
Frontrunner state, California, adopts new data rules

Frontrunner state, California, adopts new data rules
April 21, 2024
Introduction
California’s new privacy law CPRA will require American businesses to enforce data minimization. Redaction and anonymization tools are vital for complying with the new regulations set out for 2023.

In November 2020, the government of California approved an amendment to the already existing data privacy law California Consumer Privacy Act (CCPA) from 2018. The new proposition 24 is called the California Privacy Rights Act (CRPA), and it was approved with 56% to 44% of the votes. In the U.S., California is known for being ahead of the rest, when it comes to the legal implementation of data security and protection of privacy. Perhaps a natural consequence of its status as a tech innovation hub and the home of Silicon Valley and Facebook.
With this new amendment, California’s privacy law now looks strikingly more similar to that of the European GDPR-regulative. Accordingly, the new law is stricter in several ways. Therefore, it was quite surprising, how the law was put in place without much resistance from corporate California.
According to professionals in the field, the lack of juridical outcry was mainly due to three things. 1.) The ongoing election. 2.) The fact that data privacy is an upward going trend, and that going against it by lobbying to stop the new amendment is a highly unpopular signal to send to consumers. And 3.) The big tech companies and lobbying superpowers have already implemented the GDPR-rules, i.e., the transition to CPRA is hardly an issue and more of a competitive advantage over non-GDPR-compliant rivals.
Mid-sized companies affected the most
So, how will the CPRA affect daily business, once the law comes into effect on January 1. 2023?
Well, as mentioned above, big tech companies already complying with GDPR will probably hardly feel the new amendment. While the CPRA toughens certain aspects of the old law, it also relieves some liabilities. For instance, previously the CCPA-law applied to companies, who serve 50.000 California residents, households, or devices under their territory. With the new CPRA, “devices” are off the list, and the bar has been increased to 100.000, leaving the overall threshold for compliance at a more SME-friendly level.
In conclusion, companies that surpass the threshold of 100.000 households/residents and have no European activities will probably be most affected by the law. Candidates encompass companies in labor and knowledge-intensive industries such as law, consulting, real estate, and accounting (excluding the big four American accounting firms). A mid-range firm may not have the manpower to throw tons of lawyers and accountants after privacy compliance, even though they are at risk of breach due to the vast amount of their data. In particular, the new CPRA privacy law contains three pillars, that middle-sized companies need to navigate after in the future:
- Data blueprinted partners only.
- Fines independent of harm factor.
- Required data minimization.
CPRA introduces the data minimization principle
Let´s zoom in on the latter. It is by far the requirement calling for most effort, and it is imperative to both prevent fines and mitigate an unregulated exchange of information with third parties.
Coming back to the headline above: What must companies be especially aware of, and why can a redaction software be highly useful to have in the digital toolbox?
The CPRA implies that personal data should not be stored and saved by a company for longer than necessary. Under the GDPR, this usually means a deletion of sensitive data after five to ten years depending on the case. For data-driven and knowledge-intensive companies, the deletion is a major hindrance. The logic being “more data is better”, managers, business developers, and controllers alike hate the idea of knowledge being “thrown away”.
The solution is to redact and anonymize data for personal information. Your options are either a modern software redaction tool or manual redaction. Whichever method you choose to redact your data with, you reach the same advantage. You exempt the data at hand from the CRPA (or GDPR) framework, meaning that you can ignore the rules altogether. Of course, only, if you have redacted the data properly! It must never be possible to deduct, for example, who a particular person in the data set is, by means utilizing sources. In that case, you have merely pseudonymized or “masked” the document.
Manual redaction: Not realistic
There are two reasons why manual redaction for the companies encompassed by CRPA is a pretty unrealistic endeavor. First, it may work with small datasets. However, for a 100.000+ household domain enterprise, who produce millions of documents yearly… Hardly likely.
Secondly, traditional manual redaction methods typically come down to blacklining confidential areas and personal identifiers. Yet, that won’t help companies, who wish to preserve the meaning inside a given document after a full implementation of CRPA. A valuable ability, if you wish to build and maintain a substantial knowledge bank. Not to mention taking advantage of new technologies such as AI and machine learning, where high-quality data is a minimum requirement.
To still be able to make sense of the data (names, addresses, social security numbers, and all the other identifiers), you need to replace them with something else. That requires methods a little more sophisticated and trickier than “just” hiding information in a document. Luckily, there are ways to automate the redaction and anonymization process with the help of a software redaction tool.
It is currently the only way for the companies in question to avoid deleting their precious data after a certain period. Luckily, these automated redaction tools have become better over time. Especially after the EU decided to set the standard for new data ethics... While the rest of the world seems to be tagging along at a slower pace.
Risk of larger fines and more lawsuits
The new Californian rules are no doubt a positive step towards securing more data privacy for American citizens. It also helps companies identify and comply with the governing rules. Yet, there is an increased risk of receiving fines under the new amendment. Predominately because the former law required plaintiffs to document harm such as monetary losses in order to receive compensation. Now, the mere existence of a breach – harm or no harm – is enough to trigger a fine.
All the more reason to spend the next two years preparing and implementing effective tools to avoid breaches AND preserve valuable data in redacted forms. Cleardox can deal with that.
Interested in getting a closer look at our product? Sign up for a demo here!
Cheers,
The Cleardox team
What is the California Privacy Rights Act (CPRA), and how does it differ from the CCPA?

The California Privacy Rights Act (CPRA) expands and strengthens the original California Consumer Privacy Act (CCPA). Among other changes, it introduces stricter requirements around data minimization, data retention, and consumer privacy rights, bringing California's privacy framework closer to the GDPR.
What does the CPRA data minimization principle require businesses to do?

The CPRA requires organizations to collect, retain, and share personal information only when it is necessary for a specific business purpose. Proper anonymization allows businesses to retain valuable information while removing personal data, helping them comply with the law without losing important insights.
Why are mid-sized companies expected to be most affected by the CPRA?

Many large enterprises have already adapted their processes to meet GDPR requirements, making the transition to CPRA easier. Mid-sized organizations often have fewer compliance resources while still processing large amounts of personal data, making efficient anonymization tools especially valuable.
Why is automated redaction software a better long-term solution for CPRA compliance?

Manual redaction is difficult to scale and increases the risk of human error. Professional redaction software like Cleardox automates the identification and irreversible removal of sensitive information, making compliance faster, more consistent, and easier to maintain as document volumes grow.
What are the risks of failing to comply with the California Privacy Rights Act?

Organizations that fail to comply with the CPRA may face regulatory fines, legal action, and reputational damage following a data breach. By securely anonymizing personal information before documents are shared or stored, businesses can significantly reduce compliance risks while continuing to use valuable data safely.













