CCPA/CPRA

CCPA/CPRA is strongly influenced by the EU’s primary data privacy regulation, GDPR. The rights of individuals to control their data are highly protected under both frameworks. Once significant difference: Under CCPA/CPRA, data may be collected until the consumer opts out, whereas, under GDPR, no data may be collected until the consumer opts in.

Consumers have the right to delete the information businesses acquire and refuse the sale of their data without repercussions. Organizations that collect PII are required to implement and maintain reasonable data security practices and procedures. Sanctions and other remedies can be imposed for violations, regardless of whether there was intent.

Organizations required to comply with CCPA/CPRA must have websites that include:

1. A ‘do not sell my personal information’ option.
2. Explanations at every data collection point about what categories of personal data are collected and for what purpose.
3. A privacy policy, updated within the past year.
4. A process to respond when customers request information about the data you collected on them.

The CPPA is actively working on several sets of proposed regulations:

1. Cybersecurity Audits: Guidelines for auditing cybersecurity practices.
2. Privacy Risk Assessments: Assessing and managing privacy risks.
3. Automated Decision-Making Technologies (ADMTs): Addressing AI-driven decision-making.
4. Revisions to Existing Regulations: Updates to definitions and consumer request processes.
5. New Rules for Insurance Companies: Specific requirements for insurers

Enforcement Advisory on Data Minimization:

1. In April 2024, the CPPA issued its inaugural enforcement advisory emphasizing data minimization principles.
2. Businesses should restrict the processing of personal information to what is reasonably necessary and proportionate.
3. The CPPA will consider good-faith efforts to comply when deciding whether to pursue investigations.