+44 (0) 121 582 0192 [email protected]

The California CPRA Audit Requirements

by | WedMayJ | APAC, Brazil, Canada, EU, Hong Kong, Malaysia, North America, Singapore, South America, Thailand, United Kingdom, United States | 0 comments

World internal audit globe for CPRA privacy audit

Introduction

The newly enacted  California Privacy Rights Act (CPRA),which went into effect  on January 1, 2023, requires a number of privacy audits to be conducted by businesses subject to the law.

Specifically, the CPRA requires businesses that collect, use, or share the personal information of California residents to conduct an annual cybersecurity audit and an annual privacy audit. These audits must be conducted by an independent third-party auditor who has been certified by a recognized organization.

The cybersecurity audit must assess the effectiveness of the business’s security measures and identify any vulnerabilities or risks to the security of personal information. The privacy audit must evaluate the business’s compliance with the CPRA and other privacy laws and regulations.

One Time Lookback Audit

In addition to these annual audits, the CPRA requires businesses to conduct a one-time “lookback” audit that assesses the business’s data collection and use practices over the previous 12 months. The lookback audit must be conducted by a certified auditor and must be completed by January 1, 2025.

Third Party Processor/ service provider  Due Dilligence

The business is authorized to undertake reasonable and appropriate measures to confirm that any personal information collected by its service provider or contractor is utilized in a manner consistent with the business’s obligations under the CCPA and associated regulations as set forth in their written agreement. Such reasonable and appropriate actions may include continuous manual reviews and automated scans of the service provider’s systems, as well as periodic internal or third-party assessments, audits, or other technical and operational tests conducted at least once every 12 months.

Contract clauses are only as good as your actions

If, for instance, a business fails to enforce the terms of the contract or neglects to exercise its right to scrutinize or test the systems of the service provider or contractor, the business may not be able to use the defense that it had no reason to believe that the service provider or contractor would violate the CCPA and related regulations at the time the personal information was disclosed to them. The applicability of this defense will depend on the specific circumstances surrounding the situation.

The Formiti101 Global Privacy Assessment audit is a versatile tool that can be employed to meet the 12 month lookback audit and to evaluate your business’s compliance with the California CPRA, as well as to conduct a due diligence audit of any third-party processors or service providers. Formiti Data International UK Ltd is an excellent partner for clients with global operations, as it covers all applicable regulations worldwide.