California’s new privacy law, the CPRA, will require businesses to practice data minimization. Redaction and anonymization tools are vital for complying with the new rules that take effect in 2023.
In November 2020, California voters approved an amendment to the state's existing data privacy law, the California Consumer Privacy Act (CCPA) of 2018. The ballot measure, Proposition 24, is called the California Privacy Rights Act (CPRA), and it passed with 56% of the vote to 44%. Within the U.S., California is known for being ahead of the rest when it comes to legislating data security and privacy protection, perhaps a natural consequence of its status as a tech innovation hub and the home of Silicon Valley and Facebook.
With this amendment, California’s privacy law now looks strikingly similar to the EU's GDPR, and it is stricter than the CCPA in several ways. It is therefore somewhat surprising that the law was adopted without much resistance from corporate California.
According to professionals in the field, the lack of corporate outcry was mainly due to three things: 1) the ongoing election; 2) the fact that data privacy is a rising trend, and lobbying against it sends a highly unpopular signal to consumers; and 3) the big tech companies and lobbying superpowers have already implemented the GDPR rules, so the transition to the CPRA is hardly an issue for them and is more of a competitive advantage over non-GDPR-compliant rivals.
Mid-sized companies affected the most
So, how will the CPRA affect daily business once the law comes into effect on January 1, 2023?
As mentioned above, big tech companies already complying with the GDPR will probably hardly feel the new amendment. While the CPRA toughens certain aspects of the old law, it also relieves some obligations. For instance, the CCPA applied to companies that annually handle the personal information of 50,000 or more California residents, households, or devices. Under the CPRA, “devices” are off the list and the bar has been raised to 100,000, leaving the overall threshold for compliance at a more SME-friendly level.
In conclusion, companies that exceed the threshold of 100,000 residents/households and have no European activities will probably be most affected by the law. Candidates include companies in labor- and knowledge-intensive industries such as law, consulting, real estate, and accounting (excluding the Big Four accounting firms). A mid-sized firm may not have the manpower to throw tons of lawyers and accountants at privacy compliance, even though the vast amount of data it holds puts it at risk of a breach. In particular, the new CPRA contains three pillars that mid-sized companies need to navigate in the future:
Data blueprinted partners only.
Fines independent of harm factor.
Required data minimization.
CPRA introduces the data minimization principle
Let's zoom in on the last of these. It is by far the requirement calling for the most effort, and it is imperative both to prevent fines and to curb an unregulated exchange of information with third parties.
Coming back to the headline above: what must companies be especially aware of, and why can redaction software be a highly useful addition to the digital toolbox?
The CPRA requires that personal information not be retained by a company for longer than is reasonably necessary for the purpose it was collected for. The GDPR's storage-limitation principle sets no fixed period; in practice it usually means deleting personal data after five to ten years, depending on the case. For data-driven and knowledge-intensive companies, such deletion is a major hindrance. With the logic being “more data is better”, managers, business developers, and controllers alike hate the idea of knowledge being “thrown away”.
The solution is to redact and anonymize the personal information in the data. Your options are a modern software redaction tool or manual redaction. Whichever method you choose, the advantage is the same: properly deidentified data falls outside the scope of the CPRA (and the GDPR), so the rules on personal information no longer apply to it. But only if you have redacted the data properly! Under the CPRA, the business must also take reasonable technical measures against re-identification and publicly commit not to attempt to re-identify the data. It must never be possible to deduce who a particular person in the data set is, for example by combining the data with other sources. If that is still possible, you have merely pseudonymized or “masked” the document, and it remains personal information.
Manual redaction: Not realistic
There are two reasons why manual redaction is a fairly unrealistic endeavor for the companies covered by the CPRA. First, it may work with small data sets. But for an enterprise with 100,000+ households in its domain, producing millions of documents yearly? Hardly.
Secondly, traditional manual redaction typically comes down to blacklining confidential passages and personal identifiers. That won't help companies that wish to preserve the meaning of a document once the CPRA is fully in force, which is a valuable ability if you want to build and maintain a substantial knowledge bank, not to mention take advantage of new technologies such as AI and machine learning, where high-quality data is a minimum requirement.
To still be able to make sense of the data, the identifiers (names, addresses, social security numbers, and all the rest) must be replaced with something else, consistently, so that the relationships inside the text survive. That requires methods a little more sophisticated than “just” hiding information in a document. Luckily, the redaction and anonymization process can be automated with a software redaction tool.
For the companies in question, this is currently the only practical way to avoid deleting their precious data after a certain period. Luckily, automated redaction tools have improved over time, especially after the EU set the standard for data ethics, while the rest of the world tags along at a slower pace.
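The two points above, replacing identifiers consistently so a document stays readable, and the line between pseudonymization and anonymization, as an added example. This is illustrative code written for this page, not Cleardox's product or any part of it. Everything in it is an assumption: the sample documents DOC_A and DOC_B are constructed, the NAMES list stands in for what a CRM export or an NER pass would supply, KEY is a placeholder secret, and the functions (find_identifiers, pseudonymize, anonymize, leaks) are hypothetical names. Detection is regex plus the supplied name list; a real tool would add entity recognition, address parsing and a human review step.

```python
"""Added example (not Cleardox code): readable redaction, and why a keyed,
linkable token is still pseudonymization while per-document labels are not.
Sample text, name list and key are constructed for this example."""
import hashlib
import hmac
import re

# Constructed sample: two documents from the same firm mentioning one person.
DOC_A = "Seller Jane Doe (SSN 123-45-6789, jane.doe@example.com) transfers the property to buyer John Q. Public."
DOC_B = "Jane Doe also holds a lease with Acme Corp; contact jane.doe@example.com."
NAMES = ["Jane Doe", "John Q. Public", "Jane"]   # hypothetical name list (CRM export / NER output)
KEY = b"retained-pseudonymization-key"           # placeholder; a real key would be a managed secret

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def is_valid_ssn(area, group, serial):
    """Reject patterns the SSA never issues (area 000/666/9xx, group 00,
    serial 0000) so a case number such as 000-12-3456 is not mislabelled
    and redacted as an SSN."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_identifiers(text, known_names):
    """Return non-overlapping (start, end, category, value) spans."""
    spans = []
    for name in known_names:
        for m in re.finditer(r"\b" + re.escape(name) + r"\b", text):
            spans.append((m.start(), m.end(), "PERSON", m.group()))
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            spans.append((m.start(), m.end(), "SSN", m.group()))
    for m in EMAIL_RE.finditer(text):
        spans.append((m.start(), m.end(), "EMAIL", m.group()))
    # Longest match at each position wins and anything nested inside an
    # accepted span is dropped, so "Jane" never splits "Jane Doe".
    spans.sort(key=lambda s: (s[0], -(s[1] - s[0])))
    kept, cursor = [], 0
    for s in spans:
        if s[0] >= cursor:
            kept.append(s)
            cursor = s[1]
    return kept


def _rewrite(text, known_names, token_fn):
    """Splice token_fn(category, value) over every identifier span."""
    out, pos = [], 0
    for start, end, cat, value in find_identifiers(text, known_names):
        out.append(text[pos:start])
        out.append(token_fn(cat, value))
        pos = end
    out.append(text[pos:])
    return "".join(out)


def token_for(cat, value, key):
    """Keyed, deterministic token: the same value yields the same token in
    every document processed with this key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8]
    return f"<{cat}:{digest}>"


def pseudonymize(text, known_names, key):
    """Still personal information: records stay linkable across documents, and
    whoever holds the key (or can guess candidate names and recompute the
    HMAC) can re-identify them."""
    return _rewrite(text, known_names, lambda cat, value: token_for(cat, value, key))


def anonymize(text, known_names):
    """Per-document counters: "<PERSON_1> sells to <PERSON_2>" keeps the
    meaning of the document, but no key or lookup table exists and the same
    person gets unrelated labels in different documents."""
    labels = {}

    def label(cat, value):
        if (cat, value) not in labels:
            labels[(cat, value)] = f"<{cat}_{sum(1 for c, _ in labels if c == cat) + 1}>"
        return labels[(cat, value)]

    return _rewrite(text, known_names, label)


def leaks(original, redacted, known_names):
    """Post-redaction check: any identifier still present verbatim is a failure."""
    return [v for _, _, _, v in find_identifiers(original, known_names) if v in redacted]


if __name__ == "__main__":
    for doc in (DOC_A, DOC_B):
        print(pseudonymize(doc, NAMES, KEY))   # same <PERSON:...> token for Jane Doe in both
        print(anonymize(doc, NAMES))           # <PERSON_1> in both, but the labels are unrelated
        assert not leaks(doc, anonymize(doc, NAMES), NAMES)
```

The point of the two modes is the one the text makes: the pseudonymized output is tidy but linkable, and the retained key is exactly the "other source" that lets someone deduce who `<PERSON:...>` is, so that data is still in scope. The counter-based output keeps the document's meaning without keeping any way back. The `leaks` check is the minimum acceptance test a practitioner should run on every redacted document, and `is_valid_ssn` is a reminder that a pattern match alone over-redacts.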
Risk of larger fines and more lawsuits
The new Californian rules are no doubt a positive step toward securing more data privacy for American citizens, and they help companies identify and comply with the governing rules. Yet the risk of fines increases under the new amendment, predominantly because the former law required plaintiffs to document harm, such as monetary losses, in order to receive compensation. Now the mere existence of a breach, harm or no harm, is enough to trigger a fine.
All the more reason to spend the next two years preparing and implementing effective tools that avoid breaches AND preserve valuable data in redacted form. Cleardox can deal with that.
Interested in getting a closer look at our product? Sign up for a demo here!
The Cleardox team