The California Privacy Rights Act went into effect Jan. 1, 2023, expanding the consumer protections offered by the California Consumer Privacy Act.
CPRA enforcement won’t start until July 1 and applies only to violations occurring on or after that date. Businesses are given a six-month window to comply with this new law.
Whether a business needs to create privacy or security programs or update existing programs to comply, it should follow some top-line compliance steps.
If a business was subject to the Consumer Privacy Act, it is likely also subject to the CPRA.
The law expanded the definition of a business to include any for-profit entity doing business in California that collects California consumers’ personal information and meets at least one of the following thresholds: had annual gross revenues of more than $25 million in the previous year; buys, sells, or shares the personal information of 100,000 California consumers or households; or derives 50% or more of its annual revenue from selling or sharing personal information.
The CPRA expanded the number of organizations subject to the CCPA by including all businesses that share data.
Additionally, the CPRA now also covers service providers, contractors, and third-party organizations that process, possess, or receive California consumers’ personal information on behalf of a business, according to the statute.
Evaluate Personal Information Collected
The CPRA increases burdens on businesses for data minimization and purpose limitation. Accordingly, businesses need to evaluate the types of personal information they collect and determine how they use, share, and store that information to achieve business purposes.
Only personal information that is reasonably necessary and proportionate for business purposes is to be collected, processed, and retained. If a business collects sensitive personal information, such as Social Security numbers, bank account numbers and passwords, or geolocation data, the CPRA adds further requirements on its use.
The CPRA also requires businesses to update their privacy policies to identify the categories of third parties to whom information is disclosed and/or sold, the business purpose for collecting and/or selling personal information, and the categories of sources from which personal information is collected.
Businesses must now also inform California consumers of their additional rights under the CPRA, including rights to correct inaccurate personal information and limit the use and/or disclosure of sensitive personal information, the right to information about a business’s data retention practices, and the right to opt out of the use of automated decision-making technology. That technology includes the automated processing of personal information for the purpose of evaluating or predicting personal aspects of consumers’ performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Update Consumer Notices
The CPRA also subjects businesses to new notification requirements, including notifying California consumers of the categories of personal information collected and the purposes for which that personal information is collected and/or used, whether the personal information is sold and/or shared, and the length of time the business retains the consumers’ personal information.
Update Internal Policies
The additional obligations imposed by the CPRA require increased communication between businesses and consumers, primarily in responding to consumers who exercise their new rights.
Businesses should also prepare to establish internal processes to pass along these requests to service providers, contractors, and other third parties with which the business has shared personal information.
Additionally, given the CPRA’s aim for data minimization and purpose limitation, businesses will likely need to create more detailed data retention policies.
These should specify the purpose for which personal information is collected and the length of time it is retained, and define a scope of collection and use that is proportionate to the purposes for which the data was collected.
Finally, the CPRA imposes new obligations on businesses to perform privacy impact assessments and data protection impact assessments. This will require businesses to assess the personal information they collect, identify the systems used to collect and store this information, and address any data protection risks they identify.
Establishing a policy for evaluating the privacy program and its practices is essential when handling requests from the California Privacy Protection Agency and the California Attorney General, as well as other audits.
The CPRA requires updating contract templates and existing contracts with service providers and contractors. It also now requires written agreements with third parties.
Update Websites and Back-End Systems
In addition to implementing CCPA-compliant service provider contracts with every cookie, tag, and tracking technology provider for a website, the website should also honor the Global Privacy Control signal, a browser setting that notifies websites of a user’s privacy preferences, and do-not-sell requests from consumers.
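One way a site can honor the Global Privacy Control signal, shown as an added example that is not part of the article: the GPC specification defines the request header Sec-GPC (value 1 means opt out) and the /.well-known/gpc.json resource by which a site declares support; the function names, decision logic, and sample requests below are this example's own assumptions.

```javascript
// Added example: treating a Global Privacy Control signal as a do-not-sell/share
// request on the server side. Per the GPC specification, a user agent with the
// preference enabled sends "Sec-GPC: 1"; absence or any other value is no signal.
// Function names (gpcOptOut, applyPrivacyPreferences, gpcSupportDocument) are
// this example's own, not from any library.

function gpcOptOut(headers) {
  // HTTP header names are case-insensitive, so match without regard to case.
  const entry = Object.entries(headers || {})
    .find(([name]) => name.toLowerCase() === 'sec-gpc');
  const value = entry ? entry[1] : '';
  return String(value).trim() === '1';
}

function applyPrivacyPreferences(req, storedPrefs) {
  // A GPC signal opts the consumer out for this request. An opt-out already on
  // record is never undone by the mere absence of the header on a later visit.
  const signal = gpcOptOut(req.headers);
  const optedOut = signal || storedPrefs.doNotSellOrShare === true;
  return {
    doNotSellOrShare: optedOut,
    // Third-party tracking/ad tags are only loaded when no opt-out applies.
    loadThirdPartyTags: !optedOut,
    source: signal ? 'gpc-header' : optedOut ? 'stored-preference' : 'none',
  };
}

function gpcSupportDocument(lastUpdate) {
  // Body for GET /.well-known/gpc.json, telling user agents the site honors GPC.
  return { gpc: true, lastUpdate };
}

// Constructed sample requests (not real traffic).
const withSignal = { headers: { 'Sec-GPC': '1', 'User-Agent': 'Example/1.0' } };
const withoutSignal = { headers: { 'user-agent': 'Example/1.0' } };

console.log(applyPrivacyPreferences(withSignal, {}));
console.log(applyPrivacyPreferences(withoutSignal, { doNotSellOrShare: true }));
```

The stored-preference path is what ties the header check to the do-not-sell requests the article mentions: a consumer's recorded choice and the browser signal must both resolve to the same opt-out state.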
The new CPRA requirements are extensive, but by following the preceding steps, a business can ensure compliance with the new law.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Simran Mahal, an active litigator at Hanson Blodgett and Certified Information Privacy Professional (CIPP/US), focuses her practice on litigation and dispute resolution for both public agencies and businesses.