California loves privacy! Seems like just yesterday we were helping customers prepare for the new California Consumer Privacy Act. And now the law is getting updated. Meet CCPA 2.0—the California Privacy Rights Act (CPRA). 

2023 will be the year of data privacy laws in the United States. Virginia and Colorado passed brand new privacy regulations and California is right on their heels with the amendment of the CCPA. Most CPRA’s provisions go into effect in January 2023, so you still have plenty of time to get prepared, right? Bzzz! Wrong answer. 

CPRA’s look-back period begins on January 1st, 2022 which means that all data collected during 2022 is subject to the act. But fear not, even if you haven’t started preparing yet, all is not lost. Here are our tips on how to step up your privacy game with a proper automated data lineage solution.

Does the CPRA Apply to My Business?

The CPRA applies to any for-profit that does business in the State of California, collects personal information of its residents, and meets one or more of the following thresholds:

• Had annual gross revenues over twenty-five million dollars ($25,000,000) in the preceding calendar year
• Buys sells, or shares the personal information of 100,000 or more California residents, households, or devices
• Derives 50% or more of their annual revenue from selling or sharing California residents’ personal information.

Categories of Personal Information

While the new law preserves the existing CCPA’s consumer rights, it also introduces new, stricter protection of sensitive personal information.  

Sensitive personal information is defined as personal information that reveals:

• A consumer’s social security, driver’s license, state identification card, or passport number;
• A consumer’s account log-In, financial account, debit card, or credit card number In combination with any required security or access code, password, or credentials allowing access to an account; 
• A consumer’s precise geolocation; 
• A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; 
• The contents of a consumer’s mall, email, and text messages, unless the business is the intended recipient of the communication;
• A consumer’s genetic data; and 
• The processing of biometric information to uniquely identify a consumer; 
• Personal Information collected and analyzed concerning a consumer’s health; or 
• Personal Information collected and analyzed concerning a consumer’s sex life or sexual orientation.

Even if your business is CCPA compliant, introducing new types of sensitive data requires you to identify it to provide the extra layer of protection. How can you do it? First, make sure that you have a complete overview of your data environment. With today’s volume of data and the fast pace at which it is being collected and processed in complex data environments, crucial information can be easily overlooked. 

You can get the overview you need to maintain visibility with an automated data lineage solution that can scan all those nooks and crannies of even the most siloed data environments and generate a map of all data flows, their sources, and connections. 

Once you have this information at hand, make sure that the solution offers a feature that allows you to highlight those data elements in the data pipeline that contain sensitive information. It will give you a solid base for any audit and reporting purposes and facilitate faster collaboration between the employees who are dealing with data privacy issues in your organization.

MANTA’s active tags allow you to highlight selected nodes, i.e. the ones that contain sensitive information, in the repository tree

Displaying active tags in MANTA’s lineage can help companies illustrate compliance for regulators evaluating how sensitive data is being handled. 

Businesses’ Obligations Under the CPRA

What would a new law be without new obligations for business? Similar to the GDPR, businesses that are subject to the CPRA must ensure data minimization, purpose limitation, and storage limitation. It means that a consumer’s personal information can only be collected, used, retained, and shared “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”  You must also be able to notify the customers of “the length of time the business intends to retain each category of personal information, including sensitive personal information.”

The CPRA also imposes a new obligation of conducting and documenting risk assessments. Those assessments are not limited to the activities that involve the processing of sensitive data but also include the preliminary determination of the activities that might present a risk to privacy rights.

Can data lineage help fulfill those obligations? The right solution that shows you complete, accurate, and up-to-date information surely can. Again, knowing what data you have and what data sources are should be the starting point. And once you have such a solid foundation, make sure that your lineage solution clearly shows the connection between data assets. It ensures better, more complete visibility of your data pipeline and helps you immediately identify how a planned activity will influence the parts of the environment where sensitive data assets reside. Learn more about carrying out preventive impact analyses with data lineage.

Expanding Consumers’ Rights

The CCPA had granted consumers numerous rights in regards to their personal information. These rights include the right to access, right to know, right to disclosure, right to deletion, and right to equal services and prices.  The CPRA adds a few more on top of the existing ones, such as:

• Right to correct inaccurate personal information
• Right to know if businesses are using personal information
• Right to know what personal information is sold and to whom
• Right to opt-out of sale or sharing of personal information
• Right to limit the use of sensitive personal information
• Right of no retaliation following opt-out or exercise of other rights

Failure to comply with the CPRA obligations will result in fines up to $2,500 per violation or $7,500 per intentional violation. If the violation involves the data of consumers under 16, the fine increases to $7,500, even if the violation is unintentional.

How to Get Started with Proper Metadata Management

The key to any data compliance and solid data governance effort is data mapping and understanding what and whose data you are storing. Based on that, you should implement and adjust your privacy policy and security controls, such as data protection impact assessments. And of course, you should document your compliance program to make sure you adhere to data protection laws and regulations.

For complete documentation, you need to know exactly how the PII (personally identifiable information) that you store and process flows through your environment. Once you’ve identified databases and tables that contain such information, use automated lineage to highlight the paths that data flow and trace that flow up and down. It’s crucial to do it in an automated way, so you eliminate the risk of incomplete and erroneous data that the manual approach carries. If you are not sure where sensitive data resides in your environment, make sure that you pair your data lineage solution with another tool that sells data. MANTA’s lineage platform has several out-of-the-box integrations with data governance solutions that can help you do that

Can’t I Just Wait Until 2023?

Don’t wait until the eleventh hour to start preparing for data protection regulations. Having worked with organizations from all over the world, we know how stressful, time-consuming, and costly the preparation phase can be. Spare yourself the frustration of manual mapping of your environment and allocating extra resources only to try to figure out how regulated data entered your systems, what its complete journey was, and whether it’s still there or maybe just changed its format during an ETL process. Once you have this part sorted, you can spare your valuable time and resources on the tasks that actually require human labor.

Oh, and remember the 12 month look-back period that I mentioned at the beginning of this article? It’s another good reason to start adjusting your data governance program rather sooner than later. Plus when the regulation kicks in, it might be useful to look back and review the changes in data flows. A feature like MANTA’s ability to compare how the system looked at the time of the selected period can help you identify what changed in the flow or identify any possible discrepancies. 

Automating data lineage collection in advance is the most efficient way of starting your journey towards full regulatory compliance. Not only will you discover all the valuable information about your data that will guide you in the right direction, but also you’ll do it much faster and you will eliminate the risk of human error without allocating extra resources and burning the midnight oil. 

If you would like to learn more about the privacy regulations in the United States and how to prepare for them with automated lineage, watch our webinar.

Do you want to automate your data governance and get CPRA-ready? Schedule a call with our representative. We’ll be happy to tell you how we help our customers comply with various privacy regulations around the world and see how we can help your organization.