Ang California Privacy Rights Act (CPRA) ay naging fully effective noong 2023, significantly expanding ang California Consumer Privacy Act (CCPA). Ang California Attorney General ay nag-aggressively enforce both statutes, na nag-file ng 8 major enforcement actions noong 2024.
CCPA/CPRA Compliance Framework
Ang statutes ay nag-grant ng consumers ng specific rights:
Right to Know: Consumer ay may right na malaman kung anong personal information ang business ay nag-collect, kung bakit, at sa sino ito shared
Right to Delete: Consumer ay may right na mag-request ng deletion ng personal information
Right to Opt-Out: Consumer ay may right na mag-opt out mula sa sale o sharing ng personal information
Right to Correct: (CPRA addition) Consumer ay may right na mag-request ng correction ng inaccurate personal information
Right to Limit Use: (CPRA addition) Consumer ay may right na limit use at disclosure ng personal information
California AG Enforcement Pattern 2024
Case Trend: Businesses na nag-fail na mag-honor ng data deletion requests within required timeframe (45 days).
Key Violations:
- Incomplete deletion across all business systems
- Retention ng archived or backup data after deletion request
- Failure na mag-delete data held sa third-party service providers
- Inadequate tracking ng deletion requests
Technical Challenges sa Data Deletion
System Fragmentation: Modern businesses typically process data sa multiple systems:
- Customer relationship management (CRM)
- Data warehouses
- Analytics platforms
- Email systems
- Backup systems
- Archived data repositories
Compliance Requirement: Delete data from ALL systems, not just primary database.
Technical Solution: Requires automated PII detection systems na:
- Scan all data repositories
- Identify all occurrences ng consumer personal information
- Trigger deletion across all systems
- Maintain audit trails ng deletion activities
Personal Information Definition
Ang CCPA/CPRA ay nag-define ng "personal information" broadly:
Direct Identifiers:
- Names
- Social Security Numbers
- Email addresses
- Phone numbers
- Postal addresses
- Driver's license numbers
- Passport numbers
Quasi-Identifiers:
- IP addresses
- Cookie IDs
- Mobile device IDs
- Account numbers
- Device identifiers
Special Categories:
- Biometric data (fingerprints, facial recognition)
- Precise geolocation
- Health information
- Trade secret designations
California-Specific Identifiers
Social Security Number: 9-digit format, critical identifier na may legal significance.
California Driver's License: 8-digit format with specific validation algorithm.
Enforcement Penalties
Ang California Attorney General ay may authority na mag-impose ng:
Civil Penalties: Up to $7,500 per intentional violation (CCPA) or $2,500 per unintentional violation
Injunctive Relief: Court orders requiring remediation
Restitution: Compensation sa affected consumers
Compliance Automation Strategy
Data Inventory: Maintain catalog ng all data repositories containing personal information
PII Detection: Automated systems para sa identifying personal information
Deletion Workflow: Automated process na trigger deletion across all systems upon consumer request
Verification: Confirmation na deletion ay successful across all repositories
Audit Trail: Comprehensive logging ng deletion activities
Ang California trend ay increasingly requiring technical sophistication sa data management para sa compliance.