CPRA Compliance Audit (Previously CCPA)
The California Privacy Rights Act (CPRA) amends and expands the California Consumer Privacy Act (CCPA), which sets requirements for the collection and processing of California consumers' personal information. Approved by voters in November 2020, most CPRA provisions took effect on January 1, 2023, but they apply to personal information collected from January 1, 2022 onward, so records gathered during 2022 fall within scope. The CPRA introduces new privacy rights for California residents and imposes more stringent obligations on businesses that use personal information. It also established a new state agency dedicated to enforcing California's privacy laws, the California Privacy Protection Agency (CPPA).
How does the CPRA compare with the CCPA?
The CPRA is an enhancement of the CCPA. The CCPA formed the basis of California's data privacy landscape; the CPRA builds on it to strengthen the state's privacy regulations and bring them closer to the European Union's GDPR.
The CPRA does not replace the CCPA. It amends it to benefit consumers and raises the compliance bar for small and mid-sized businesses and enterprises alike.
Our CPRA Compliance Services
At 360 Advanced, we can help you achieve and demonstrate CPRA compliance. Our auditors:
- Determine whether your business meets the thresholds (annual revenue, volume of personal information processed, or share of revenue derived from selling or sharing personal information) that bring it within scope of the law
- Evaluate the requirements that apply to your business
- Determine which of your current privacy and security measures are already CPRA-compliant
- Identify and prioritize remediation actions
- Formally audit and report on your organization’s CPRA compliance program
CPRA Readiness Assessments
CPRA readiness assessments are designed for organizations that are currently taking steps towards – but have not yet fully achieved – compliance.
Our auditors will help you determine how your current privacy and security controls compare to CPRA compliance requirements. We evaluate:
- The types of information you collect from California residents (including names, email addresses, physical addresses, signatures, educational and professional information, internet search and browsing history, geolocation data, and other personal identifiers), and the ways you use this information
- The technologies you use to store and process consumer data (including customer relationship management software and sales or marketing enablement software)
- Your organization’s internal and public-facing privacy policies, including opt-in and opt-out policies, consent forms, notices and disclosures, and policies that specifically pertain to the collection of minors’ information
- Your organization’s data collection, data retention, data access, and data deletion policies
- Your organization’s procedures for receiving, verifying, and responding to consumer requests (to know, delete, correct, opt out of sale or sharing, and limit the use of sensitive personal information) within the required timeframes
- Your organization’s agreements with service providers, contractors, and third parties that receive personal information
- Your organization’s employee training programs
- Your organization’s incident response plan and breach notification policies
- Leadership and accountability standards for your internal CPRA compliance program
CPRA Compliance Audits
Once you have designed a privacy and security program that meets the obligations of the CPRA, our auditors can formally evaluate your policies, processes, and procedures. A CPRA compliance audit covers the same control areas as a readiness assessment, with the results documented in a formal report.
CPRA compliance audits allow organizations to demonstrate their commitment to protecting consumers' personal information. You can share your report with key stakeholders, regulators, and prospective clients, documenting your controls and providing independent third-party validation of your efforts.
Integrated Privacy, Security, and Compliance Assessments
The California Consumer Privacy Act was the first comprehensive state consumer privacy law in the United States, and other states are enacting or considering similar legislation. As consumers continue to demand stronger protections, companies that handle their data will be held to an increasingly complex set of overlapping regulations.
360 Advanced can help you navigate your compliance efforts. Our team has extensive experience with consumer data protection requirements, as well as commonly used frameworks and standards such as ISO and NIST frameworks, PCI DSS, and the AICPA SOC suite of services.
With this experience, our auditors can help you identify overlap between relevant programs, making it easier to manage each of your efforts. For instance, certain types of consumer data are also covered by HIPAA; our firm can help organizations that process health-related data understand the relevant exemptions and tailor their programs accordingly. Similarly, we can help organizations that are already GDPR-compliant leverage existing evidence for their CPRA audit. By integrating multiple initiatives, we make it easier for organizations to meet obligations and achieve a broader view of their compliance programs.