California voters passed the California Privacy Rights Act (CPRA) in November 2020. It replaces the 2018 California Consumer Privacy Act (CCPA) and is often described as a cousin to the EU’s GDPR law. The law applies to all for-profit organizations within the state. It also requires compliance from anyone doing business in California or collecting data from the state’s residents.
Since the CPRA focuses on data protection, it applies to developers who deal with customer data or develop websites handling customer data. Building good-looking apps and websites that deliver a great user experience is no longer enough; data privacy must also be part of the equation.
With that in mind, let’s look at everything developers need to know about achieving CPRA compliance.
CPRA Compliance Checklist for Developers
Here are the main compliance points organizations need to adhere to:
- Have a process that allows customers to exercise their right to correct personal information.
- Have a process that enables easy opt-out for customers regarding advertising and data sharing.
Before or during consumer data collection, organizations must disclose:
- The categories of data gathered and whether the data will be sold or shared.
- How long the organization plans to keep the data gathered.
- How the data will be used for targeted advertising and how users can opt out.
Organizations mustn’t keep personal or sensitive information longer than necessary to achieve the disclosed purposes.
These are just some of the compliance checkpoints. For more details on the CPRA responsibilities for businesses, visit the Californians for Consumer Privacy website.
The Risks of Non-Compliance with CPRA
CPRA compliance is costly, but non-compliance can lead to even heftier penalties. The California Privacy Protection Agency (CPPA) is a new agency responsible for enforcing the law. It will give out fines of $2,500 for inadvertent non-compliance and $7,500 for intentional non-compliance. The penalties will increase significantly for abusing data belonging to persons under the age of 16.
Apart from financial losses, non-compliance is risky from a reputational and consumer trust standpoint. In the event of a data breach, these factors may even be more damaging than the fines.
The Importance of the CPRA for Developers
App and web developers have long prioritized deadlines, user experience and other factors over security. This is because they tend to focus on elements that improve engagement and keep users coming back. The CPRA puts a significant limit on data gathering, not only for customers but also for employees. That significantly changes a developer’s approach.
The new law requires developers to take a privacy-first approach throughout the software development life cycle (SDLC). This requires a complete mental shift for most developers, and it will take time to attain. Security is no longer a client request; it’s a mandatory requirement.
Security, privacy and transparency must become focal points for software developers. These elements should influence every decision they make throughout the SDLC.
For existing systems, the CPRA means operational and system updates relating to data gathering and storage, security and governance. Developers will have to adjust systems to gather the bare minimum of data, as the law encourages.
Data anonymity capabilities are also required. Data that isn’t crucial for app or website functions should be anonymized to reduce the risk of a data breach.
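The retention and anonymization points above (keep data no longer than the disclosed purpose requires, anonymize what the service does not strictly need, drop anything that was never disclosed) can be enforced in code rather than by policy alone. The following is an added illustration, not code from the article; the retention policy, field names, key and sample record are all constructed assumptions, and pseudonymization is done with a keyed HMAC so analytics can still correlate records without storing the raw identifier.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical policy mirroring the disclosures the article lists:
# field -> (disclosed purpose, retention in days, needed for the core service?)
RETENTION_POLICY = {
    "email": ("account login", 365, True),
    "ip_address": ("fraud prevention", 30, False),
    "precise_location": ("targeted advertising", 90, False),
}

def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash: analytics still work, but the value no longer identifies anyone by itself."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def apply_retention(record: dict, collected_at: datetime, now: datetime, key: bytes) -> dict:
    """Drop expired and undisclosed fields; pseudonymize fields the service does not need."""
    cleaned = {}
    for field, value in record.items():
        policy = RETENTION_POLICY.get(field)
        if policy is None:
            continue  # category was never disclosed, so minimization says do not keep it
        _purpose, days, essential = policy
        if now - collected_at > timedelta(days=days):
            continue  # past the retention period disclosed at collection time
        cleaned[field] = value if essential else pseudonymize(value, key)
    return cleaned

def sweep(records: list, now: datetime, key: bytes) -> list:
    """Apply the policy to every stored (collected_at, record) pair; delete records left empty."""
    cleaned = [(ts, apply_retention(rec, ts, now, key)) for ts, rec in records]
    return [(ts, rec) for ts, rec in cleaned if rec]

# Constructed sample data so the module runs stand-alone.
KEY = b"constructed-demo-key-store-the-real-one-in-a-secret-manager"
COLLECTED = datetime(2023, 1, 1, tzinfo=timezone.utc)
SAMPLE = {
    "email": "alice@example.com",          # essential, kept as-is for 365 days
    "ip_address": "203.0.113.7",           # pseudonymized, gone after 30 days
    "precise_location": "37.77,-122.41",   # pseudonymized, gone after 90 days
    "device_fingerprint": "constructed",   # never disclosed, dropped immediately
}

def demo(days_later: int = 45) -> list:
    """Run the sweep over SAMPLE as of days_later after collection."""
    return sweep([(COLLECTED, SAMPLE)], COLLECTED + timedelta(days=days_later), KEY)
```

Running the sweep on a schedule (and logging what it removed) is what lets the "track data throughout its life cycle" and "get rid of old, unused data" goals be demonstrated to an auditor rather than merely asserted.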
Developers should focus on creating apps that:
- Track data throughout its life cycle.
- Anonymize data when possible.
- Get rid of old, unused data.
- Allow for easy data sharing across the organization.
CPRA Compliance Best Practices for Developers
Perform a Gap Analysis
Gap analysis is the process of determining whether the current system satisfies the desired or mandated requirements. A gap assessment will give developers a clear picture of any existing compliance gaps. For systems that don’t exist yet, a gap analysis will help determine how the new system can fulfill the requirements.
A gap assessment will also determine whether the CPRA applies to your organization. For instance, if your organization doesn’t collect consumer data, the CPRA may not apply to you.
Set Clear Timelines for Reaching CPRA Compliance
Reaching CPRA compliance can be a long process, as developers have many requirements to meet. Doing everything at once with no clear plan is a recipe for failure. Instead, create a compliance roadmap with target dates for meeting each requirement. Follow the roadmap rigorously, but also leverage your company’s existing efforts to reach compliance.
Existing efforts may include significant changes like raising the cybersecurity budget. They may also include smaller implementations such as a VPN for remote workers or stricter access control.
Identify and Update Privacy Notices by January 1, 2023
Privacy notices to customers are an integral part of the CPRA. The law requires that privacy notices are updated at least once every twelve months. Businesses can no longer set and forget their notices.
App developers must identify the existing notices in the system and develop new ones that are in line with the policy changes brought by the CPRA. Notices for employees, job applicants and others must not be forgotten during this process.
Provide Additional Security to Sensitive Data
Not all data has the same value. Consumer data and confidential company documents are examples of sensitive data. Developers must work with other IT employees to separate the sensitive data and provide additional security to ensure its confidentiality.
Some additional security solutions are data encryption, restricted access, two-factor authentication and strong passwords.
Quality Assurance and Testing
When it comes to cyberthreats, you can never be 100% secure, even if you follow all the best practices and regulations. That’s why having additional help from automated logging and testing software is necessary to maximize security.
Develop a process for continuous self-monitoring and quality assurance. Automated penetration testing is a great way to find holes in your system. It’s also very affordable.
Conclusion
The CPRA was instituted in November 2020. The law requires all for-profit businesses in California to comply with data protection standards. Other states throughout the US are also implementing the same or similar legislation to protect consumer data.
Now is the time to reevaluate your data security practices. Developers must take a privacy-first mindset and start thinking about security implications throughout the entire software development life cycle.