The Next Generation of CCPA Compliance Requirements

The 2020 elections not only saw record turnout, but also ushered in a suite of new laws and lawmakers. Voters in California had a dozen propositions on the ballot, but one that has far reaching implications for citizens and organizations alike is Proposition 24, the California Privacy Rights Act (CPRA) — or as we call it, the CCPA 2.0.

CCPA 2.0 passed with 56.1% of the vote in California, and when it goes into effect in January 2023 it will amend the original California Consumer Privacy Act (which we’ll refer to as “CCPA 1.0”). With the proliferation of sensitive personal data use and the rapid acceleration to cloud data platforms, it can be hard to keep up with what these changes mean, and how to absorb them compliantly and efficiently. We break down what CCPA 2.0 is and its implications for your organization’s data use.

For starters, what does CCPA 2.0 mean for CCPA 1.0?

CCPA 1.0 is the most important state-level privacy framework in the US. While it has often been described as a “light” version of the GDPR, it introduced a similar list of privacy rights — information, access, deletion and opt-out, to name a few.

To illustrate this point, let’s look at the three key differences between CCPA 1.0 and GDPR:

  1. Consent Gathering. CCPA 1.0 is based on a “notice and consent” model. Consumers must be informed about the purposes for which their personal information is processed and have the option to opt out when personal information is sold to third parties. GDPR, on the other hand, is based upon a “data protection by design” approach. This model offers a variety of legal bases to justify processing activities, and if consent is required it must be opt-in.
  2. Organization Size. CCPA 1.0 excludes non-profit organizations and many small businesses from its framework. Meanwhile, GDPR applies to all types of organizations, although recording obligations are lighter for organizations with fewer than 250 employees.
  3. Enforcement Power. CCPA 1.0 relies on a relatively narrow private right of action for enforcement. Citizens can help enforce the law themselves through lawsuits, but only in case of security breaches. Under GDPR, each Member State has its own regulator with enforcement powers, called a Supervisory Authority. Data subjects have a right to lodge a complaint before their Member State’s Supervisory Authority for any type of violation under the framework.

So what’s new about CCPA compliance requirements?

From a high level perspective, CCPA 2.0 moves CCPA 1.0 closer to GDPR for large organizations — specifically relative to individual rights and enforcement. There are a few measures in particular that guide this:

  1. In this iteration, CCPA compliance requirements expand the list of rights granted to consumers. It introduces new rights, such as rectification and restriction, and extends the opt-out right to include data exchanges characterized as either “sales” or “sharing.” Processing sensitive information for legitimate business purposes is more restricted than under CCPA 1.0 and the definition of consent is now similar to GDPR’s definition.
  2. Key data protection principles under GDPR are now expressly acknowledged or strengthened. This includes data minimization (“only process the amount of data that is reasonably necessary and proportionate to achieve your purpose”) and purpose limitation (“only process the data for a predetermined or compatible purpose”). Of note, for under-16 minors, opt-in consent must be obtained for “narrowly defined particular purposes.”
  3. CCPA 2.0 sets up a new regulator called the California Privacy Protection Agency (PPA). While the private right of action remains intact, PPA will be responsible for primary enforcement. PPA has the power to impose administrative fines — up to $2,500 per violation — and triples them to $7,500 per violation when under-16 minors are involved.

Aside from consent and enforcement, CCPA 2.0 introduces a new definition of “sensitive personal information.” The definition is unique to this regulation but loosely inspired by GDPR. Among other things, this definition of sensitive personal information includes information that reveals details about a consumer’s:

  • Precise geolocation
  • Racial or ethnic origin, religious, or philosophical beliefs, or union membership
  • Mail, email, and text message content, unless the business is the intended recipient of the communication
  • Genetic, biometric or health information
  • Sex life or sexual orientation

Organizations must be prepared to bring this sensitive personal information within the scope of CCPA 2.0’s other provisions to ensure compliance with its data privacy stipulations.

What does CCPA 2.0 mean for your organization’s data?

The bottom line for data-driven organizations is that it’s time to centralize policy enforcement mechanisms.

In a day and age in which data engineers and architects are managing data pipelines across multiple cloud compute platforms, using disparate tools and tactics for implementing and enforcing data protection policies is no longer realistic. The most powerful and effective way to protect privacy in practice is to streamline the process with a single, automated data security platform like Immuta.

For example, new CCPA compliance requirements double down on purpose restrictions and integrate them as a key part of the regulatory compliance framework. Immuta’s dynamic, fine-grained access control includes purpose-based restrictions, so data teams can limit data use to specific purposes and ensure that data sets are accessed according to those purposes.

Additionally, Immuta enables privacy by design and supports a variety of key data protection principles, providing a layered approach to safeguarding privacy. Data minimization — a key aspect of CCPA 2.0 — can be implemented using Immuta’s dynamic data masking, data minimization policy, and time-based policies.
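To make the two mechanisms above concrete, here is an added illustration (not Immuta’s code, and not code from the original post) of purpose-based access control combined with data minimization. A caller must declare and acknowledge a registered purpose; columns the purpose does not need are dropped; and any of the CCPA 2.0 sensitive categories listed earlier that the purpose is not explicitly cleared to read are masked rather than returned. The purpose names, column names, customer records and the mapping of sensitive categories to columns are all constructed assumptions for this example.

```python
"""Purpose-based access control with data minimization and masking.

Added illustration only: the policies, column names and records below are
constructed for this example and are not Immuta's implementation.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# CCPA 2.0 "sensitive personal information" categories, mapped to hypothetical
# column names in a constructed customer table (the mapping is an assumption).
SENSITIVE_COLUMNS: FrozenSet[str] = frozenset({
    "precise_geolocation",   # precise geolocation
    "ethnicity",             # racial or ethnic origin
    "religion",              # religious or philosophical beliefs
    "union_membership",      # union membership
    "message_body",          # mail, email and text message content
    "health_condition",      # genetic, biometric or health information
    "sexual_orientation",    # sex life or sexual orientation
})


@dataclass(frozen=True)
class PurposePolicy:
    """What a single declared purpose is allowed to see."""
    purpose: str
    allowed_columns: FrozenSet[str]                    # anything else is dropped
    sensitive_in_clear: FrozenSet[str] = frozenset()   # sensitive columns readable unmasked


# Hypothetical purpose catalogue; a real deployment would derive it from its
# register of processing purposes.
POLICIES: Dict[str, PurposePolicy] = {
    "fraud_investigation": PurposePolicy(
        purpose="fraud_investigation",
        allowed_columns=frozenset({"customer_id", "email", "last_login_ip", "precise_geolocation"}),
        sensitive_in_clear=frozenset({"precise_geolocation"}),
    ),
    "product_analytics": PurposePolicy(
        purpose="product_analytics",
        allowed_columns=frozenset({"customer_id", "plan_tier", "precise_geolocation"}),
        # no sensitive_in_clear: geolocation survives only in coarsened form
    ),
}

# Constructed sample data (not real customers).
CUSTOMERS: List[dict] = [
    {
        "customer_id": "c-001",
        "email": "a.example@example.com",
        "plan_tier": "pro",
        "last_login_ip": "198.51.100.7",
        "precise_geolocation": (37.77493, -122.41942),
        "ethnicity": "not collected",
        "health_condition": "asthma",
    },
]


class AccessDenied(Exception):
    """Raised when no registered purpose is declared or the purpose is not acknowledged."""


def validate_policies(policies: Dict[str, PurposePolicy]) -> List[str]:
    """Catch misconfigured policies: a purpose may only read a sensitive column in
    the clear if that column is also in its allowed set and is actually sensitive."""
    problems = []
    for name, pol in policies.items():
        for col in pol.sensitive_in_clear:
            if col not in SENSITIVE_COLUMNS:
                problems.append(f"{name}: {col} is not a sensitive column")
            if col not in pol.allowed_columns:
                problems.append(f"{name}: {col} cleared but not allowed")
    return problems


def mask(column: str, value: object) -> str:
    """Coarsen rather than reveal: geolocation is rounded to roughly city scale,
    every other sensitive value is redacted outright."""
    if column == "precise_geolocation" and isinstance(value, tuple):
        lat, lon = value
        return f"~({round(lat, 1)}, {round(lon, 1)})"
    return "[REDACTED]"


def minimize(records: List[dict], purpose: str, acknowledged: bool) -> List[dict]:
    """Return records reduced to what the declared, acknowledged purpose may see."""
    if not acknowledged:
        raise AccessDenied("caller must acknowledge the declared purpose")
    policy = POLICIES.get(purpose)
    if policy is None:
        raise AccessDenied(f"no policy registered for purpose {purpose!r}")
    out = []
    for rec in records:
        row = {}
        for col, val in rec.items():
            if col not in policy.allowed_columns:
                continue                                   # data minimization
            if col in SENSITIVE_COLUMNS and col not in policy.sensitive_in_clear:
                row[col] = mask(col, val)                  # purpose not cleared for it
            else:
                row[col] = val
        out.append(row)
    return out


if __name__ == "__main__":
    assert not validate_policies(POLICIES)
    print(minimize(CUSTOMERS, "product_analytics", acknowledged=True))
    print(minimize(CUSTOMERS, "fraud_investigation", acknowledged=True))
```

The design point is that the same table yields different views depending on the declared purpose, and the decision is taken in one place: adding a purpose means adding one catalogue entry, and `validate_policies` rejects an entry that would let a purpose read a sensitive column it has not been granted.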

CCPA 2.0’s de-identification provision has also been reworded and appears less absolutist — meaning the flexibility and power of Immuta policies are even more applicable. Taking a blended approach to de-identification — in other words, combining data policy and purpose acknowledgements — saves data teams time and vastly increases the data’s utility while preserving privacy.

Finally, with a newly formalized definition for sensitive personal information, it behooves data teams to have an efficient, comprehensive system in place for sensitive data discovery. The proliferation of personal data makes manually detecting, tagging, and implementing appropriate policies and data sharing agreements highly taxing on data engineers and architects. In preparing for CCPA 2.0, data teams can lean on Immuta’s sensitive data discovery capability to automate classifying and tagging sensitive, direct, and indirect identifiers for efficient human inspection.

To step back and look at the big picture, CCPA 2.0 is yet another sign that privacy and data protection are becoming central pillars in the regulation of new technology. We expect many more privacy laws like CCPA 2.0 — or even more stringent ones — to be passed in the months ahead. Getting ahead of the regulatory curve by streamlining your data access control strategy now will help avoid haphazard approaches to achieving compliance while ensuring optimal data protection.

Read more about the details of CCPA 2.0 in our white paper, Beyond Cosmetic Compliance in Data Analytics: A Guide to CPRA. To see Immuta’s built-in regulatory starter policies and other data access control capabilities, request a demo today.
