tokenization, aliasing, masking, and encryption, won’t necessarily keep you from having to comply with a law or regulation, but they can help you get to compliance faster.

That’s because having an expansive data environment with personal information flowing through your business puts you deeper into the jurisdiction - or “scope” - of compliance regimes like the CCPA. If implemented correctly, data privacy tools let you keep operating on sensitive data without the burden of holding personal information on your own systems.

VGS Zero Data solutions are part of an end-to-end security platform that protects sensitive data at every point while preventing it from coming into contact with your organization. You can collect, transfer, and analyze all the personal information you want without ever taking on the burden or liability of actually touching it.

With VGS, companies outsource their data security worries to us, so they can get back to dedicating their time and energy on what’s most important: continuing to develop their businesses.

Channin Gladden

Senior Compliance Manager at VGS

