
CCPA 2.0: What It Means for Protecting Your Data

This year’s elections not only saw record turnout, but also ushered in a suite of new laws and lawmakers. Voters in California had a dozen propositions on the ballot. One with far-reaching implications for citizens and organizations alike is Proposition 24, the California Privacy Rights Act (CPRA), or as we call it, the CCPA 2.0.

CCPA 2.0 passed with 56.1% of the vote in California, meaning that it is on track to become effective in California in January 2023 and amend the original California Consumer Privacy Act (which we’ll refer to as “CCPA 1.0”). With the proliferation of sensitive personal data use and the rapid acceleration to multi-cloud compute platforms, it can be hard to keep up with what these changes mean and how to absorb them compliantly and efficiently. We break down what CCPA 2.0 is and its implications for your organization’s data use.

For starters, what does CCPA 2.0 mean for CCPA 1.0? 

CCPA 1.0 is the most important state-level privacy framework in the US. While it has often been described as a “light” version of the GDPR, it introduced a similar list of privacy rights — information, access, deletion and opt-out, to name a few. 

To illustrate this point, let’s look at the three key differences between CCPA 1.0 and GDPR: 

  1. Consent Gathering. CCPA 1.0 is based on a “notice and consent” model. Consumers must be informed about the purposes for which their personal information is processed and have the option to opt out when personal information is sold to third parties. GDPR, on the other hand, is based upon a “data protection by design” approach. This model offers a variety of legal bases to justify processing activities, and if consent is required it must be opt-in. 
  2. Organization Size. CCPA 1.0 excludes non-profit organizations and many small businesses from its framework. Meanwhile, GDPR applies to all types of organizations, although recording obligations are lighter for organizations with fewer than 250 employees. 
  3. Enforcement Power. CCPA 1.0 relies on a relatively narrow private right of action for enforcement. Citizens can help enforce the law themselves through lawsuits, but only in case of security breaches. Under GDPR, each Member State has its own regulator with enforcement powers, called a Supervisory Authority. Data subjects have a right to lodge a complaint before their Member State’s Supervisory Authority for any type of violation under the framework. 

So what’s new about CCPA 2.0? 

From a high-level perspective, CCPA 2.0 moves CCPA 1.0 closer to GDPR for large organizations, specifically with respect to individual rights and enforcement. There are a few measures in particular that guide this:

  1. CCPA 2.0 expands the list of rights granted to consumers. It introduces new rights, such as rectification and restriction, and extends the opt-out right to include data exchanges characterized as either “sales” or “sharing.” Processing sensitive information for legitimate business purposes is more restricted than under CCPA 1.0 and the definition of consent is now similar to GDPR’s definition.
  2. Key data protection principles under GDPR are now expressly acknowledged or strengthened. This includes data minimization (“only process the amount of data that is reasonably necessary and proportionate to achieve your purpose”) and purpose limitation (“only process the data for a predetermined or compatible purpose”). Of note, for under-16 minors, opt-in consent must be obtained for “narrowly defined particular purposes.” 
  3. CCPA 2.0 sets up a new regulator called the California Privacy Protection Agency (PPA). While the private right of action remains intact, PPA will be responsible for primary enforcement. PPA has the power to impose administrative fines of up to $2,500 per violation and to triple them to $7,500 per violation when under-16 minors are involved.

Aside from consent and enforcement, CCPA 2.0 introduces a new definition of “sensitive personal information.” The definition is unique to this regulation but loosely inspired by GDPR. Among other things, this definition of sensitive personal information includes information that reveals details about a consumer’s:

  • Precise geolocation 
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership 
  • Mail, email and text message content, unless the business is the intended recipient of the communication
  • Genetic, biometric or health information 
  • Sex life or sexual orientation

Organizations must be prepared to incorporate this sensitive personal information into CCPA 2.0’s other provisions to ensure compliance with its data privacy stipulations.

What does CCPA 2.0 mean for your organization’s data? 

The bottom line for data-driven organizations is that it’s time to centralize policy enforcement mechanisms. 

In a day and age in which data engineers and architects are managing data pipelines across multiple cloud compute platforms, using disparate tools and tactics for implementing and enforcing data protection policies is no longer realistic. The most powerful and effective way to protect privacy in practice is to streamline the process with a single, cross-cloud automated data access governance solution like Immuta.

For example, CCPA 2.0 doubles down on purpose restrictions and integrates them as a key part of the regulatory compliance framework. Immuta’s dynamic, fine-grained data access controls include purpose-based access control, so data teams can limit data use to specific purposes and ensure that certain data sets are accessed according to those purposes. 

Additionally, Immuta enables privacy by design and supports a variety of key data protection principles, providing a layered approach to safeguarding privacy. Data minimization, a key aspect of CCPA 2.0, can be implemented using Immuta’s dynamic data masking tools, data minimization policy and time-based policies.

CCPA 2.0’s de-identification provision has also been reworded and appears less absolutist, meaning the flexibility and power of Immuta policies are even more applicable. Taking a blended approach to de-identification (in other words, combining data policy and purpose acknowledgements) saves data teams time and vastly increases the data’s utility while preserving privacy.

Finally, with a newly formalized definition for sensitive personal information, it behooves data teams to have an efficient, comprehensive system in place for sensitive data discovery. The proliferation of personal data makes manually detecting, tagging and implementing appropriate policies and data sharing agreements highly taxing on data engineers and architects. In preparing for CCPA 2.0, data teams can lean on Immuta’s sensitive data discovery capability to automate classifying and tagging sensitive, direct and indirect identifiers for efficient human inspection.

To step back and look at the big picture, CCPA 2.0 is yet another sign that privacy and data protection are becoming central pillars in the regulation of new technology. We expect many more privacy laws like CCPA 2.0 or even more stringent ones to be passed in the months ahead. Getting ahead of the regulatory curve by streamlining your data access governance strategy now will help avoid haphazard approaches to achieving compliance while ensuring optimal data protection.

To see Immuta’s built-in regulatory starter policies and other data access governance capabilities, request a demo today.