The CPRA Countdown Continues – 4 Months to Go!
As of Jan 1, 2023 businesses subject to the California Privacy Rights Act – which expands and strengthens the 2018 California Consumer Privacy Act – will be required to publish additional metrics covering the privacy requests they process.
Are you required to publish privacy request metrics? Are you prepared to respond to and report on higher volumes of requests? Make the most of the next few months.
Do You Have to Publish Request Metrics?
Only businesses processing “large amounts of personal information” for commercial purposes are expected to report on their request handling. “Large amounts” continues to mean data concerning 10 million or more California residents, which is about 10% of the State’s population.
However, since the CPRA clarifies and expands on the CCPA, more businesses may find themselves subject to the reporting requirement. How so? It’s about the “sharing” of data.
Per the first set of CPRA Regulations, “A business that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares, or otherwise makes available for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year” must “compile and disclose” prescribed information.
This means if you disclose or transfer data to a business that provides cross-contextual behavioral advertising services, that disclosure counts towards your 10M threshold.
(You probably already know if your business is subject to the CPRA, but if not, take our CCPA/CPRA quiz to find out.)
What New Metrics Does the CPRA Require?
Reporting requirements remain largely the same but now include the CPRA’s two new rights—the right to correct personal information, and the right to limit the use of sensitive personal information. Counts for CPRA’s expanded right to opt-out of the sale or sharing of personal information must also be maintained.
Further, as of January 1, 2023, employees, contractors and business contacts will be able to exercise their California privacy rights like any other Californians. As privacy awareness continues to rise, organizations should expect to see more trackable requests from more kinds of “consumers”.
| Metrics | # Received | # Complied with in Whole or in Part | # Denied in Whole or in Part | Median or Mean Response Days | # Denials by Reason* |
|---|---|---|---|---|---|
| *NEW* Correction Requests | ✅ | ✅ | ✅ | ✅ | Optional |
| *BROADER* Do Not Sell or Share Opt-Out Requests | ✅ | ✅ | ✅ | ✅ | Optional |
| *NEW* Limit Use of Sensitive PI | ✅ | ✅ | ✅ | ✅ | Optional |
*Per § 7102(a)(2)(A) of the CPRA Regulations, a business may choose to provide metrics on the reasons for which it denied consumer requests. Example reasons include requests being not verifiable, not made by a “consumer”, calling for information exempt from disclosure or deletion, and so forth.
When Do You Need to Publish Metrics?
Do You Need to Maintain Records Supporting Metrics Reporting?
Yes! While many companies have handled privacy requests for years under EU data protection law, California’s is the first to prescribe a public accounting.
If you already have a robust DSR handling process you may already have the audit trails you need to support metrics reporting. Your DSR tickets and logs should at a minimum include:
- Date of CPRA request
- Nature of CPRA request
- Manner in which the CPRA request was made
- Date of the business’s response
- Nature of the response
- The reason for denying a CPRA request
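The record-keeping list above and the metrics table it feeds map directly onto a small aggregation job. The following Python is an added example, not DataGrail’s code or any regulator’s prescribed format: it models a DSR ticket with the six fields listed, then rolls a calendar year of tickets up into the table’s columns (received, complied in whole or in part, denied in whole or in part, mean and median response days, denials by reason) per request type. The field names, status vocabulary (`complied`, `partial`, `denied`) and the sample tickets are constructed for illustration, and treating a partially granted request as counting in both the “complied” and “denied” columns is an assumption about the table’s semantics, not something the page states.

```python
"""Roll DSR ticket records up into CPRA-style request metrics.

Added example (not DataGrail's code). Field names, status values and the
sample tickets below are constructed; the six fields mirror the record-keeping
list in the article.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class DsrTicket:
    request_date: date                  # Date of CPRA request
    request_type: str                   # Nature of request: "correct", "opt_out", "limit"
    channel: str                        # Manner in which the request was made
    response_date: Optional[date]       # Date of the business's response (None = pending)
    outcome: Optional[str]              # Nature of the response: "complied", "partial", "denied"
    denial_reason: Optional[str] = None  # Reason for denying (when denied or partial)


# Assumption: a partially granted request counts in BOTH "complied in whole or
# in part" and "denied in whole or in part".
COMPLIED = {"complied", "partial"}
DENIED = {"denied", "partial"}


def compute_metrics(tickets: Iterable[DsrTicket], year: int) -> Dict[str, dict]:
    """Return per-request-type metrics for requests received in `year`."""
    by_type = defaultdict(list)
    for t in tickets:
        if t.request_date.year == year:  # count by the date the request was received
            by_type[t.request_type].append(t)

    report = {}
    for rtype, group in sorted(by_type.items()):
        responded = [t for t in group if t.response_date is not None]
        days = [(t.response_date - t.request_date).days for t in responded]
        reasons = Counter(
            t.denial_reason or "unspecified" for t in group if t.outcome in DENIED
        )
        report[rtype] = {
            "received": len(group),
            "complied_whole_or_part": sum(t.outcome in COMPLIED for t in group),
            "denied_whole_or_part": sum(t.outcome in DENIED for t in group),
            "pending": len(group) - len(responded),
            "mean_response_days": round(mean(days), 1) if days else None,
            "median_response_days": median(days) if days else None,
            "denials_by_reason": dict(reasons),
        }
    return report


def render_table(report: Dict[str, dict]) -> str:
    """Render the report as a pipe table in the same shape as the article's."""
    lines = [
        "| Metrics | # Received | # Complied | # Denied | Median Days | Mean Days | Denials by Reason |",
        "|---|---|---|---|---|---|---|",
    ]
    for rtype, m in report.items():
        reasons = ", ".join(f"{k}: {v}" for k, v in m["denials_by_reason"].items()) or "-"
        lines.append(
            f"| {rtype} | {m['received']} | {m['complied_whole_or_part']} | "
            f"{m['denied_whole_or_part']} | {m['median_response_days']} | "
            f"{m['mean_response_days']} | {reasons} |"
        )
    return "\n".join(lines)


# Constructed sample tickets (not real data).
SAMPLE_TICKETS = [
    DsrTicket(date(2023, 1, 5), "correct", "web_form", date(2023, 1, 20), "complied"),
    DsrTicket(date(2023, 2, 1), "correct", "email", date(2023, 2, 11), "denied", "not_verifiable"),
    DsrTicket(date(2023, 3, 3), "correct", "web_form", date(2023, 4, 2), "partial", "exempt_information"),
    DsrTicket(date(2023, 1, 10), "opt_out", "web_form", date(2023, 1, 12), "complied"),
    DsrTicket(date(2023, 5, 2), "opt_out", "phone", date(2023, 5, 10), "denied", "not_a_consumer"),
    DsrTicket(date(2023, 6, 15), "limit", "web_form", None, None),            # still pending
    DsrTicket(date(2022, 12, 30), "limit", "email", date(2023, 1, 9), "complied"),  # prior year, excluded
]

if __name__ == "__main__":
    print(render_table(compute_metrics(SAMPLE_TICKETS, 2023)))
```

Two design points worth noting: requests are bucketed by the date received, so a request that arrives in December and is answered in January belongs to the earlier year’s report, and a ticket with no response date is reported as pending rather than silently dropped, which keeps the “received” count honest even when the response columns lag.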
What Are These Metrics For?
Metrics help businesses and public authorities benchmark compliance and plan for the future. In its original Final Statement of Reasons (FSOR), the Office of the California Attorney General explained why these metrics were important for public trust. The California Privacy Protection Agency reinforces these objectives in its own statement:
- Ongoing compliance. The Agency wants to know if businesses are complying with the new rights to correct and to limit, and whether they have sufficiently “clear guidance about their responsibilities” in relation to these and pre-existing rights.
- Imbalance and arbitrary denial. The CPRA and its regulations aim to put Californians in a better “position to knowingly and freely negotiate with a business over the business’ use” of their personal information. If businesses appear to systematically deny Californians their rights, the Agency will want to understand why. Undocumented or arbitrary reasons for denying CPRA requests may be further scrutinized.
- Transparency in the public interest. The Agency recognizes businesses may be subject to similar privacy laws in other jurisdictions, including in other US States. In considering its rules and guidance, the Agency aims to simplify “compliance for businesses operating across jurisdictions” and avoid “unnecessary confusion for consumers who may not understand which laws apply to them.” Metrics, when taken with other information, can help inform “the Agency, Attorney General, policymakers, academics, and members of the public” about businesses’ compliance challenges.
Since the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, millions of Californians (and non-Californians) have exercised their CCPA rights. In 2021 the numbers only went up: businesses had to process nearly double the number of privacy rights requests they processed in 2020. For example, organizations required to offer Do Not Sell (DNS) saw that 63% of total requests received were DNS requests, making them the bulk of requests.
From our point of view, expanded reporting is just one of a number of operational enhancements you’ll need to make. For example, HR data—anything from payroll information, to 401(k) participation, to recruiting—would now be subject to the CPRA’s uncapped look-back provision and data minimization requirements, particularly in the case of “sensitive personal information”. Privacy managers will need to work with HR partners to clarify departmental data practices and update organizational policies and procedures for privacy rights compliance.
And since HR data generally resides in different platforms from customer data, privacy managers will need to have an actionable grasp on this side of the company’s processing ecosystem. The time to inventory systems and map data is now.
Why This Matters
It comes down to providing transparency while demonstrating accountability at scale in order to build brand trust.
Compliance with California’s metrics publication requirements is about more than checking a box. Even if your business isn’t required to publish request metrics, you should still consider doing so.
When it comes to privacy requests, it helps to think like a researcher, auditor or regulator. In preparing the metrics you will be able to benchmark your request volumes, identify operational delays and investigate spikes in request denials, among other benefits.
It is also an opportunity to demonstrate in a tangible way that your brand is committed to your customers’ privacy rights and freedoms: it’s all well and good to say “we respect your privacy” on a web page. It’s another to back that up with an easy, fast user experience for people making privacy requests, and then publishing transparency metrics in an equally easy-to-find location and format.
Don’t delay! Use the next 4 months to get ahead of CPRA.
If you’re a DataGrail customer already, feel free to reach out to your customer success manager to review this new requirement.
If you’re not yet a DataGrail customer, and you’re thinking about how your privacy solution can set you up for success with CPRA privacy rights requests, let’s talk.
[NOTE: As of this writing the CPRA regulations are undergoing public comments and are not yet finalized. Whenever the regulations are finalized, you may need to look at both the regulatory and statutory texts to ensure that all requirements are met.]