What do I need to know about the updates to the CCPA framework in Drata?
The CPPA (California Privacy Protection Agency) and California's Office of Administrative Law recently issued new regulations under the CCPA. These regulations became effective on March 29th, 2023. As a result, we have updated the CCPA framework you work with in Drata to align with the new regulations. The following changes have been made to what you see in Drata:
CCPA Requirement updates:
The descriptions for most requirements have been updated with new language from the CCPA. All material changes have been mapped to existing or new DCF controls.
13 net new requirements were added to this framework:
Statute: 1798.106, 1798.110
Regulations: 7002, 7003, 7004, 7014, 7015, 7023, 7025, 7027, 7051, 7052, 7053
2 previous requirements were split into 3 new requirements each:
Regulation: 999.313 to 7021, 7022, 7024
Regulation: 999.317 to 7100, 7101, 7102
1 requirement was removed:
Regulation: 999.318
Two of the controls mapped to this requirement (DCF-541 and DCF-547) are already mapped to other requirements. One control (DCF-548), which was directly related to 999.318, is no longer applicable; however, if you had the old version of the CCPA framework, we have not removed it from your account. Because the control is no longer relevant, you are free to mark it out of scope if you choose.
We added a field on applicable requirements that displays the previous OAG regulation number.
Updates to Drata’s DCF controls:
DCF-534 and DCF-552 had a slight update to their wording. If you have not already edited the language of these two DCF controls, you will have access to the updated wording. If you have manually edited these two controls but want to use Drata's latest wording for them, reach out to your CSM.
We've added 3 new controls: DCF-545, DCF-554, and DCF-555. These controls are already mapped to the applicable requirements and policies. If you have our risk management tool, you'll notice they're also mapped to your risks.
We’ve updated the mappings of our DCF controls to align with the new requirements and regulations of the CCPA.
These mappings are additive to the way you're managing your framework now. If you added custom controls to the old version of the CCPA framework, those controls will be mapped to the new versions of the CCPA requirements.
New policy
In order to adhere to these new requirements, we've added a new policy: the Personal Data Management policy.
How do these changes affect me and what should I do next?
When these changes were introduced, you may have noticed a change in your readiness score for the CCPA framework. Here are the steps you need to take in order to stay on track with your compliance goals for this framework:
1. Determine whether any of the new controls are out of scope for your organization.
2. Ensure the DCF controls that are in scope have the necessary evidence.
3. Review and approve the new policy so it is pushed to your employees to accept.