It’s Time for Privacy Pros to Make a Strategic Shift
The importance of effective data privacy can no longer be ignored.
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: March 21, 2023
Published: October 12, 2021
Like most things in privacy, California’s privacy law can seem like a letter-salad: CCPA, CPRA — what’s the difference?
There isn’t one. The California Privacy Rights Act (CPRA) was merely the name of the bill passed to amend the California Consumer Privacy Act (CCPA) to align it better with the EU’s General Data Protection Regulation (GDPR). The new version of the CCPA, the CPRA, adds a few more rights to citizens, but it also helps companies looking for some relief in streamlining compliance. And it appeases consumers who weren’t entirely satisfied with how the regulations ended up.
Because of the CPRA, however, there are some upcoming dates you need to pay attention to.
On Jan. 1, 2023, the new CPRA regulations will come into effect. The most significant changes affect which organizations must comply with the CCPA and the type of information those organizations will need to collect. Specifically (though not exclusively):
“But that’s 2023!” you’re thinking. “That seems like an eternity from now!”
That’s why the so-called “look back” provision is a sneaky provision of the law that can bite you if you’re not paying attention now.
The CPRA says that consumers need to be able to access all of the data you’ve ever collected about them — everything! Including those categories of vendors and service providers you’ve shared data with — starting on Jan. 1, 2023, and that you need to be able to produce everything going back to Jan. 1, 2022, on day one.
That means you need to start collecting data in the right way on Jan. 1, 2022, even if the CCPA doesn’t apply to your business until 2023.
As of that 2023 date, too, you’re going to need to start changing your data retention policies and probably your meta-tagging if you’ve got a sophisticated data governance system at all. While the CCPA originally mandated you be able to produce data you’ve collected over the last 12 months, as of that date, you’ll have to show everything you’ve got starting from that date.
So, even if someone asks for their data in 2035, you’ll have to be able to produce anything you’ve collected going back to Jan. 1, 2022.
Make sense?
If you’re already complying with the CCPA, this really shouldn’t be much of a problem. Essentially, you have the next couple of months to make the following substantial changes, to go live on Jan. 1, 2022:
Suppose you’re newly covered by the CPRA. After all, the umbrella is expanded to any company that shares the data of 100,000 Californians, not just those who buy or sell, or which does 50% of its revenue via the sharing of personal data of Californians. If so, you’re going to have a more difficult row to hoe on Jan. 1, 2022, because that’s when you’re going to need to start your regimented data collection and mapping program.
At that point, you’ll have to implement the operational capacity to quickly organize all of the data you hold about a specific individual and be able to produce it, delete it, etc. — within 30 days. And you’ll need to be able to track where that data went and who currently has it in their possession.
While the consumer can’t make the request that you produce their data until Jan. 1, 2023, remember that request will cover all of the data going back to Jan. 1, 2022. While you may be able to create a system in the middle of 2022 that will retroactively wrangle up everything back to Jan. 1, it’s likely to be much easier if you’ve already started tagging and categorizing the data when the look-back period begins.
And you’ll be really happy on Jan. 1, 2023, because much of the heavy lifting for being able to comply with the CCPA — with the new CPRA provisions — will already have been done.
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
Sam is a journalist and head of West Gray Creative, a content services firm based in Maine. In a former life, he was director of content at the IAPP and has run publications in the security, workboat, and 3D reality capture spaces. Currently, he serves as the chair of his local school board, fronts the World Famous Grassholes, and would like to be a professional baseball player when he grows up.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.