The California Privacy Rights Act (CPRA) makes a variety of amendments to the requirements in the California Consumer Privacy Act (CCPA). Effective January 2023, but retroactive to January 2022, the CPRA expands on the CCPA by increasing consumer and employee rights, strengthening privacy protections, and establishing an enforcement agency to protect California consumers and employees through more active enforcement of the law.
How OneTrust Helps
Evolve from “Tick-the-Box” Compliance to Automated Data Intelligence
The CPRA is more than just a “Do Not Share” link on your website. OneTrust helps automate a deep understanding of personal information and the controls that to apply for ongoing compliance
Fully Automated Consumer & Employee Rights Requests from Intake to Fulfillment
Fulfill rights requests for employees with OneTrust’s integrations with employee-specific channels, Data Discovery™ to pinpoint employee data, and automated redaction to protect sensitive information
Powered by Intelligence from the World’s Largest Regulatory Research Database
From templates to automation rules to classification algorithms, OneTrust’s CPRA solution is powered by intelligence from the DataGuidance community so your program is always up-to-date
Automate the Discovery, Classification, and Mapping of your Data
CHALLENGE
The CPRA requires companies to fully understand their data, what is being processed, and the purpose for processing. It also expands the amount of metadata that needs to be captured by adding a new data classification – Sensitive Personal Information (SPI) – and requirements around data minimization and retention. Finally, the CPRA requires additional analysis of how third parties use personal information.
HOW ONETRUST HELPS
OneTrust’s Data Discovery & Classification technology scans cloud and on-premise systems and structured and unstructured data sources to inventory all personal data, classify personal information vs. sensitive personal information, and extract metadata like created and last updated dates to help with the enforcement of retention policies. OneTrust also helps identify and manage the third parties involved in personal data processing, giving you an automated and holistic view of personal information in your organization.
Respond to Expanded Privacy Rights Requests
CHALLENGE
The CCPA gave consumers additional rights and control over their data. The CPRA expands upon these rights, including rights like data correction and portability, and also extends these rights beyond the consumer to employees. Employee rights requests create unique challenges including new methods of ID verification, larger data volumes, and greater amounts of unstructured data associated with the requestor.
HOW ONETRUST HELPS
OneTrust’s Privacy Rights (DSAR) Automation solution helps automate the consumer and employee request lifecycle from intake through fulfillment by embedding the request process into existing channels such as your website or employee portal, streamlining identity verification, automating the discovery of data associated with the requestor, and redacting sensitive information that should not be shared with the requestor using AI & ML driven classification models.
Enable the “Do Not Share” Opt-Out
THE CHALLENGE
Some organizations resisted the CCPA’s similar “Do Not Sell” requirement, not interpreting data shared for targeted advertising as a “sale” of personal information. This new requirement removes the ambiguity and sets a firm requirement for all organizations to provide an opt-out mechanism by way of a “Do Not Share My Personal Information” link on their website.
HOW ONETRUST HELPS
OneTrust’s Consent Management Platform (CMP) supports the “Do Not Share” opt out with pre-configured templates and settings across web, mobile, and CMP channels. Easily geo-target a banner or link to those browsing from California, ensure the proper opt-outs are communicated to third parties through the IAB’s CCPA framework, and integrate the OneTrust Privacy Rights solution to easily extend the opt-out beyond targeted advertising to other types of data sharing.
Perform Risk Assessments & Annual Audits on High-Risk Processing
Challenge
Businesses undertaking high-risk processing, which present significant risks to consumer privacy or security, are required to perform annual audits and a thorough, independent cybersecurity audit annually. The CPRA essentially adopts the GDPR concept of DPIAs but takes it a step further, by affirmatively requiring such assessments to be submitted to a regulatory body on a regular basis.
How OneTrust Helps
Establish a process to ensure proper completion of annual cybersecurity audits and risk assessments for high-risk data processors. Get access to data and context needed to manage assessments, consolidate findings, and review recommendations over time to demonstrate continuous improvement initiatives.
Monitor AG Regulations and Other CPRA Updates
Challenge
The CPRA also establishes the California Privacy Protection Agency (CPPA) as enforcement agency exclusively focused on investigating data privacy complaints and vigorously enforcing CPRA violations. This addition places greater importance on organizations to stay updated on changes to the regulation and ensure they are taking all the appropriate steps to remain compliant.
How OneTrust Helps
OneTrust DataGuidance keeps organizations up-to-date with AG regulations and other CPRA updates. Access a CPRA portal with the latest news, opinions, and FAQs powered by a contributor network of over 500 lawyers and 40 in-house legal researchers. Insights from OneTrust DataGuidance are also built into the OneTrust tool, ensuring organizations are using the most updated templates and guidance.
Accelerate time to CPRA compliance with OneTrust
At its core, the CPRA expands the protections given to consumers under the CCPA and extends those protections to new types of individuals, including employees. Beyond the critical requirements that most organizations will address first, the CPRA also includes requirements for consent, policy & disclosure updates, employee rights requests, and risk assessments for high-risk processors. OneTrust’s Privacy Management platform, powered by DataGuidance Regulatory Research, is the most intelligent and automated platform for CPRA compliance.