CPRA Security Risk Assessments & Privacy Compliance
Does the CPRA require companies to undergo security risk assessments?
Likely no. While the CCPA provides for statutory damages if certain personal information is exposed in a data breach due to a business’s failure to have reasonable and appropriate security in place, the CPRA goes a step further. The CPRA requires the California government to issue regulations requiring businesses whose processing of consumers’ personal information “presents a significant risk to consumers’ privacy or security” to perform an annual cybersecurity audit. The factors to be considered when determining whether processing poses a significant risk to the security of personal information include the size and complexity of the business and the nature and scope of the processing activities. Thus, it is possible that the regulations will not require all businesses to undergo a security audit, e.g., if they are not collecting or processing sensitive information.
Will companies be required to designate an employee responsible for privacy compliance?
Not specifically. While the CPRA will require businesses whose processing poses a “significant risk” to consumers’ privacy or security to conduct an annual risk assessment and submit it to the newly-created California Privacy Protection Agency, the CPRA does not require that businesses appoint a “Chief Privacy Officer” or similar individual responsible for compliance with the CCPA and CPRA. Practically speaking, businesses may find compliance easier to achieve if the responsibility for doing so is assigned to a designated individual.
What additional rights does the CPRA grant to California consumers?
The CCPA provides California residents with the right to know what personal information businesses are collecting about them, the right to request deletion, and the right to opt out of the sale of their personal information.
The CPRA goes a step further and grants additional rights. These rights include the right to (a) fix errors or correct inaccurate personal information (sometimes known as the right to rectification), (b) opt out of information sharing with third parties for behavioral advertising across websites, (c) object to certain uses of their sensitive information (e.g., Social Security number and other identity-related information, financial information, race or religious information, precise geolocation, etc.), and (d) object to automated decision-making and profiling.