Jodi Daniels is a privacy consultant and Founder/CEO of Red Clover Advisors, one of the few Women’s Business Enterprises focused on privacy.
Privacy regulations are often looked at as an annoyance, something that disrupts business practices. But I’m here to tell you, they can help you build better business practices.
The newest regulation on the privacy block in America? The California Privacy Rights Act (CPRA). CPRA retools some of the wonky parts of its predecessor, the California Consumer Protection Act (CCPA), but more than that, it extends new and meaningful action items for businesses.
If you weren’t privacy-inclined before now, you might want to reconsider it.
How CPRA Will Impact Businesses
The line item changes in CPRA are numerous. Some parts of the regulation have a more immediate impact on business practices than others, though.
1. Expanded Privacy Rights
Let’s start this part of the conversation by giving CCPA a shout-out. Individual rights are an important part of CCPA, establishing five fundamental privacy rights for California residents: (1) right to notice, (2) right to access, (3) right to opt out, (4) right to request deletion and (5) right to equal services and prices.
CPRA preserves these rights, plus adds four more:
• Right to correct
• Right to opt out of automated decision making
• Right to data portability
• Right to restrict the use of sensitive personal information
The right to restrict the use of sensitive personal information is particularly important. Mirroring the EU’s General Data Protection Regulation (GDPR) special categories of data, CPRA offers protection for information like social security numbers, passport numbers, religion, genetic data and sexual orientation.
What this means for your business: Individuals now have more legal protections against misuse of their personal information, and more data points are protected, too. This should give all businesses pause when collecting and securing personal information, especially sensitive personal information.
You’ll also need to adhere to requirements for limiting the use of sensitive information. Under CPRA, consumers need access to a link to place this request, and you’ll need mechanisms in place to handle these as individual rights requests.
However, consider this an opportunity to infuse your business’ culture with privacy practices. As new rights are extended to consumers, you’ll need to provide training to staff. Training teaches your employees what to do, but the opportunity to teach them why you do it is valuable, too.
2. Better Definition For Selling and Sharing
A sticky issue with CCPA is its definition of “selling” data. CPRA breaks it into “selling” and “sharing.” More specifically, it breaks those terms up into “selling” and “sharing, renting, releasing, disclosing, disseminating, making available, or transferring personal information for behavioral advertising.”
What this means for your business: Businesses have been able to — or at least tried to — skirt compliance requirements by claiming that they didn’t “sell” data. The new definition doesn’t provide much cover for that now. Consumers will now have the right to opt out of sharing and selling their personal information.
3. Keeping Closer Tabs On Data
Another CPRA move that mirrors GDPR? The addition of data minimization and storage limitation provisions. Data minimization and storage limitations reflect the reality that the more information you gather and the longer you keep it, the greater the security (and therefore privacy) risk it poses.
Under CPRA, organizations will need to be ready to document and assess their data collection practices. They’ll need to be able to demonstrate why they need certain personal information, define its lifecycle and have a plan for disposing of the information at the end of its lifecycle.
What this means for your business: Yes, gathering and documenting this information is a lot of work. It pays off, though. Not only does it reduce the risk for you and your customers, but it can also streamline your data collection practices.
4. No Third-Party Vendors At The Bottom Of The List
Your vendors are an important part of your services and/or products, but that doesn’t mean they don’t pose a risk to you and your customers. CPRA creates more regulatory structure around these relationships by mandating that businesses and vendors must detail their data relationship in a contract. This contract, among other things, requires both parties to maintain the same level of privacy protections.
What this means for your business: Audit your vendors. Make sure they understand and are ready to handle the CPRA compliance protocol. What’s more, make sure they’re willing to put it all in a contract.
Here’s the thing, though: this is a great business practice anyway. It gives you a chance to review your data flow. After all, privacy requires you to know your data collection and what’s going on with it. It’s a wellness check on behalf of you and your customers.
Not Business As Usual, But Better Business
Privacy has long been seen as an enhancement to business practices — something extra, not something foundational. Privacy regulations are changing that, though. Just having privacy protections is now the bare minimum. When implemented as part of good business practices, privacy is more than just the technical aspects of protecting customer information. It’s about building trust and sustaining relationships.
When done right, it’s a reason to do business with you.