Last year, Californians passed Proposition 24, also known as the California Privacy Rights Act (“CPRA”). That law makes several changes to the California Consumer Privacy Act (“CCPA”), including some that relate to an organization’s cybersecurity practices. So, as you begin to prepare your organization’s CPRA compliance strategy, keep in mind the following points for your cybersecurity team:

  • The private right of action covers a broader set of data breaches. The CPRA expands the CCPA’s private right of action so that California residents may also bring suit if a business’s failure to maintain reasonable security practices leads to the unauthorized acquisition of their non-encrypted and non-redacted email address in combination with a password or security question and answer that would permit access to an account. Importantly, the CPRA carves this broader private right of action out of the exemptions covering personal information related to employees and business-to-business contacts, so those individuals remain potential plaintiffs, and subsequent amendments to those exemptions may affect the range of potential plaintiffs.
  • The new enforcement agency may evaluate a business’s security practices. The CPRA creates a new agency with broad authority to enforce the CPRA: the California Privacy Protection Agency (“CPPA”). That enforcement agency may investigate possible legal violations upon a sworn complaint or on its own initiative. The CPRA obligates businesses to implement reasonable security procedures and practices to protect the personal information they collect. Consequently, the CPPA may use its enforcement powers to investigate a business’s security practices.
  • Businesses must obligate the parties to which they disclose personal information to use reasonable security practices. The CPRA obligates businesses that disclose personal information to third parties, service providers, and contractors to contractually require those recipients to provide the same level of privacy protection as required by the CPRA.
  • The upcoming rulemaking activities will shed light on obligations relevant to cybersecurity audits. The CPRA contemplates a rulemaking process in which two of the forthcoming areas of regulation are cybersecurity related. The first area is an annual cybersecurity audit requirement for businesses that engage in processing activities that present a significant risk to consumers’ personal information. The second area is the regular submission to the CPPA of a risk assessment with respect to those same businesses’ processing of personal information.
Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence, the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications, and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.