April 15, 2022
In 2018, Californians voted for the California Consumer Privacy Act (CCPA), the USA's first broad data privacy law. The CCPA came into effect in January 2020, enhancing California residents' privacy rights and consumer protections. Eleven months later, residents of the Golden State voted for the California Privacy Rights Act (CPRA) to add even more privacy protections for consumers.
Your role in protecting a consumer's privacy doesn't end once you obtain consent. After you collect a user's data, they can submit a data subject access request (DSAR) to discover the personal information your organization has collected and for what purpose.
When a data subject submits a DSAR, you must respond promptly with the requested information. As governments worldwide pass privacy laws, consumer data privacy regulations make it easier than ever for individuals to request access to their data.
The CPRA goes into effect on January 1, 2023, and most businesses will need to make adjustments to avoid penalties. We'll look at the CCPA and CPRA regulations and requirements to help you appropriately handle DSARs and build consumer trust through transparency.
When America's first broad data privacy law went into effect in 2020, consumers acquired more rights over their data. More specifically, they received the right to:
Here's what you need to know about the current rules under the CCPA:
The CCPA affects for-profit entities that do business in California and meet one or more of the following requirements:
Nonprofits and government entities are not subject to the CCPA.
Eligible individuals may submit a DSAR under the CCPA. Californians can ask businesses to:
Personal information refers to the defining characteristics of an individual. This data, which companies use to build a consumer profile, includes, but is not limited to: a person's name, birth date, social security number, email address, records of products purchased, internet browsing history, phone number, and geolocation data.
Once a DSAR is received, CCPA requires organizations to provide the requested information within 45 days. A business can extend for up to 90 days. Data mapping can help speed up this process.
California residents are covered by the CCPA, even those temporarily outside the state. The CCPA does not protect residents of any other US state, but some companies choose to extend those rights to all Americans.
When a business receives a DSAR, it must verify the user's identity and complete the request within the allotted 45-day period.
Less than one year after CCPA took effect, Californians voted for CPRA. The new initiative augments the initial legislation to expand individual rights.
Some have given CPRA a nickname: CCPA 2.0. The new legislation maintains the original intent of CCPA while expanding, modifying, and updating the rules to protect consumer privacy. Despite the expanded rules, businesses must comply within a 45-day window, with the option of a 45-day extension.
The new legislation revises the scope of qualifying businesses:
The new legislation identifies sensitive personal information in a new category of highly protected data. CPRA places limitations on how businesses use data and how long they can keep it. These restrictions kick in when companies use sensitive personal information to infer characteristics about a consumer (instead of using it to provide necessary services). At this point, the business must inform the consumer of their right to limit the business's use of the data.
CPRA expands on the five rights afforded by the CCPA and adds the rights to:
CPRA introduces an enforcement element with the creation of the California Privacy Protection Agency. Civil and administrative enforcement will begin on July 1, 2023.
July 2023 will be here before we know it. To prepare your business for DSARs under new CPRA regulations, you should:
Manually digging through user data is time-consuming and leaves room for human error. Sending too little information or accidentally sharing another user's information opens your business to penalties.
Osano's Data Discovery uses AI to map the data you need to comply with CCPA and CPRA DSARs. Once you receive a DSAR, Osano's Subject Rights Management software verifies a data subject's identity, assigns inbound requests to the correct person, and delivers results to the data subject within the required timeframe. Schedule a demo or sign up for a free trial today to see how easy it is to manage DSAR privacy requirements with Osano.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”