Last year, Californians passed proposition 24, also known as the California Privacy Rights Act (“CPRA”). That law makes several changes to the California Consumer Privacy Act (“CCPA”), including some that relate to an organization’s cybersecurity practices. So, as you begin to prepare your organization’s CPRA compliance strategy, keep in mind the following points for your cybersecurity team:

  • The private right of action covers a broader set of data breaches. The CPRA expands the CCPA’s private right of action, such that California residents may also bring suit in the event that a business’s unreasonable security practices lead to the unauthorized acquisition of their non-encrypted and non-redacted email address in combination with a password or security question and answer that would permit access to an account. Importantly, the CPRA excludes its broader private right of action from the exemptions covering personal information related to both employees and business-to-business contacts; so subsequent amendments to those exemptions may have an impact on the range of potential plaintiffs.
  • The new enforcement agency may evaluate a business’s security practices. The CPRA creates a new agency with broad authority to enforce the CPRA: the California Privacy Protection Agency (“CPPA”). That enforcement agency may investigate possible legal violations upon a sworn complaint or its own initiative. The CPRA obligates businesses to implement reasonable security procedures and practices to protect the personal information they collect. Consequently, it’s possible the CPPA may try to use its enforcement powers to investigate a business’s security practices. 
  • Businesses must obligate the parties to which they disclose personal information to use reasonable security practices. The CPRA obligates businesses that disclose personal information to third parties, service providers, and contractors to contractually require those recipients to provide the same level of privacy protection as required by the CPRA.
  • The upcoming rulemaking activities will shed light on obligations relevant to cybersecurity audits. The CPRA contemplates a rulemaking process in which two of the forthcoming areas of regulation are cybersecurity related. The first area is an annual cybersecurity audit requirement for businesses that engage in processing activities that present a significant risk to consumers’ personal information. The second area is the regular submission to the CPPA of a risk assessment with respect to those same businesses’ processing of personal information.