Zapproved has been acquired by Exterro, the leader in Legal GRC.
Read more here

Zapproved

Ediscovery Software For Corporate Legal Teams

Search

The CPRA Compliance Checklist for Ediscovery

by - Best Practices, Ediscovery, Industry News

On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect. This regulation was the first of its kind in the United States, but it followed closely on the heels of Europe’s groundbreaking General Data Protection Regulation (GDPR). Both regulations have gradually been followed by other states and localities. 

In January, 2023, California is amending its privacy laws with the enactment of the California Privacy Rights Act (CPRA). This measure, in conjunction with existing provisions in the CCPA, will introduce some important changes to privacy policies that may affect your business in important ways. In this post, we’ll look at the state of privacy in California (and beyond) and provide a checklist to ramp up CPRA compliance ahead of next January.

Answering the Biggest Questions Related to CPRA and Ediscovery

Privacy regulation plays a big role in developing and maintaining defensible ediscovery preservation programs. Staying up to speed on evolving regulation is also essential for creating a robust approach to data governance. Here’s a quick reference guide to some of those most frequently asked questions relating to the CPRA:

What organizations must comply, and what are the consequences for non-compliance?

CPRA language defines a “business” as an organization which meets any of the following criteria:

  • Annual revenue that exceeds $25 million
  • Collected personal information from more than 100,000 customers
  • Earns more than 50% of annual revenue from the sale of California resident data

The intensifying focus on consumer privacy means that the penalties for non-compliance have also gotten steeper. In addition to levying stronger fines, the CPRA also creates a new, dedicated enforcement agency, the California Privacy Protection Agency (CPPA). Violations can apply to the way data is used by the business and also the way data has been protected in the event of a breach:

  • Violations deemed intentional are subject to a fine of $7500
  • Accidental violations are subject to a $2500 fine
  • Culpability in a data breach will result in damages paid to compromised data subjects in the range of $100-$750 each

What new rights do consumers have under CPRA regulation? 

Existing CCPA statutes already provide for stronger consumer rights when it comes to the use of personal data. CPRA regulations augment these rights in the following ways:

  • Consumers must be given the option to opt out of the selling and the sharing of personal information
  • Organizations must limit the use of new categories of sensitive data, which include identifiable information, location data, or information about consumer race, ethnicity, religion, or sexual orientation
  • Consumers have the right to correct personal information
  • Organizations must provide consumers with “meaningful information” regarding the use of data in automated decision-making and provide the opportunity for opt out in such instances

What new obligations do businesses face under CPRA regulation?

In addition to new protections for consumers, the CPRA also obliges businesses to take action related to three specific areas:

  • Data retention and minimization provisions state that consumer information collected must be “reasonably necessary and proportionate to either the purposes for which it was collected or another disclosed purpose.” Additionally, retention rules will place limits on the amount of time personal information can be stored. 
  • Cybersecurity audits and privacy risk assessments will be required on an annual basis for those businesses that meet a standard of higher risk for the processing and use of personal information.
  • Vendors and third parties, classified as “contractors” under the CPRA, must coordinate with partners regarding the use of consumer data and add new contract language for disclosure of personal information when such information is used as part of a contract.  

Be Proactive in Your Preparation for CPRA

The CPRA is only one in a series of state privacy regulations that will soon go into effect: Virginia, Colorado, Utah, and Connecticut have passed similar legislation. Managing that complexity will require a clear plan of attack, dedicated resources, and great process. As you build or augment your privacy strategy, the following checklist—while by no means exhaustive—can be a handy reference: 

Determine whether your organization is subject to CPRA regulation with these criteria:

  • Your annual revenue exceeds $25 million
  • You buy, sell, or share personal information from more than 100,000 California consumers
  • At least 50% of your annual revenue comes from selling or sharing California consumer information

The CPRA regulates the usage of personal information, defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Do a thorough audit of all stored data to see if it includes any of the following:

  • Social Security numbers, drivers licenses, or other forms of identification
  • Financial account numbers and login credentials
  • Geolocation data for consumers
  • Data related to race, ethnicity, sexual orientation, religious beliefs, or membership affiliations 
  • Internal communications that include emails and text messages
  • Biometric data or health records of any kind

Make sure your use of any personal information or consumer data has been properly disclosed under these guidelines:

  • Consumer data is only used in instances for which consent has been granted
  • Consumer data cannot be used for any additional purposes without further notice of opt in/out capability 
  • Consumer data cannot be collected beyond the scope of disclosures
  • Individual pieces of consumer data can be restricted at the subject’s discretion 

Perform an audit/update of documentation related to new regulation, including:

  • Disclosure notices
  • Declaration of new consumer rights
  • Opt-in/out language
  • Website notifications (ensure clarity, both in language, visibility, and equal access)
  • Service agreements (ensure compliance with new vendor and third-party obligations)

Update, augment, or build strong internal processes related to:

  • Handling and responding to consumer rights requests
  • Data governance policies around data minimization and data retention
  • Risk assessments and cybersecurity audits
  • Compliance training for those who work closely with personal consumer information

Get Your Ediscovery Process Compliance-Ready

Changes to the way your company collects, shares, sells, and uses personal consumer data could also have a significant impact on your legal holds and ediscovery process. CPRA has especially relevant provisions regarding data retention that could impact defensibility if not fully addressed.

At first glance, this may just seem like another procedural headache on top of already-complex ediscovery practices. But as we’ve discussed before, many of the behaviors and requirements of privacy regulation are already practiced by your legal team in some form—cataloging and collecting data, reviewing for relevance and personally identifiable information, and producing data. 

That means your ediscovery tool also plays an important role in your privacy policy, saving you time and resources without having to purchase, learn, administer, or duplicate efforts across multiple platforms. ZDiscovery by Zapproved reduces this complexity with an easy-to-use interface designed specifically for corporate legal teams, making it the perfect complement to your data privacy approach. 

Reach out today for a closer look at how Zapproved can help you tackle the challenges of privacy regulation.

Reach out today for a closer look at how Zapproved can help you tackle the challenges of privacy regulation

Take a Demo

4 Strategies to Advance Your In-House Legal Department

Let’s face it, being a corporate legal team in the year 2023 is no easy task. A lot has changed in recent years, and teams now rely on collaboration between legal, technical, and operational specialists. To advance in-house legal department strategy, today’s ediscovery teams must be multifaceted, integrating different considerations, roles, and technologies. But this […]

How Zapproved’s Automated Custodian Workflows Helps Corporate Legal Teams

Why Staying on Top of Legal Hold Custodians is so Important What’s the first thing you do when an active legal hold custodian is leaving your company? Do you find yourself scrambling to figure out what ediscovery actions need to be taken? Has the employee’s data been preserved? Where are the employee’s laptop and company […]

Two Ediscovery Best Practices for Information Governance

For most enterprises, managing data is like herding billions of very active cats. As corporations moved from paper to digital data (but still retained mountains of paper files), the sprawl initially shocked and disoriented those responsible for knowing where the data was kept.  Fast forward to now, and the shock has worn off. That is […]

Zapproved is Now an Exterro Company!

Legal GRC Platform Exterro Announces Acquisition Of E-Discovery Provider Zapproved Combination of Zapproved’s Industry-Leading Customer Service and Exterro’s Award-Winning Legal GRC Platform Will Enable Organizations to Better Manage the Complex Interconnections of E-discovery, Privacy, Legal Operations, Digital Investigations, Cybersecurity Response, and Information Governance. PORTLAND, Oregon – Jan. 19, 2023 – Exterro, a leading provider of […]