As the amount of digital data continues to grow, so has the number of laws designed to regulate it. Much like the GDPR and other digital privacy laws, the California Consumer Privacy Act (CCPA) was established several years ago to increase transparency, access, and control over a consumer's personal information. Now, just a few years later, new legislation, the California Privacy Rights Act (CPRA), is taking effect.
While the CPRA has "California" in its name, its implications stretch beyond the state's borders. As with the GDPR, a company does not need a physical presence in California for the law to apply to it. Because the CPRA protects the personal data of California residents regardless of where that data is collected or stored, any company that collects data from or about consumers based in California is subject to CPRA mandates.
Further, CPRA compliance regulations apply to data stored both on-premises and in the cloud. Cloud data in particular can be challenging to monitor, and it can be hard to know which security risks affect it. Below, we outline several steps to take now to ensure your cloud data is CPRA compliant, and how OwnBackup can help support these efforts.
As an amendment to the CCPA, the CPRA expands the CCPA's privacy provisions, such as the requirement that businesses disclose which personal information they collect and allow consumers to opt out of the sale of their personal data.
However, the CPRA goes beyond the CCPA in three main ways:
Since the CPRA grants individuals various rights regarding how their data is used, one-size-fits-all data protection policies are not sufficient for maintaining CPRA compliance. Instead, companies need a granular way to manage data that lets them tailor data policies across the various cloud environments where the data is stored.
Because the CPRA adds new categories to the list of personal data that must be protected, teams should start by identifying which data is considered personal and sensitive. After identifying this data, you can classify it based on internal data classification policies. If you use automated data discovery or classification tools, you should also update the policies that control them.
As mentioned above, in addition to internal audits, companies must generate reports proving CPRA compliance efforts and submit them to the CPRA compliance agency. These reports must demonstrate that reasonable data protections are in place.
For these reasons, you will need to develop your own auditing processes if you do not already have them in place, and make sure that the audit reports they generate are sufficient for CPRA regulators.
While the CPRA does not set specific data retention limits, it does state that retention "shall be reasonably necessary and proportionate to achieve the purposes" for which the data was collected or processed, or for another disclosed purpose.
With thousands (or more) of records entering and leaving your cloud environments daily, it is critical to have an official data retention policy on record. Your data retention policy should look holistically at all the data entering your cloud environments and should define which data you are retaining, each data type's sensitivity level, and which regulations specify minimum or maximum retention periods for it.
The CPRA requires businesses to implement and maintain "reasonable security procedures," meaning that they must protect any data they hold from destruction, unauthorized modification, and unauthorized access.
Various events, including data breaches and human errors, can lead to incident response situations under CCPA and CPRA. For example, even incorrectly updating or mistakenly deleting data requires notification under CCPA and CPRA.
A robust data protection plan lets your company move quickly and confidently into incident response when a breach occurs, a capability critical to satisfying California's requirements. This includes the ability to pinpoint which data was affected and to recover it promptly.
OwnBackup can help you achieve CPRA compliance within critical SaaS platforms such as Salesforce, Microsoft Dynamics 365, and ServiceNow when paired with a well-designed compliance strategy. In addition, OwnBackup's security processes have passed Salesforce security reviews, comply with SOC 2 Type II requirements, and are ISO certified.
Below are some of our product features that are particularly helpful for ensuring CPRA compliance:
Request a demo today to learn more about OwnBackup and how we can help you achieve CPRA compliance.