CPRA/Prop 24: Get Ready for Risk Assessments and Audits
The California Consumer Privacy Act (CCPA) recently crystallized a new U.S. standard for data privacy. But it still falls short of meeting the requirements of many consumer privacy advocates.

Some Californians are already forging ahead with a ballot initiative to further strengthen privacy rights in their state. The California Privacy Rights Act (CPRA), also known as Proposition 24, is on the November 3rd ballot, and it proposes stricter protection of consumer privacy, similar to the European Union’s General Data Protection Regulation (GDPR).

Like GDPR, CPRA seeks to expand the definition of sensitive personal information, add new compliance requirements for businesses, and enact a new state agency for enforcement. Consumer privacy is a hot topic with strong support, but that doesn’t mean CPRA is a shoo-in. Opponents are spending a lot of money on ads that paint the CPRA as a bad idea for consumers. And there’s no clear consensus on the pros and cons. Proposition 24 is even pitting privacy advocates against each other, causing confusion for voters.

Where does that leave businesses that are trying to stay on top of the law?

There is a strong chance CPRA will be enacted and the consumer privacy demands on businesses will continue to grow. If this doesn’t happen through CPRA, it’s bound to happen in the other states with similar ballot measures already in the works. Either way, one of the greatest impacts on your business operations will be through new requirements for privacy risk assessments and audits.

Businesses complying with GDPR are already familiar with the concept of risk assessments. Under the European Union’s law, a Data Privacy Impact Assessment (DPIA) is required any time a business begins a new project that is likely to involve a “high risk” to consumers’ personal information.

In a similar vein, CPRA calls for businesses that process consumers’ personal information to:

  1. Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent. The factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities.
  2. Submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information. This should include whether the processing involves sensitive personal information and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing, with the goal of restricting or prohibiting such processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public.

“…CPRA essentially adopts the GDPR concept of DPIAs but takes it a step further, by affirmatively requiring such assessments to be submitted to a regulatory body on a regular basis.”

California Privacy Rights Act: Latest Update, Impact and Next Steps

How to prepare your business for risk assessments and audits

This new CPRA requirement for risk assessments and audits will be daunting, even if you’re already complying with the CCPA and the DPIA requirements of GDPR.

How can you prepare for the new requirement for risk assessments and audits? Here are a few simple steps you can take:

1. Understand what’s meant by “significant risk” to consumers’ privacy or security

What’s meant by “significant risk” and who determines the risk level? Let’s hope more guidance is given if, or when, CPRA is enacted. But, in the meantime, CPRA tells us:

“The factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities.”

As it stands, there’s a lot of room for subjectivity when determining whether your business is subject to risk assessments. Err on the side of caution and assume you will be expected to provide assessments and could be subject to audits. That means you’ll need to have the procedures in place to perform the assessments and have access to all of the necessary data.

2. Understand how you’re processing personal information

Do you have a good grasp on your company’s end-to-end process for handling personal information? The only way you’ll know if it presents “significant risk” is if you understand the process, including its nature and scope. Make sure you’ve documented every single touchpoint for consumer data. That’s how you will be able to weigh the benefits versus the potential risks.

3. Implement solutions to ensure the Privacy Impact Assessment Process is complete and accurate

Let’s be honest: tracking and documenting everything you’ll need for Privacy Impact Assessments and audits could be a tremendous amount of work. Most companies aren’t equipped with the resources to handle such granular tracing of data. Fortunately, WireWheel can provide the technology to handle this heavy lift. WireWheel’s Privacy Assessment Automation Solution gathers critical information from people and systems to manage assessments effectively and efficiently.

CPRA leaves lots of grey areas when it comes to data privacy risk assessments and audits, and there’s plenty of room for interpretation. No matter how CPRA shakes out, and no matter how many states enact their own privacy laws, WireWheel is equipped to handle all of the intricacies. WireWheel helps you understand your own data with automated, transparent processes. With WireWheel, you can be prepared now for risk assessments and audits and be prepared for any new privacy laws that come your way.