The California Privacy Protection Act (CPRA) amended the California Consumer Privacy Act (CCPA) and has an operative date of January 1, 2023. The CPRA introduces new compliance obligations including a requirement that businesses conduct risk assessments. While many U.S. companies currently conduct risk assessments for compliance with state “reasonable safeguards” statutes (e.g., Florida, Texas, Illinois, Massachusetts, New York) or the HIPAA Security Rule, the CPRA risk assessment has a different focus. This risk assessment requirement is similar to the EU General Data Protection’s (GDPR) data protection impact assessment (DPIA).
The goal of conducting a CPRA risk assessment is to restrict or prohibit the processing of personal information where the risks to a consumer’s privacy outweigh any benefits to the consumer, business, stakeholders, and public. Notably, the CPRA does not limit risk assessments to activities involving the processing of sensitive data. In addition to conducting the actual risk assessment, this process will require a preliminary determination of which data processing activities may present a significant risk to privacy rights. The business must document these risk assessments for submission to the California Privacy Protection Agency on a regular basis.
Under the CPRA, the documented risk assessment shall:
- include whether the processing involves consumers’ sensitive personal information (e.g., social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with security or access code, password, or credentials for account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; contents of mail, email, and text messages unless the business is the intended recipient of the communication; genetic data; biometric information processed for the purpose of uniquely identifying a consumer; information related to health, sex life or orientation); and
- identify and weigh the benefits to the business, consumer, other stakeholders, and the public from the processing against the potential risks to the rights of the consumer whose data is being processed.
The CPRA directs the California Attorney General and California Privacy Protection Agency to issue implementing regulations, including regulations related to risk assessments. These regulations must be adopted by July 1, 2022 and will likely provide further guidance on the scope of and process for conducting and documenting risk assessments.
Complying with the CPRA will require expanded data mapping and advance planning, some of which may occur prior to issuance of the implementing regulations. During this time, businesses may find the GDPR instructive, particularly since the CCPA and CPRA borrow liberally from the regulation.
Under the GDPR and related guidelines, a DPIA is required or recommended where data processing is likely to result in a high risk to the privacy rights of individuals. This includes activities that
- use automated processing, including profiling, to evaluate an individual’s personal aspects and on which decisions are based that produce significant effects
- include large scale processing of sensitive data
- process data on a large scale
- match or combine datasets
- process data of vulnerable individuals (e.g., children)
- innovate or use new technologies
The DPIA must document and include
- a description of the processing operations
- the purposes of the processing
- the legitimate interest pursued by the business, where applicable
- an assessment of the necessity and proportionality of the processing activity in relation to the purposes
- an assessment of the risks to the individual’s privacy rights
- measures designed to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data
The CCPA and CPRA currently exclude employee personal information from certain provisions (e.g., the right to opt out, right to delete). This carve-out exempts employee personal information from the risk assessment requirement outlined above; however, the carve-out is due to expire on January 1, 2023. As businesses begin developing their risk assessment programs, they will want to monitor whether this exclusion for employee information will be extended and/or amended and how it might impact the risk assessment process.
As noted above, the operative date of the CPRA is January 1, 2023. Implementing regulations must be adopted by July 1, 2022 and civil and administrative enforcement activity can commence on July 1, 2023.