
Do Your Third-Party Vendors Put You At Risk For CPRA Noncompliance?

As originally published in Forbes


As organizations and CISOs are budgeting and planning for 2022, readiness and compliance for the California Privacy Rights Act (CPRA) should be high on their list. With that in mind, I think it is a good time to update a post I wrote 2 years ago about the California Consumer Privacy Act (CCPA). That legislation, passed in 2018, was a stark wake-up call to organizations that had previously been collecting, processing and selling consumer data with little oversight. Less than a year after it went into full effect, the state followed up with CPRA to expand and amend the CCPA. These new regulations will go into full effect on January 1, 2023.

CPRA introduces new applicability criteria and stricter regulations than the CCPA, as well as heftier fines for organizations that fail to comply. And although the legislation only applies to data collected on California residents, the business itself does not have to be located in the state. For example, a German company could find itself liable if its website is breached and California customers are affected. The CCPA and CPRA are, in effect, national and global laws for anyone serving California users.

CCPA and CPRA are the strongest consumer privacy regulations mandated at the state level, and they represent an important shift in the regulatory landscape. Lawmakers across the nation are increasingly calling upon businesses to take accountability for the data they harvest. New York, for example, is in the process of enacting its own data privacy legislation. CCPA and CPRA give significantly more power to consumers to demand accountability and transparency for how their private data is handled — and these laws won’t be the last.

Understand the Differences Between CCPA and CPRA

A recent report from Osterman Research revealed that only 23% ...

*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2022/do-your-third-party-vendors-put-you-at-risk-for-cpra-noncompliance/