By Kyle McNabb.
The rolling thunder of data regulations rumbles on — much to the dismay of companies and the delight of consumers. The latest rainmaker (or taker) is California’s Proposition 24. This consumer privacy ballot initiative, containing the Consumer Privacy Rights Act (CPRA), was passed on November 3, 2020, establishing a new standard for data privacy in the state. The CPRA builds on the California Consumer Privacy Act (CCPA), addressing its predecessor’s shortcomings and expediting California’s legislation on data privacy.
While Proposition 24 has been nicknamed CCPA 2.0, it is much more than another drop in the regulatory bucket. It will enforce new requirements that companies must take note of and prepare for — both with their compliance strategies and long-term approach to data privacy, which is clearly here to stay.
What Does Proposition 24 Mean for Data Privacy?
There is a key difference between the CCPA, which just became enforceable months ago, and Proposition 24 (and the CPRA). Proposition 24 will become a state law as written, not legislatively enacted — which means it can’t be amended without more voter action, like another ballot initiative. Why does this matter?
The passing of Proposition 24 in California is further proof that consumers want a say in how they are tracked on the internet and how their data is used by companies. They feel so strongly about these rights that they’ve already improved upon the CCPA and ensured these improvements were more legislatively permanent. That’s telling. Proposition 24 represents more than a surge in regulations — it embodies an awakening of the modern consumer.
With a greater burden placed on businesses to stay on top of cybersecurity audits and risk assessments, it’s increasingly important they have a handle on how much data lives within their organization, how sensitive it is, and how much risk is involved in their handling of that data.
How Does Proposition 24 Change the CCPA?
The new legislation will ultimately strengthen and give new teeth to the existing CCPA by creating new privacy rights for consumers, obligations for businesses, and enforcement mechanisms through a new state agency. Under Proposition 24, consumers gain the right to:
- Correct personal information
- Know the length of data retention
- Opt out of advertisers using precise geolocation
- Restrict usage of sensitive personal information
While the new legislation does roll back requirements on companies to respond to individual data requests and provide full data reports, other laws still require businesses to provide individuals with information about how their data is used. In other words, companies shouldn’t be thinking about relaxing any data privacy and security efforts they have in place. Instead, businesses should look out for four big changes from Proposition 24:
- It defines a new category of “sensitive personal information,” which is broader and stricter than just “personal information.” For instance, new stipulations include tripling penalties for violations concerning consumers younger than 16 years old.
- It creates a new state agency: the California Privacy Protection Agency (CPPA), the first of its kind in the United States. The CPPA will have full administrative power and oversight for enforcement, including audits.
- It prohibits precise geolocation tracking to a location within roughly 250 acres. To accommodate this change, companies will have to adjust their data collection processes.
- It allows consumers to limit the use and disclosure of sensitive personal information based on the broader category.
The key here is that the legislation still gives consumers data rights they didn’t have previously, and companies will need to actively make changes to their data collection practices.
How Should Companies Prepare for Proposition 24?
While the new legislation won’t go into effect until the start of 2023, consumers’ right to access their personal information will extend back to data collected by companies on or after January 1, 2022. That gives businesses just a year to prepare for these massive changes, so it’s critical they begin their preparations now. In fact, state-specific legislation will drive data privacy regulations to go national. To prepare for the future, businesses must invest in tools that make it easier to protect the privacy of consumers’ information and govern that information in compliance with regulations.
Organizations need to build trust with their data — knowing where it lives, where it came from, and who has touched it. For many companies, trust begins with building an automated “as is” data inventory, which collects metadata from sources inside and outside the business. Proposition 24, like other data privacy regulations, requires that companies can quickly locate all sensitive personal information to respond to data consumer requests or opt-outs. A data inventory automates the scanning and identification of sensitive personal data across the entire organization — giving companies a full view of the information they have and where it is.
That said, data intelligence alone is not enough for compliance — companies also need visibility into where sensitive personal information resides within their documents, content, and records. This is a major roadblock for companies. Most businesses lack the ability both to find sensitive information within content and to associate that information with a specific person — and it’s only getting worse with remote work and content sprawl. Companies must operationalize privacy compliance in order to adhere to consumer requests around their data. They need a governance strategy that can locate personal information anywhere in the enterprise. Having solutions with capabilities such as rules-based retention, redaction, and auditability of access makes this process much easier, especially when responding to consumer questions/requests.
By implementing a privacy-aware information management strategy — for both structured and unstructured data — organizations can understand their entire ecosystem. Heading into 2021, it will be increasingly important to proactively seek out dark data, tackle compliance, and prepare for current and future data privacy regulations like Proposition 24.
It’s no longer enough to simply manage data and content. As the GDPR, CCPA, and now CPRA have shown, data privacy regulations will only keep coming — and they will be increasingly targeted, intentional, and perhaps even stricter. Companies outside of California, or the EU for that matter, must resist the urge to turn a blind eye while they are not the direct subjects of data regulations. Because while data privacy laws may sound like distant thunder today, the lightning is on its way.