The California Consumer Privacy Act (CCPA) is a strict set of rules for companies in California, defining what these organizations must do to protect consumer privacy.
Although the CCPA does not require formal audits, the upcoming CPRA expansion will call for these practices, particularly in consumer protection and privacy areas.
As concerns about data privacy grow, more businesses see CCPA certification as more than just a legal requirement. They consider it a best practice. This certification offers a well-defined structure that helps organizations evaluate, confirm, and share data protection measures.
What Are the CCPA and the CPRA?
Governor Jerry Brown signed the California Consumer Privacy Act into law on June 28, 2018, after its introduction earlier that year. In 2019, lawmakers amended the CCPA several times to clarify the rules for businesses and regulators.
The law took effect on January 1, 2020, and the California Attorney General started enforcing it on July 1, 2020.
California voters approved the California Privacy Rights Act (CPRA) in November 2020. This act, an extension of the CCPA, clarified and expanded various aspects of the original law. The CPRA is set to take effect on January 1, 2023, adding more privacy rights for consumers and new obligations for businesses.
Inspired partly by the European Union’s General Data Protection Regulation (GDPR), the CCPA granted Californians new rights. This includes the right for consumers to know what data businesses collect about them, the right to delete that data, and the right to opt out of data sales.
Under the CCPA, specific rights include:
- Right to Know: Consumers can ask businesses what categories and specific pieces of personal data they have collected. They can also inquire about the reasons for collecting this data.
- Right to Delete: Consumers can request that businesses delete their personal information, subject to certain exceptions.
- Right to Opt-Out: Consumers can choose not to have their personal information sold to third parties. Businesses must provide a “Do Not Sell My Personal Information” link on their websites to make this easy.
- Right to Non-Discrimination: Businesses cannot discriminate against consumers for exercising their CCPA rights. This means they must provide goods or services, charge the same prices, and offer everyone the same level of service.
- Right to Data Portability: When consumers submit a request to know about or delete their data, they can receive their personal information in a readily usable format that they can transfer to another service.
- Right to Be Informed: Companies must provide clear and easy-to-understand privacy policies that explain consumers' CCPA rights and how to exercise them.
- Right to Know About Financial Incentives: You can learn about any rewards or benefits companies offer for keeping or selling your personal information.
- Right to Opt-In (for Minors): Companies must get permission from teenagers between 13 and 16 before selling their personal information. For children under 13, companies need permission from a parent or guardian.
- Right to Be Notified: Companies must tell you what personal information they collect and why.
These rights put you in the driver’s seat regarding your data while making companies more accountable for protecting that information.
What Is the CPRA?
The California Privacy Rights Act extends and expands the California Consumer Privacy Act. It was passed as a ballot initiative in the November 2020 elections in California and aims to strengthen and clarify the privacy protections provided by the CCPA. Here’s how the CPRA relates to the CCPA and what changes it brings:
- Continuation: CPRA builds upon the foundational privacy rights established by the CCPA. It does not replace the CCPA but rather enhances it.
- Consumer Rights: Both laws aim to give consumers more control over their personal information. CPRA introduces additional rights and clarifies existing ones.
- Business Obligations: Businesses already required to comply with the CCPA will generally also need to comply with the CPRA.
- Enforcement: The CPRA establishes a new enforcement agency, the California Privacy Protection Agency, to take over the role previously held by the California Attorney General in enforcing the CCPA.
CPRA added several additional privacy rights for consumers in California, including:
- The right to correct inaccurate personal information.
- The right to limit the use of sensitive personal information.
- Businesses must restrict data collection to what is necessary for the explicitly stated collection purpose.
- Companies must provide more transparency about automated decision-making and profiling.
- Consumers can opt out of sharing their data for advertising or marketing purposes, a provision that goes beyond the CCPA’s focus on the sale of data.
- CPRA imposes stricter rules on how businesses can share data with third parties and service providers.
- The new California Privacy Protection Agency will have the power to enforce privacy laws and issue fines, taking over the role of the California Attorney General.
- CPRA introduces higher fines for violations involving minors.
- Certain businesses must conduct regular audits and risk assessments regarding their data processing activities.
What Goes Into CCPA Attestation?
The CCPA is a state statute that enhances privacy rights and consumer protection for residents of California, United States. CCPA attestation refers to the formal process by which organizations certify compliance with the CCPA regulations. This attestation is often a requirement for doing business in California, especially for companies that handle large volumes of consumer data.
The critical components of CCPA attestation include:
- Documentation: Organizations must maintain comprehensive records that demonstrate their compliance with CCPA. This includes data processing logs, privacy policies, and records of consumer requests and responses.
- Third-Party Audits: Some organizations opt for an independent third-party audit to validate their CCPA compliance. The audit report serves as a form of attestation.
- Legal Review: Legal experts often review the organization’s data handling practices to ensure they align with CCPA requirements.
- Certification: After completing the necessary steps, organizations may receive a certification or seal indicating their CCPA compliance. This is often displayed on the company’s website or other public-facing materials.
- Annual Renewal: CCPA attestation is generally not a one-time event. Organizations are required to renew their attestation annually to confirm ongoing compliance.
- Transparency: As part of the attestation process, organizations often make public disclosures about their data handling practices through a dedicated CCPA compliance page on their website or other public statements.
- Board Approval: In some cases, the organization’s board of directors may need to approve the attestation, adding a layer of oversight.
Differences Between CCPA and CPRA for Auditing Purposes
The California Consumer Privacy Act and the California Privacy Rights Act aim to protect consumer data. Still, they have different requirements for audits and compliance assessments. Here are some of the key differences:
CCPA Audit Requirements
- No Explicit Audit Requirement: The CCPA does not explicitly require businesses to undergo regular privacy audits. However, companies are expected to maintain records to demonstrate compliance.
- Third-Party Contracts: While not explicitly an audit, businesses must enter into contractual agreements with service providers to ensure they comply with CCPA requirements.
- Record-Keeping: Businesses must maintain records of consumer requests and how they responded for at least 24 months.
- Enforcement: The California Attorney General enforces the CCPA, and businesses are generally expected to self-assess and self-report violations.
CPRA Audit Requirements
- Risk Assessment: The CPRA introduces the concept of regular risk assessments for certain businesses, particularly those whose processing of personal information presents significant risks to consumer privacy.
- Audit and Accountability: The CPRA mandates that businesses take appropriate action to audit and assess compliance, particularly when using consumers’ sensitive personal information.
- California Privacy Protection Agency: The CPRA establishes a new enforcement agency specifically for privacy rights, which is expected to conduct audits.
- Third-Party Compliance: CPRA imposes stricter rules on how businesses can share data with third parties and service providers, potentially requiring audits or assessments of these third parties.
- Annual Certification: While yet to be confirmed, some experts anticipate that businesses may be required to certify their compliance annually under CPRA.
- Penalties: The CPRA introduces higher fines for non-compliance, especially violations involving minors, making the audit process more critical.
Both laws require businesses to implement reasonable security procedures and practices to protect consumer data, although the CPRA provides more detailed guidelines.
Stay Ready for Your CPRA Attestation with Continuum GRC
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
- ISO Assessment and Audit Standards
And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® platform and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.