Sampada Basarkar
3 min read, Jan 25, 2021


California Privacy Rights Act Compliance

As expected, on November 3, 2020, Californians approved Proposition 24 with about 56% of the vote, creating new privacy legislation, the California Privacy Rights Act (CPRA). The law takes effect on January 1, 2023 and becomes fully enforceable on July 1, 2023. It significantly expands the existing California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, and it applies to covered businesses that handle the personal information of California residents, regardless of where they are headquartered.


CPRA introduces a new category, Sensitive Personal Information. It includes Social Security, driver’s license, state ID card and passport numbers; account log-in or financial account details in combination with any required security or access code that enables access to the account; precise geolocation; the contents of a consumer’s mail, email and text messages (unless the business is the intended recipient); racial or ethnic origin; genetic data; biometric information processed to uniquely identify a consumer (for example, fingerprint or facial recognition used for access); health information; and sex life or sexual orientation.

The regulation also raises the risk and exposure for any business that handles sensitive information. Companies must document the collection, use, retention and sharing of personal information in line with the new requirements, and before they can meet audit requirements they first have to discover and classify the data they hold.

Any company with a mid-sized to large data landscape is likely to hold hidden or unused assets that contain sensitive data. Large enterprises may have to search through millions of columns in their data lakes, many of them with cryptic column names. Manual data discovery at that scale is impossible: it takes too long and costs too much. An automated, ML-driven discovery process that scans the entire data landscape, learns the patterns in the data, catalogs data assets automatically and helps classify them as sensitive is essential for compliance. Finding and classifying the data is only the starting point: CPRA also requires companies to track how sensitive data is used, including in automated decision making, to control the data lifecycle, and to protect data according to its sensitivity.

IBM Watson® Knowledge Catalog, powered by IBM Cloud Pak™ for Data, is a hybrid cloud service that helps organizations detect, protect and govern sensitive data. Here is a framework to follow when embarking on such a project.

1. Define the scope and priorities of your data privacy project. While it may be tempting to hunt for sensitive data in many hidden data sources, start with your business-critical systems.

2. Identify the tasks that have to be carried out to become CPRA compliant.

3. Identify the kinds of PII your company stores. Establish a PII taxonomy, link it to business terminology your employees understand, and establish policies, phrased in business terminology, that prescribe how data must be managed depending on its sensitivity.

4. IBM provides a set of business glossary definitions that you can pre-load to accelerate your CPRA project, specifically industry-specific business terms linked to a PII taxonomy.

5. Execute data discovery to establish a data inventory. This includes mapping sensitive columns to business terminology.

6. Consider and track how data flows through your systems (data lineage).

7. Track progress.

8. Implement processes that keep sensitive data safe and managed efficiently through its entire life cycle, moving from human-driven enforcement of policies around sensitive data to automated enforcement.

9. Implement change management so you can react quickly to changes in data, regulations or company guidelines.
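Steps 3 and 5 above, and the automated discovery described earlier, come down to classifying columns by their contents rather than their names. The following Python is an added example written for this post, not IBM Watson Knowledge Catalog code: three illustrative detectors (SSN structure, Luhn-checked payment card numbers, precise latitude/longitude pairs) are mapped to a small PII taxonomy whose policies are phrased in business language, and each column of a constructed table with cryptic names is classified by the share of sampled values a detector accepts. The taxonomy terms, policy wording, detectors and the 80% match threshold are all assumptions, not anything the CPRA or IBM prescribes.

```python
"""Content-based discovery of sensitive columns for a CPRA-style data inventory.

Added example, not IBM Watson Knowledge Catalog code. The taxonomy terms,
policy wording, detectors and the 80% match threshold are illustrative
assumptions; the sample table below is constructed.
"""
import re

# ---- Detectors: each decides whether ONE cell value looks like the category ----
_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

def looks_like_ssn(value: str) -> bool:
    """US SSN, with or without dashes, applying the SSA structural rules:
    area not 000, 666 or 900-999; group not 00; serial not 0000."""
    m = _SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return not (area == 0 or area == 666 or area >= 900 or group == 0 or serial == 0)

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def looks_like_card_number(value: str) -> bool:
    """13-19 digits (spaces or dashes allowed) that pass the Luhn check."""
    digits = re.sub(r"[ -]", "", value.strip())
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)

_GEO_RE = re.compile(r"^(-?\d{1,2}\.\d{4,}),\s*(-?\d{1,3}\.\d{4,})$")

def looks_like_precise_geolocation(value: str) -> bool:
    """'lat, lon' with at least four decimals (roughly 11 m), i.e. precise
    rather than city-level, and both coordinates within valid ranges."""
    m = _GEO_RE.match(value.strip())
    if not m:
        return False
    lat, lon = float(m.group(1)), float(m.group(2))
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0

# ---- PII taxonomy (assumed): term -> (detector, policy in business language) ----
TAXONOMY = {
    "Social Security Number": (looks_like_ssn,
        "Restricted: encrypt at rest, mask in every non-production copy"),
    "Payment Card Number": (looks_like_card_number,
        "Restricted: tokenize at ingest, never land raw in analytics"),
    "Precise Geolocation": (looks_like_precise_geolocation,
        "Sensitive: coarsen before analytics, honor limit-use requests"),
}
REVIEW_POLICY = "Unclassified: route to data steward for manual review"

def classify_column(values, threshold=0.8):
    """Return (term, match_rate): the taxonomy term whose detector accepts the
    largest share of non-empty sampled values, if that share reaches the
    threshold; otherwise 'unclassified'. Nulls and blanks are not counted."""
    sample = [str(v) for v in values if v is not None and str(v).strip()]
    if not sample:
        return "empty", 0.0
    best_term, best_rate = "unclassified", 0.0
    for term, (detector, _) in TAXONOMY.items():
        rate = sum(detector(v) for v in sample) / len(sample)
        if rate > best_rate:
            best_term, best_rate = term, rate
    if best_rate < threshold:
        return "unclassified", best_rate
    return best_term, best_rate

def build_inventory(table, threshold=0.8):
    """table maps column name -> list of sampled cell values. Returns one
    inventory row per column: the data-inventory step of the framework,
    mapping a cryptic column to a business term and the policy it carries."""
    rows = []
    for column, values in table.items():
        term, rate = classify_column(values, threshold)
        policy = TAXONOMY[term][1] if term in TAXONOMY else REVIEW_POLICY
        rows.append({"column": column, "term": term,
                     "match_rate": round(rate, 2), "policy": policy})
    return rows

# Constructed sample with cryptic names: the header alone classifies nothing.
SAMPLE_TABLE = {
    "c_01": ["ORD-00012", "ORD-00013", "ORD-00014", "ORD-00015"],
    "c_02": ["123-45-6789", "456789012", "078-05-1120", None],
    "c_03": ["4111 1111 1111 1111", "5500-0000-0000-0004", "340000000000009", ""],
    "c_04": ["37.7749, -122.4194", "34.0522, -118.2437", "40.7128, -74.0060",
             "51.5074, -0.1278", "91.0000, 10.0000"],  # last pair is out of range
    "c_05": ["123-45-6789", "hello", "world", "n/a"],  # mixed content: needs a human
}

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_TABLE):
        print(f"{row['column']}  {row['term']:<24} {row['match_rate']:.2f}  {row['policy']}")
```

Two design points matter in practice. First, the detectors validate structure (SSA area/group/serial rules, the Luhn check, coordinate ranges) rather than matching any digit run, which is what keeps order numbers and similar identifiers out of the inventory. Second, the threshold is a trade-off: c_04 still classifies as geolocation with one out-of-range value, while c_05, with a single SSN among free text, falls to the review queue instead of being either ignored or silently labeled restricted.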

Data privacy and protection regulations will soon expand to other states and countries. Organizations must be prepared to adapt quickly to new regulations and regulation updates at a small incremental cost, so it is important to build the privacy framework from the start.

Because the privacy framework described above is part of the broader IBM Cloud Pak™ for Data platform, the effort put into privacy compliance can also be leveraged to establish a self-service analytics solution. This paves the way for managing business-critical data in a cost-conscious way, providing value well beyond compliance with privacy regulations.
