Without question, 2020 has been an interesting year, and with so much attention paid to the recent U.S. Presidential election, it is easy to overlook an important ballot initiative, Proposition 24, which effectively replaces the relatively new California Consumer Privacy Act (CCPA). For businesses that buy, share or utilize California resident data, this is big.
Consumer demand for privacy rights and protection of personal information continues to drive regulatory reform worldwide. For example, the General Data Protection Regulation (GDPR) mandate in Europe has redefined privacy and data protection efforts, leaving many jurisdictions, including the United States, to follow suit.
California is no different. Seeking to enhance and improve on the existing CCPA, Proposition 24, also known as the Consumer Privacy Rights Act (CPRA), gives consumers greater powers over corporate use of their sensitive personal information. Furthermore, the Act establishes a new regulatory body, the California Privacy Protection Agency, which has oversight and enforcement duties in parallel with the California Department of Justice.
There are many notable provisions in the CPRA; too many to list. However, several novel features bring the CPRA closer into line with Europe’s GDPR. Some of the standout provisions include:
For many technology, financial and other organizations dealing with big data, CPRA compliance comes down to a three-part test:
Under the CPRA, affected businesses are required to submit an annual cybersecurity audit, as well as risk assessments. This means that now, more than ever, businesses need to move from cumbersome email and spreadsheet compliance practices to streamlined and integrated compliance management and risk platforms.
One solution to this challenge is the MetricStream Compliance Management product, which simplifies and strengthens compliance with regulations across organizations while improving visibility into control effectiveness and ensuring timely issue remediation.
MetricStream Compliance Management, built on the MetricStream M7 Integrated Risk Platform (intelligent by design), helps manage a wide range of compliance requirements, including CCPA, in an integrated manner. Policies, standards, regulations and controls are aligned, eliminating inefficiencies and redundancies. Compliance processes, including workflows, self-assessments, surveys and issue remediation, are fully supported.
Key features of MetricStream Compliance Management include:
CPRA, like GDPR, is here to stay, and businesses around the world that touch California consumer data will have to make substantive changes to their compliance programs. Although the majority of the CPRA provisions do not go into effect until January 1, 2023, a one-year “look-back provision” will govern data collected starting January 1, 2022. As many compliance professionals know, this does not give businesses much time to modify and update their workflows, policies and practices. Given this short window for reaching compliance, it is fair to say that indeed, we are living in interesting times.