See how you can maintain an inventory of CCPA-regulated data and provide regulators proof of 24/7 data monitoring, fulfillment of right-to-be-forgotten requests at endpoints, and policy enforcement.
As of January 1, 2023, CPRA extends further protections to “Sensitive Personal Information.” Qohash finds SPI on any data source, in any location, and monitors it 24/7 for evidence of sensitive data policy enforcement.
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are considered the most comprehensive consumer data privacy laws in the U.S., and a benchmark for other states.
CCPA was enacted to enhance privacy rights of California residents by setting guidelines on how businesses should handle private consumer information. CPRA, also known as CCPA 2.0, builds on CCPA’s foundation and enhances consumer privacy protections, as well as the obligations for companies and organizations that process personal information.
CCPA has been fully enforceable since July 2020. Businesses have until January 1, 2023 to become CPRA compliant.
CPRA’s amendments to CCPA apply to any for-profit business that collects personal information on California-based consumers and meets any of the below criteria:
Note: Businesses need not have operations or employees in CA in order to be subject to CPRA.
CCPA does not apply to nonprofit organizations or government agencies. Other exemptions include:
For purposes of CCPA, a California resident is defined as an individual who uses California residency for income tax purposes. CCPA does not protect consumers who are temporarily in the state of California.
The CCPA defines “personal information” as information that identifies, relates to, describes, or is reasonably capable of being associated with a particular consumer or household. This includes: name, address, birthday, biometric data, social security number, telephone number, email address, and any other information linkable to a specific individual.
Sensitive Personal Information is a subset of personal information newly defined in the CPRA.
SPI is personal information that reveals:
The CCPA offers two exemptions:
Neither the CCPA nor the CPRA extends to data already protected by other laws, such as:
The CCPA creates six specific rights for consumers:
The CPRA creates three additional rights:
The CPRA creates a new state agency, the California Privacy Protection Agency, and transfers all rulemaking and enforcement authority to it from the California attorney general.
The CPRA tightens enforcement, removing the mandatory 30-day cure period that businesses currently enjoy under the CCPA and tripling penalties for violations that involve minors under the age of 16. The law also expands the types of data breaches that are considered within the scope of the data breach private right of action to include breaches of a username or email address, in combination with a password or security question and answer that would permit access to an online account.
Provide evidence to auditors of clear steps taken to secure the confidentiality of customer information and protect it against threats and unauthorized access.
The CPRA introduces new requirements for “sensitive personal information.” Businesses must limit the use of SPI and make sure it’s adequately protected.
The CPRA requires any business that processes personal data to perform periodic privacy risk assessments and independent cybersecurity audits.
Run keyword searches by name, date, credit card number, and more to find all copies of SPI across business systems. See which categories of sensitive data are stored on business systems. See how specific data elements moved across employees and locations.
Delete data directly within the platform to show compliance with data deletion requests in any location – including endpoints.
CCPA/CPRA gives consumers the right to know what SPI a business holds about them, correct inaccurate information, and delete sensitive personal data upon request.
CCPA/CPRA requires that businesses have data retention policies in place so that data is automatically deleted once it’s no longer relevant to the business.