The California Privacy Rights Act, or CPRA, is one of a kind in the United States – but it may not be for long. In a recent webinar, Brian Ray, Director of CSU’s Center for Cybersecurity and Data Privacy, and Julie DiBiaso, Director of Graduate Studies and Professional Development, examined the CPRA and explained how an online Master of Legal Studies (MLS) in Cybersecurity and Data Privacy from CSU fits into the bigger picture.
California’s Expanded Privacy Rights
State privacy law is one of the fastest-moving and most interesting areas of cybersecurity and privacy. The emerging rulings include an amended version of California’s original, groundbreaking law, now complete with expanded cybersecurity requirements. These state-mandated requirements, in turn, require innovative responses in companies that drive the future of data privacy and security. At CSU, we emphasize the importance of this sequence, and it’s one of our key success factors.
California was the first state to create what we now refer to as a Comprehensive Consumer Privacy Law. As it stands right now, there is no comprehensive federal consumer privacy law. The states are following a model developed in Europe under what’s called the General Data Protection Regulation (GDPR). Essentially, it provides a set of rights to consumers covering what companies can and cannot do, and establishes the need to ask permission with respect to personal information. In creating this path-breaking law, California moves closer to Europe in terms of adding additional protections.
Know, Delete, Opt Out, Opt In
The California Privacy Rights Act (CPRA) and the General Data Protection Regulation (GDPR) are both comprehensive privacy laws that give consumers greater control over their personal data. While there are some similarities between the two laws, there are also some key differences.
Under the CPRA, consumers in California have the following rights:
Right to know: Consumers have the right to know what personal information businesses are collecting about them, why it is being collected, and with whom it is being shared.
Right to delete: Consumers have the right to request that businesses delete their personal information.
Right to opt out: Consumers have the right to opt out of the sale of their personal information.
Right to correct: Consumers have the right to request that businesses correct inaccurate personal information.
Right to data portability: Consumers have the right to request that businesses provide them with a copy of their personal information in a portable format.
Right to non-discrimination: Consumers have the right to not be discriminated against for exercising their privacy rights.
In comparison, under the GDPR, consumers in the European Union have the following rights:
Right to access: Consumers have the right to access their personal data and obtain information about how it is being processed.
Right to rectification: Consumers have the right to request that businesses correct inaccurate personal data.
Right to erasure: Consumers have the right to request that businesses delete their personal data in certain circumstances.
Right to restrict processing: Consumers have the right to request that businesses limit the processing of their personal data.
Right to data portability: Consumers have the right to request that businesses provide them with a copy of their personal data in a portable format.
Right to object: Consumers have the right to object to the processing of their personal data in certain circumstances.
Right not to be subject to automated decision-making: Consumers have the right to not be subject to decisions based solely on automated processing.
Overall, both the CPRA and GDPR provide consumers with similar rights to control their personal data. However, the CPRA is limited to California residents, while the GDPR applies to all individuals in the European Union. Additionally, the GDPR provides consumers with the right to restrict processing and the right to object, which are not explicitly included in the CPRA.
The Key Role of Compliance
Complying with California’s law is an extensive process. Lawyers advise clients on what the law and regulations mean, but much of the implementation of a privacy program is performed by compliance professionals, from Privacy Specialists all the way up to Chief Privacy Officers. The increasing requirements under California and other state laws require a growing number of these roles at medium and large organizations.
Your Multifunctional Degree
This is the core of what we do in the online Master of Legal Studies (MLS) in Cybersecurity and Data Privacy. Understanding legal concepts is essential for pursuing a career in privacy compliance because privacy laws and regulations are complex and constantly evolving. Privacy compliance professionals need to be familiar with various legal concepts such as data protection, information security, and privacy frameworks. They also need to be knowledgeable about the legal requirements and standards set by GDPR, CCPA, HIPAA, and other privacy laws.
Privacy compliance professionals are responsible for ensuring that their organization’s data collection, processing, and storage practices align with legal requirements. This requires a deep understanding of the legal landscape and the ability to interpret and apply legal concepts to specific business operations.
Furthermore, privacy compliance professionals are often responsible for drafting and implementing privacy policies, procedures, and guidelines. They need to have strong legal writing skills to ensure that these documents are clear, accurate, and legally compliant.
In summary, a strong understanding of legal concepts is crucial for privacy compliance professionals to effectively perform their duties and mitigate the risks associated with data privacy breaches. Without a thorough understanding of legal requirements, privacy compliance professionals may be unable to effectively protect their organization’s data and mitigate risks associated with non-compliance.
Our program consists of 10 courses across 5 semesters. It is part-time and asynchronous with synchronous components. We strongly encourage you to reach out to either Julie or Brian with any questions.