The California Privacy Rights Act (CPRA) took effect in January 2023, replacing the California Consumer Privacy Act (CCPA) and providing consumers with unprecedented rights over their personal information. For businesses, complying with CPRA means upholding a new standard of transparency and accountability. This guide will help.
NOTE: This overview is intended to provide a general understanding of how to achieve CPRA compliance. For specific legal advice, consult with a qualified attorney or privacy expert.
First, know whether the law applies to your business. Businesses that collect or process personal information of California residents and meet one or more of the following criteria must comply with CPRA:
- Annual gross revenue over $25 million
- Collect or share personal data of more than 100,000 California consumers
- Derive more than 50 percent of their annual revenue from sharing or selling personal data
- Handle sensitive personal information (SPI), including Social Security Numbers, financial account details, precise geolocation, or health information
Once you have determined that your business must comply with CPRA, use the following general guidelines to begin outlining a compliance program.
Data Mapping and Inventory
To ensure compliance with CPRA, businesses must have a clear understanding of the personal data that they collect and store. They also need to know where it comes from, how it is collected and used, where it lives, and how long it is retained. Therefore, a comprehensive data inventory will prove essential. Remember that certain types of data require special handling.
For example, you might collect personal data by monitoring consumer activity on websites and social media pages. You might also gather information through purchase histories, customer service interactions, browser cookies, or feedback forms.
CPRA introduces a core principle of data minimization, mandating that businesses collect only the personal data they actually need. Additionally, they must have a stated purpose for the data they collect and delete the data when it is no longer needed for that purpose.
Once you have identified your data and data sources, label sensitive information to facilitate the special handling it requires. Update retention policies as well, to ensure personal data is removed once it has served its purpose.
Privacy Policy Updates
Compliance with CPRA will likely require changes to your privacy policy and notices. Privacy policies must clearly outline data collection practices, including the purposes for which you collect, use, sell, or share personal information. They must also provide information about how consumers can exercise their rights under CPRA.
Consumer Rights Management
CPRA also mandates that businesses grant consumers the ability to opt out of the sharing or sale of their personal data. This includes offering a clear “Do Not Share” mechanism for consumers to exercise that right. They must also provide a way for consumers to limit the use of sensitive information such as financial data, health information, or geolocation.
In addition, CPRA increases protections for children. Businesses must obtain explicit consent from minors under 16 before collecting their data, and for minors under 13, a parent or guardian must provide that consent.
Vendor Management
The CPRA holds businesses responsible for ensuring that their service providers and contractors also abide by the law. Consequently, businesses need to take time to evaluate their relationships with third parties that have access to the data they collect.
This includes updating contracts to include specific provisions. For instance, you must specify what data is shared or sold and the purpose. And the third party must agree to implement appropriate safeguards for sensitive data, including deleting or returning personal information when the contract ends.
Risk Assessment and Audits
Conducting regular risk assessments and cyber security audits will help you identify vulnerabilities and ensure appropriate data security measures. You should also periodically review data collection, processing, and storage procedures to ensure they align with CPRA requirements.
Implement Proactive Strategies for Complying with CPRA
Companies that fail to comply with CPRA face not only hefty fines but also reputational damage and consumer backlash. Address compliance proactively by taking a data inventory, updating privacy policies, revising consumer-facing disclosures, ensuring that third-party contracts contain the necessary provisions, and conducting risk assessments.
The compliance professionals at Messaging Architects can help you sort through the complexities of CPRA and gain control of your data. Whether you need compliance monitoring or a risk assessment, policy reviews or help with information governance, we have the tools and expertise you need.