A 6 step guide to CPRA from your privacy friends at Box

With the new year comes new resolutions and complying with the California Privacy Rights Act (CPRA) should be at the top of every privacy team’s list.

Passed by California voters in 2020, the CPRA substantially amends and expands the requirements under the California Consumer Privacy Act of 2018 (collectively, CCPA), bringing California’s privacy laws closer, in many ways, to Europe’s General Data Protection Regulation (GDPR). Beginning on January 1, 2023, companies who meet the updated criteria* set forth in the CCPA will now be charged with maintaining compliance with California’s amended privacy law.

Why Should You Care? The CCPA applies to for-profit entities that collect, share, or sell, personal information of Californians, regardless of where these entities are located. As the largest sub-national economy in the world and home to some of the most globally interconnected companies, there is a good chance you do or will do business in California. Therefore, you’ll want to pay attention to the CCPA.

We know that complying with new laws can be overwhelming, so we’ve done the work to support your efforts to become CCPA ready. Over 100,000 global businesses rely on the Box Content Cloud to help them meet constantly evolving security and compliance needs. To help you navigate the latest changes in US privacy law, we’ve created this ‘6 Step Guide’ to jumpstart your journey towards CCPA compliance.*

  1. Get a handle on your information. Understand what types of personal information you currently collect, how it’s used, where it's stored, and how it's secured. In order to determine what organizational changes, you will need to make to comply with CCPA, you will need to know if you are collecting or processing personal information of your employees, of business to business (B2B), or directly from consumers. This first step is essential because the CCPA marks California as the first and only state to apply a broad privacy law to this range of personal information. Start by centralizing your content in a single system in the cloud, including creating data classification standards so you can better understand any procedural or policy changes that need to be implemented.
  2. Apply a consistent data governance policy. The CCPA obligates businesses to disclose their retention schedules for certain personal information as part of their publicly facing privacy notices. In doing so, businesses will need to remain vigilant in managing their internal data retention and destruction practices according to the set retention schedule they’ve published. Be sure to apply retention policies across all of your data globally that account for local requirements to make sure you are complying with set retention schedules.
  3. Review and update your privacy notices and program. The CCPA is the most comprehensive state privacy law in the US, and you’ll want to make sure your privacy notices and overall privacy program reflect the new reality. You can start by further explaining how you collect, use, and share personal information. More specifically, ensure regional information notices include the most up-to-date categories of personal information your business may have collected, along with how consumers in California may exercise their privacy rights.
  4. Create or update your Data Processing Addendum. Make sure this includes a specific set of privacy provisions relevant to the privacy laws passed in California. Among other provisions, this includes information relating to how you process your customer’s personal information and how you handle consumer rights requests. Importantly, include what security controls you have in place to protect this information and how Californians can exercise their privacy rights. This step is essential to supporting your compliance efforts with your enterprise customers and third-party business relationships.
  5. Enforce data protection obligations with third parties. In addition to internal changes, begin assessing each vendor, contractor, service provider, and partner on its adherence with security, privacy, and compliance regulations and industry standards. As referenced in immediately above, this may include updating contracts with third parties who handle personal information on your behalf or putting written agreements in place that enforce compliance with applicable data protection laws, security controls, confidentiality and international data transfer requirements.
  6. Finally, regularly review compliance milestones, monitor your progress, and stay up to date on any changes to the law. Compliance with CCPA is a marathon, not a sprint, and you can expect to change course as new guidance is released. Like any new regulation, the CCPA is evolving so it's important to stay aware of new developments and adapt your practices accordingly. You may want to begin conducting regular check-ins and audits with key service providers, customers and internal stakeholders to ensure you are taking steps towards adherence by the July 1, 2023 enforcement date.

We know this is a lot to process, and when you have data spread across different systems and geographies it can be difficult to keep track of where content lives and whether you’re properly securing and governing it. Plus, ensuring external companies you do business with are adhering to these standards adds another layer of complexity.

The good news is Box can help get you ready for the amended CCPA. With an enforcement date of July 1, 2023 take steps now to centralize your content in the Box Content Cloud. By using Box, you can easily manage, secure, govern, retain, and dispose of your content. Additionally, with Box Governance and Box Shield, you can apply consistent, built-in retention and security policies across all of your information globally. There’s no time like the present to start checking information governance off of your 2023 new year resolution list with the Box Content Cloud.

* CCPA Criteria:

  • Have $25M in annual gross revenue as of January 1 in the preceding calendar year,
  • Or buy, sell or share the personal information of 100,000 California consumers or households,
  • Or Derives from 50% or more of its revenues from selling or sharing personal information.

**These 6 steps are subject to change as guidance is amended.

While we maintain our steadfast commitment to offering products and services with best-in-class privacy protection, security, and compliance, the information provided above does not, and is not intended to, constitute legal advice and is for general information purposes only; we strongly encourage our customers to perform their own due diligence when assessing compliance with relevant privacy laws.