January 28, 2021

Volume XI, Number 28


CPRA Security Risk Assessments & Privacy Compliance

Does the CPRA require companies to undergo security risk assessments?

Likely no. While the CCPA provides for statutory damages if certain personal information is exposed in a data breach due to a business’s failure to have reasonable and appropriate security in place, the CPRA goes a step further. The CPRA requires the California government to issue regulations requiring businesses whose processing of consumers’ personal information “presents a significant risk to consumers’ privacy or security” to perform an annual cybersecurity audit. The factors to be considered when determining whether processing poses a significant risk to the security of personal information include the size and complexity of the business and the nature and scope of the processing activities. Thus, it is possible that the regulations will not require all businesses to undergo a security audit, e.g., if they are not collecting or processing sensitive information.

Will companies be required to designate an employee responsible for privacy compliance?

Not specifically. While the CPRA will require businesses whose processing poses a “significant risk” to consumers’ privacy or security to conduct an annual risk assessment and submit it to the newly created California Privacy Protection Agency, the CPRA does not require that businesses appoint a “Chief Privacy Officer” or similar individual responsible for compliance with the CCPA and CPRA. Practically speaking, businesses may find compliance easier to achieve if the responsibility for doing so is assigned to a designated individual.

What additional rights does the CPRA grant to California consumers?

The CCPA provides California residents with the right to know what personal information businesses are collecting about them, the right to request deletion, and the right to opt out of the sale of their personal information.

The CPRA goes a step further and grants additional rights. These rights include the right to (a) fix errors or correct inaccurate personal information (sometimes known as the right to rectification), (b) opt out of information sharing with third parties for behavioral advertising across websites, (c) object to certain uses of their sensitive information (e.g., Social Security number and other identity-related information, financial information, race or religious information, precise geolocation, etc.), and (d) object to automated decision-making and profiling.

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 311
About this Author

Jena M. Valdetero Cybersecurity Lawyer Greenberg Traurig Law Firm
Shareholder

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on...

312.456.1025