Our previous coverage details the many changes the California Privacy Rights Act of 2020 (CPRA) has undergone since it was first proposed in 2020 as a replacement for the California Consumer Privacy Act of 2018 (CCPA). Fingers crossed that those changes are finalized, since the CPRA is set to take effect in just a few weeks, on January 1, 2023.
But that might not be the case—the California Privacy Protection Agency (CPPA) is still taking public comments on the modified text of the CPRA—an outline of which can be found here—and has announced it will hold a virtual meeting, open to the public, on December 16, 2022, at 9:00 am PST, to discuss:
- The CPPA memorandum addressing the CPPA’s position on privacy legislation that has been or will be introduced at the state and federal level;
- The CPPA memorandum on appointing members to the California Children’s Data Protection Working Group pursuant to the California Age-Appropriate Design Code Act;
- The CPPA presentation on next steps regarding the CPRA’s Rule Subcommittee; and
- The CPPA memorandum on budget policy.
Because of the potential for further changes, Reuters notes that businesses likely won’t receive their full marching orders until the end of January or February 2023, “given the Office of Administrative Law’s (OAL) 30-day review period.”
Regardless of the outcome of this virtual meeting, your organization can begin preparing for the release of the CPRA now by:
- Determining if the CPRA applies to your organization;
- Establishing a means of receiving consumer requests or complaints regarding their personal information, along with policies and procedures for carrying out a consumer's request to exercise their rights to access, correct, delete, and port their data, and to opt out of having it shared;
- Establishing a written information security plan that will ensure the confidentiality and accessibility of personal data;
- Updating your consumer-facing applications and websites to include privacy notices and disclosures;
- Limiting your organization's data collection and retention to only that which is necessary;
- Adopting a policy requiring data minimization and retention principles, under which an organization collects a consumer's personal information or data only if it is necessary;
- Establishing safeguards to protect collected consumer information, and procedures to delete that information once your organization no longer needs it; and
- Reviewing your organization's security safeguards to ensure your processes for encrypting, authenticating, and controlling access to consumer information are in accordance with the most recent guidelines, including those provided by NIST.
* * * * * * *
To read our news alerts discussing: Morrison Foerster publishes 2023 cybersecurity predictions from experts in the field, Ireland’s DPC probes Musk’s Twitter over data dumps, European Commission announces it has reached an adequacy decision for the EU-U.S. Data Privacy Framework, click here.
This week’s breach report covers breaches of the following companies: Uber, San Gorgonio Memorial Hospital, Sequoia, California Department of Finance, Twitter, LastPass. Click here to find out more.
Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!
Our most recently released episodes:
83 | Geofence Warrants and January 6: Constitutional and Privacy Issues (with guest Matthew Esworthy)
82 | A Look at the Consequences of the Uber and Twitter CISO Cases (with guest Ron Raether)
81 | Looking at Cyber Leadership & Costly Mistakes (with guests Rachel Briggs and Richard Brinson)
To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.