CPRA Security Risk Assessments & Privacy Compliance
Friday, November 6, 2020
CPRA Risk Assessment Requirements

Related Practices & Jurisdictions
Print Mail Download i

Does the CPRA require companies to undergo security risk assessments?

Likely no. While the CCPA provides for statutory damages if certain personal information is exposed in a data breach due to a business’s failure to have reasonable and appropriate security in place, the CPRA goes a step further. The CPRA requires the California government to issue regulations requiring businesses whose processing of consumers’ personal information “presents a significant risk to consumers’ privacy or security” to perform an annual cybersecurity audit.  The factors to be considered when determining whether processing poses a significant risk to the security of personal information include the size and complexity of the business and the nature and scope of the processing activities. Thus, it is possible that the regulations will not require all businesses to undergo a security audit, e.g., if they are not collecting or processing sensitive information.

Will companies be required to designate an employee responsible for privacy compliance?

Not specifically. While the CPRA will require businesses whose processing poses a “significant risk” to consumers’ privacy or security to conduct an annual risk assessment and submit it to the newly-created California Privacy Protection Agency, the CPRA does not require that businesses appoint a “Chief Privacy Officer” or similar individual responsible for compliance with the CCPA and CPRA. Practically speaking, businesses may find compliance easier to achieve if the responsibility for doing so is assigned to a designated individual.

What additional rights does the CPRA grant to California consumers?

The CCPA provides California residents with the right to know what personal information businesses are collecting about them, the right to request deletion, and the right to opt out of the sale of their personal information

The CPRA goes a step further and grants additional rights. These rights include the right to (a) fix errors or correct inaccurate personal information (sometimes known as the right to rectification), (b) opt out of information sharing with third parties for behavioral advertising across websites, (c) object to certain uses of their sensitive information (e.g., Social Security number and other identity-related information, financial information, race or religious information, precise geolocation, etc.), and (d) object to automated decision-making and profiling.

©2024 Greenberg Traurig, LLP. All rights reserved.

Current Legal Analysis

More from Greenberg Traurig, LLP

DOL Makes Significant Changes to QPAM Exemption
by: Nathan M. Iacovino
Florida’s Live Local Act Middle-Income Affordable Housing Exemption Has 2-Year No-Exemption Exit Trap
by: Marvin A. Kirsner
U.S. to Impose Further Tariffs on Imports from China Following Section 301 Review
by: Laura Siegel Rabinowitz , Donald S. Stein
Treble Ahead? Supreme Court Decision Sharp on Copyright Damages but Flat on the Discovery Rule
by: Sabina A. Vayner , Steven J. Wadyka Jr.
Maryland Restricts Noncompete Clauses for Veterinary and Health Care Professionals
by: Galit Kierkut , Kristin Spallanzani
IRS Issues Supplementary Letters to Affected Taxpayers Who Requested More Information About Data Breach; Scope of Disclosure Remains Unknown
by: G. Michelle Ferreira , Scott E. Fink
CA Bill Would Shift Lobby Filer Audits to Fair Political Practices Commission
by: Rebecca J. Olson
June 2024 Visa Bulletin Updates
by: Patricia A. Elmas
NY State Ethics Commission Violates Separation of Powers Doctrine: Appellate Court
by: Mark F. Glaser , Joshua L. Oppenheimer
FDA Issues Final Rule to Regulate Laboratory-Developed Tests as Medical Devices
by: Nicholas J. Diamond , Charles C. Dunham, IV

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins