New Year, New Data Privacy Regulations
The deadline for the California Privacy Rights Act (CPRA) is fast approaching. On January 1, 2023, any business that collects, processes and stores information related to California residents will be subject to stricter data privacy regulations — and face heftier fines for compliance violations. Here’s what you need to know about maintaining CPRA compliance.
What’s new in the CPRA?
The CPRA comes on the heels of the California Consumer Privacy Act (CCPA) of 2018, which defined regulations for companies’ use of personally identifiable information (PII). The CPRA takes the law even further, establishing new applicability criteria, stricter rules and more severe non-compliance penalties.
Some key changes include:
- Raises the applicability threshold for organizations that collect California consumers' information from 50,000 individuals to 100,000 consumers or households
- Specifies new requirements for the handling of sensitive personal information (SPI)
- Modifies some consumer rights granted under the CCPA and establishes new ones, specifically the right to opt out of third-party sales and sharing, the right to data portability, the right to limit use and disclosure of SPI, and the right to opt out of automated decision-making technology
- Adds login credentials to the categories of information for which consumers can take legal action in the event of exposure
- Establishes the California Privacy Protection Agency (CPPA) to oversee the investigation and enforcement of the CPRA and amend the regulations as needs change over time
- Keeps the CCPA's fines, ranging from $2,500 to $7,500 per violation, and increases potential fines for violations involving consumers under 16
You’re on the Hook for Your Third-party Vendors
Developers often use JavaScript from third-party vendors or open source libraries, such as social media pixels, chatbots, tracking scripts and payment iframes. Under the CPRA, you may be liable if a third-party script accesses consumers' data for reasons unrelated to the service it provides, or uses your consumers' data for its own purposes, even if the access isn't malicious.
There are many documented cases of JavaScript from trusted vendors reading users' PII as they fill out login forms. If the consumer has elected not to share their data with third parties, this is a violation of the CPRA. And third-party contracts often state that the vendor isn't responsible for what data its systems collect. Updating contracts to limit data usage is a good start, but ultimately, controlling third parties' access to sensitive data is the most reliable way to prevent unauthorized exposure.
But even worse than unauthorized access by trusted vendors is unauthorized access by bad actors. Cybercriminals can exploit weaknesses in third-party code to inject malicious scripts designed to skim user data. If consumer data is exposed on your site because of an attack on a third-party vendor, you may be liable for damages that result.
It’s Time to Shore Up Your Website Supply Chain
It’s critical to continuously audit third-party code and always verify that it is collecting expected data under your agreement with them. This is easier said than done. Online businesses may find it difficult to audit third-party scripts for the following reasons:
- Lack of visibility at runtime - Because payment page scripts are served from external hosts and load dynamically, they often change without your server ever seeing the new code. Code alterations, which can include malicious injections, can evade detection for weeks.
- Frequent code changes - Third-party scripts change and update continuously, and a script that passed an initial security review can introduce blind spots in a later update. These changes can mean trouble for your payment page: over 50% of website owners report that their third-party scripts change at least four times a year, sometimes without their immediate knowledge.
- Nth-party vendors - Third-party scripts often load code from other external vendors, who can in turn source code from further vendors. Your partners' code is not required to disclose its dependence on other partners. As this supply chain lengthens, each undisclosed link adds code you have never reviewed, and a compromised nth-party vendor can compromise the entire JavaScript supply chain, taking your site with it.
- Insufficient security reviews - Your business likely relies on client-side code to enrich the user experience, speed up the interface and bring capabilities to market quickly. Because speed is the priority, developers often skip security reviews that would slow the deployment of new code. But even an initial review does not guarantee the security of future updates.
Without a process for continuous script monitoring and threat mitigation, your client-side supply chain puts you at risk of digital skimming, supply chain attacks and possible fines for CPRA non-compliance.
Cross CPRA Compliance Off Your List of New Year Resolutions
An entire skimming-as-a-service industry has emerged in recent years, supplying malicious scripts built to evade traditional detection tools and steal user data. Reviewing traditional code monitoring solutions, such as external scanners or SAST, shows that many legacy tools are not sufficient to detect and prevent all JavaScript attacks that could affect CPRA compliance.
Achieving CPRA compliance requires a comprehensive approach that blends different code mitigation techniques. HUMAN Code Defender offers a combination of behavioral analysis, content security policy (CSP) and granular JavaScript blocking to give website owners complete visibility and control over client-side code.
Code Defender allows website owners to prevent known malicious scripts from loading and transmitting PII, and to block third-party JavaScript from accessing sensitive form fields without disabling the entire script. The solution identifies vulnerabilities and anomalous behavior, and proactively mitigates risk, which prevents the theft of user data and helps with CPRA compliance.