New Year, New Data Privacy Regulations
The deadline for the California Privacy Rights Act (CPRA) is fast approaching. On January 1, 2023, any business that collects, processes and stores information related to California residents will be subject to stricter data privacy regulations — and face heftier fines for compliance violations. Here’s what you need to know about maintaining CPRA compliance.
What’s new in the CPRA?
The CPRA comes on the heels of the California Consumer Privacy Act (CCPA) of 2018, which defined regulations for companies’ use of personally identifiable information (PII). The CPRA takes the law even further, establishing new applicability criteria, stricter rules and more severe non-compliance penalties.
Some key changes include:
- Raises the applicability threshold for organizations that collect California consumers' information from 50,000 individuals to 100,000 consumers or households
- Specifies new requirements for the handling of sensitive personal information (SPI)
- Modifies some consumer rights granted under the CCPA and establishes new ones, specifically the right to opt out of third-party sales and sharing, the right to data portability, the right to limit use and disclosure of SPI, and the right to opt out of automated decision-making technology
- Adds login credentials to the categories of information for which consumers can take legal action in the event of exposure
- Establishes the California Privacy Protection Agency (CPPA) to oversee the investigation and enforcement of the CPRA and amend the regulations as needs change over time
- Imposes the same fines as the CCPA, ranging from $2,500 to $7,500 per violation, and increases potential fines for violations involving consumers under 16
You’re on the Hook for Your Third-party Vendors
But even worse than unauthorized access by trusted vendors is unauthorized access by bad actors. Cybercriminals can exploit weaknesses in third-party code to inject malicious scripts designed to skim user data. If consumer data is exposed on your site because of an attack on a third-party vendor, you may be liable for damages that result.
It’s Time to Shore Up Your Website Supply Chain
It’s critical to continuously audit third-party code and always verify that it is collecting expected data under your agreement with them. This is easier said than done. Online businesses may find it difficult to audit third-party scripts for the following reasons:
- Lack of visibility at runtime - Because third-party scripts execute in the visitor's browser rather than on your server, scripts that load dynamically can change without your server ever seeing the change. Code alterations, which can sometimes include malicious code injections, can evade detection for weeks.
- Frequent code changes - Third-party scripts change and update continuously, and an update can introduce blind spots even in a script that passed an initial security review. These changes can mean trouble for your payment page, especially as over 50% of website owners report that their third-party scripts change at least four times a year, at times without their immediate knowledge.
- Insufficient security reviews - Your business likely relies on client-side code to enrich the user experience by speeding up the interface and bringing capabilities to market quickly. Since speed is the name of the game, developers often forgo security review processes that slow down the deployment of new code. But even an initial review does not guarantee the security of future updates.
Without a process for continuous script monitoring and threat mitigation, your client-side supply chain puts you at risk of digital skimming, supply chain attacks and possible fines for CPRA non-compliance.
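A defensive client-side inventory check, added here as an example and not code from the original post: it classifies each script on a checkout page against an allowlist of expected third-party origins, flags allowed scripts that lack a Subresource Integrity hash, and, when run in a browser, watches for scripts injected at runtime (the dynamic loads described above). The allowlist origins, page origin and sample script list are constructed placeholders.

```javascript
// Constructed allowlist of third-party origins your agreements actually cover.
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://cdn.example-payments.test",   // placeholder: payment provider
  "https://tags.example-analytics.test", // placeholder: analytics vendor
]);

// Classify a script URL relative to the page origin:
// "first-party", "allowed" (on the allowlist) or "unexpected".
function classifyScript(src, pageOrigin) {
  let url;
  try { url = new URL(src, pageOrigin); } catch { return "unexpected"; }
  if (url.origin === pageOrigin) return "first-party";
  if (ALLOWED_SCRIPT_ORIGINS.has(url.origin)) return "allowed";
  return "unexpected";
}

// True when the script is pinned with a Subresource Integrity hash,
// so a silent change at the vendor is refused by the browser.
function hasIntegrity(script) {
  return typeof script.integrity === "string" &&
    /^sha(256|384|512)-/.test(script.integrity);
}

// Audit a list of {src, integrity} descriptors and return findings
// a defender would want to review (or ship to a reporting endpoint).
function auditScripts(scripts, pageOrigin) {
  const findings = [];
  for (const s of scripts) {
    const kind = s.src ? classifyScript(s.src, pageOrigin) : "inline";
    if (kind === "unexpected") {
      findings.push({ src: s.src, issue: "origin not in allowlist" });
    } else if (kind === "allowed" && !hasIntegrity(s)) {
      findings.push({ src: s.src, issue: "no SRI integrity attribute" });
    } else if (kind === "inline") {
      findings.push({ src: null, issue: "inline script (not attributable to a vendor)" });
    }
  }
  return findings;
}

// Browser-only wiring: report script tags added after page load. Returns
// null outside a browser so the audit functions stay usable server-side.
function watchDynamicScripts(report = console.warn) {
  if (typeof MutationObserver === "undefined" || typeof document === "undefined") return null;
  const pageOrigin = location.origin;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) for (const n of m.addedNodes) {
      if (n.nodeName !== "SCRIPT") continue;
      for (const f of auditScripts([{ src: n.src, integrity: n.integrity }], pageOrigin)) {
        report("third-party script finding", f);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

A check like this complements, rather than replaces, a Content Security Policy: the observer only sees scripts after they are inserted, so findings should be reported to a server endpoint for follow-up, not just logged.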
Cross CPRA Compliance Off Your List of New Year Resolutions