Last year, Californians passed Proposition 24, also known as the California Privacy Rights Act (“CPRA”). That law makes several changes to the California Consumer Privacy Act (“CCPA”), including some that relate to an organization’s cybersecurity practices. So, as you begin to prepare your organization’s CPRA compliance strategy, keep in mind the following points for your cybersecurity team:

  • The private right of action covers a broader set of data breaches. The CPRA expands the CCPA’s private right of action, such that California residents may also bring suit in the event that a business’s unreasonable security practices lead to the unauthorized acquisition of their non-encrypted and non-redacted email address in combination with a password or security question and answer that would permit access to an account. Importantly, the CPRA excludes its broader private right of action from the exemptions covering personal information related to both employees and business-to-business contacts; so subsequent amendments to those exemptions may have an impact on the range of potential plaintiffs.
  • The new enforcement agency may evaluate a business’s security practices. The CPRA creates a new agency with broad authority to enforce the CPRA: the California Privacy Protection Agency (“CPPA”). That enforcement agency may investigate possible legal violations upon a sworn complaint or on its own initiative. The CPRA obligates businesses to implement reasonable security procedures and practices to protect the personal information they collect. Consequently, it’s possible the CPPA may try to use its enforcement powers to investigate a business’s security practices.
  • Businesses must obligate the parties to which they disclose personal information to use reasonable security practices. The CPRA obligates businesses that disclose personal information to third parties, service providers, and contractors to contractually require those recipients to provide the same level of privacy protection as required by the CPRA.
  • The upcoming rulemaking activities will shed light on obligations relevant to cybersecurity audits. The CPRA contemplates a rulemaking process in which two of the forthcoming areas of regulation are cybersecurity related. The first area is an annual cybersecurity audit requirement for businesses that engage in processing activities that present a significant risk to consumers’ personal information. The second area is the regular submission to the CPPA of a risk assessment with respect to those same businesses’ processing of personal information.
Lindsey Tonsager


Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.