The California Privacy Rights Act (CPRA) is on the ballot this November, and if it passes will expand the privacy rights within the existing California Consumer Privacy Act (CCPA). The new law builds on the principles of data minimization, greater consumer control of personal data, and increased transparency on data retention and potential uses. It could have unforeseen implications for many companies who think their data is secure, and new opportunities for software developers and ISVs moving to “privacy by design” software development.
CPRA Employee Data Protection Provisions
Data security is like a hydra—a dragon with many heads and all of them a potential threat. There are so many types of data shared, transferred, and stored in our digital communications and commerce. Most companies focus on the types of data that are protected by regulations or laws. These include payment data, private health information, or personal identity information. There is another data set that many companies miss when tackling security: employee information. While the CPRA excludes employee information initially, most experts agree it will eventually be protected under the CPRA and similar state, if not federal, laws.
It will not be enough for organizations to simply expand their consumer data privacy controls out to protect employee data. “Employee data is a totally new domain,” says Jean-Michel Franco, Talend’s Senior Director of Product Marketing, “with specific data and typically a diverse IT landscape with necessary data sharing between many constituents.”
The CCPA was already scheduled to expand its protection to employee information secured during the recruiting and hiring process. The CPRA, if passed, will extend the moratorium on protecting employee information until January 2023. The extra time gives companies time to create implementation strategies. It may also spur the federal government to create its own data privacy legislation. ISVs should use this extension to test, refine and launch employee management data solutions with greater data privacy controls built into the applications.
“Sensitive Data” Will Be Protected
The CPRA introduces a new category of personal data called “sensitive data.” This includes government identifiers such as social security numbers, driver’s license numbers, race, ethnicity, political persuasion, sexual orientation, precise geo-localization, and biometric and other health data. Sensitive data will be associated with informed consent by the citizen and the right to limit the use of that data.
“The introduction of the Sensitive Data category and the related set of rights means that enterprises need to establish stronger controls to discover and catalog those kinds of data whenever they are processed within their IT landscape,” says Franco. Strict controls will be needed to govern the use of the data and to anonymize those data in all instances where they are not required.
CPRA Requires New Technological Capabilities
CPRA raises the bar for data security across three separate organizational domains: B2B, B2C, and employee. Compliance with the CPRA guidelines will require operational and system upgrades in data capture, storage, governance and security for all three domains. The main technologies needs are around:
- Data mapping and cataloging. Personal data must be tracked across an organization’s entire IT landscape. Data owners must be assigned to govern data usage within their domain of the IT landscape and to manage data transfers.
- Data minimization. A major component of the CPRA and similar privacy laws is the belief that organizations should only collect the bare minimum of data required to complete an interaction or transaction.
- Data anonymity. In any instance when data is not critical to the function of the application, it should be anonymized in order to reduce the risk of data breaches.
- Data access requests. Gartner estimates that every data access request costs about $1,400 when processed manually. Organizations will look for solutions that manage data access and sharing securely and efficiently.
Applications that limit data collection, track data throughout its entire lifecycle, anonymize data when not needed, remove data regularly, and share data securely will save organization leaders time, money, and headaches. ISVs can win by providing solutions to clients that already take these capabilities into account.
Penalties for Non-Compliance
Despite the costs of compliance, non-compliance comes with its own costs as well. At present, under the CCPA, the California Attorney General has the power to enforce the regulation. Under CPRA, a new agency—the California Privacy Protection Agency—would have that authority and jurisdiction. Penalties for non-compliance are $2,500 per violation, and $7,500 per intentional violation. The CRPA would triple the penalty for violations regarding minors under the age of 16.
There is also the cost of losing consumer or employee trust in the event of a data breach, which can have enduring effects almost as severe as the financial losses.
Privacy by Design Hits the Heart of Data Security
Software developers must undergo a mindset shift. Privacy is no longer the constituency of the client. In order to defeat the hydra of data security, the best way is to strike at its heart. Privacy is no longer a value-add, a feature of an application. It must be built into every aspect of the product from its inception through implementation and throughout its lifecycle. Privacy, security, and transparency must become the software developer’s core values embedded in every decision as a system is developed. ISVs that protect their clients’ customer and employee information safeguard their own business viability, as they position themselves as privacy thought and solution leaders.