California’s privacy laws, CCPA and CPRA
If your organization does business in California, it may be affected by recent and upcoming changes to the state's privacy laws. Find out whether and how they apply to you, and how our email archiving solution can help you comply with them.
Background
California’s privacy rights and laws have changed in recent years. First, there was the California Consumer Privacy Act (CCPA) of 2018. Intended to enhance privacy rights and protect consumers more effectively, it took effect on January 1, 2020.
Then, in November of the same year, the state's voters approved Proposition 24, also known as the California Privacy Rights Act of 2020 (CPRA). It builds on the earlier Act, expanding data privacy law, giving consumers greater control over their personal data, and establishing a new enforcement body, the California Privacy Protection Agency. Most of its provisions take effect on January 1, 2023.
Businesses affected
CCPA, the Act already in force, applies to any for-profit organization doing business in California that meets at least one of three thresholds: annual gross revenues over $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices annually; or deriving 50% or more of its annual revenue from selling consumers' personal information.
From January 1, 2023, CPRA changes those thresholds. It will apply to any organization doing business in California that either has annual gross revenues over $25 million (a figure that is adjusted for inflation); or buys, sells or shares the personal information of 100,000 or more consumers or households annually (devices no longer count); or derives 50% or more of its annual revenue from selling or sharing consumers' personal information.
The International Association of Privacy Professionals (IAPP) estimated that CCPA would affect over 500,000 US companies. CPRA will move that number in both directions: the higher consumer threshold takes some smaller businesses out of scope, while counting "sharing" as well as selling brings others in.
Rights granted by CCPA
This Act gives California residents the right to:
- Know what personal information an organization collects about them
- Be told whether that information is sold or disclosed, and to whom
- Opt out of the sale of their personal information
- Access the personal information held about them
- Ask a business to delete personal information it has collected from them
- Not be discriminated against for exercising any of these rights
In addition, California Civil Code section 1798.81.5, on which the Act's data-breach right of action rests, requires businesses to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure."
Additional rights, granted by CPRA
CPRA will empower California residents to:
- Request that an organization correct inaccurate personal information it holds about them
- Opt out of automated decision-making based on their personal information (the detail is left to regulations the new agency is charged with issuing)
- Have their personal information transmitted from the organization holding it to another entity in a commonly used, machine-readable format ("data portability"), where technically feasible
- Limit a business's use and disclosure of their sensitive personal information
Effects on business
The CCPA is impacting, and the CPRA will impact, the businesses described above in a number of ways. Read about them below, and then discover how our email archiving system can help you comply with the law and deal with the impacts.
The CCPA has forced businesses to take cybersecurity seriously and to be more careful with the personal information they hold. If your business already complies with the Act, good. If it doesn't, be warned:
A California resident can now sue an organization if their non-encrypted and non-redacted personal information is exposed in a data breach that results from the organization's failure to maintain reasonable security. Statutory damages run from $100 to $750 per consumer per incident, so the exposure scales with the number of people affected. There has already been plenty of litigation. In February 2021, TikTok agreed to pay $92 million to settle a class action over the alleged "theft" of personal data. The year before, children's clothing retailer Hanna Andersson paid $400,000 to settle a class action over a data breach. Many other companies were sued under CCPA in its first year, including Salesforce, Walmart and Zoom.
In addition to protecting personal information compliantly, your business now has to be prepared, when people ask, to:
- Tell them what personal information you hold about them
- Delete that information
Requests of either kind normally have to be answered within 45 days, so you need a way to locate every copy of a person's data, not just the one in your CRM.
Taken together, CCPA and CPRA bring California's privacy law close to the EU's General Data Protection Regulation (GDPR). If you already comply with GDPR, much of the groundwork (data inventories, access and deletion workflows, retention rules) is done, but the two regimes are not identical: California works mainly through opt-out rights over the sale and sharing of data, whereas GDPR requires a lawful basis, such as consent, before processing starts. A gap analysis is still worthwhile.
CPRA gives businesses extra responsibilities in handling personal information and widens your liability exposure for data breaches. From 2023 the private right of action also covers a breach of an email address together with a password or security question that would allow access to the account, and statutory damages remain available without the consumer having to prove actual loss.
Also, with CPRA, you’ll need to:
- Handle consumers' requests to limit your use of their sensitive personal information, including providing a "Limit the Use of My Sensitive Personal Information" link
- Allow consumers to opt out of both the sale and the sharing of their personal information
- Keep personal information no longer than is reasonably necessary for the purpose you disclosed when collecting it, and dispose of it once that purpose is served
- Be prepared to document and assess your data collection practices, and be able to show why you need to retain particular personal information
What you can do
It’s important to:
- Check that you’re complying with CCPA
- Make sure your business is ready for January 1, 2023, when CPRA comes into force
This is where your organization's email system comes in. Your email archive is one of your largest repositories of personal information. With the right software, you can store that data securely and compliantly, find it quickly when answering requests, and dispose of it when a data subject asks or when you no longer need it.
Importance of compliant email archiving
Emails contain employee data ranging from résumés and contact details to performance reviews, plus customer and supplier correspondence that includes personal details. Depending on your industry, your organization is likely to hold between one and seven years' worth of email.
So it's important to make sure your archiving solution can comply with California's privacy regulations.
Cryoserver can help. Our email archiving solution, used by businesses of all sizes, is designed to meet privacy compliance standards worldwide, as our parent company's name, Forensic & Compliance Systems, promises.
We already help organizations across Europe meet their GDPR obligations, and the same capabilities cover California's CCPA and CPRA requirements.
Secure, compliant storage
Cryoserver stores a copy of every email and attachment sent or received in a secure, tamper-evident, encrypted archive. If your business suffers data loss or a cyber-attack affecting your Office 365 tenant or on-premises mail server, a complete copy of your email survives in the archive. You also control who can access the emails stored there.
Address access requests quickly
Under CCPA, you need to fulfil right-to-access requests and delete personal information when asked. Cryoserver lets you find and remove all the relevant data from your emails and attachments quickly and compliantly, and gives you audited proof that you have met the request. Note that the deletion right has exceptions, including records you must retain to meet a legal obligation or an active legal hold, so your retention policy and hold rules need to be reconciled with the deletion workflow before a request is actioned.
Privacy by design
When we developed Cryoserver, the privacy and rights of end users were key considerations. This "privacy by design" philosophy is at the core of the solution and gives organizations and individual employees enhanced privacy options: role-based access to archived emails, audit trails at every level, and preservation of those audit trails, all overseen by the employees you appoint as archive custodians, whom we call "Data Guardians". Because archived messages cannot be altered, Cryoserver is intended to serve as an evidential repository suitable for use in court. The software is designed to protect your employees' rights.
To see how Cryoserver can help your business comply with both CCPA and CPRA – on top of being a handy productivity tool for everyday business – book a demo or email us.