Get Ready for the California Privacy Rights Act (CPRA)
California consumers get another layer of privacy protection when the California Privacy Rights Act (CPRA) goes into effect next year. Get ready by beefing up your existing CCPA compliance checklist.
It’s been two years since the California Consumer Privacy Act (CCPA) became the first privacy law in the United States that protects consumers’ personal information at the state level. Now the state has passed the California Privacy Rights Act (CPRA), which expands the protections the CCPA offers. What does that mean for your small business? Here are some answers to common questions that will help you prepare for the CPRA going into effect on January 1, 2023.
Do I have to comply with the CPRA?
Like the CCPA, the CPRA applies to companies that meet the following criteria:
- You have an annual gross revenue of over $25 million
- You receive, buy, sell, or share the personal information of at least 50,000 consumers in California
- You derive at least half of your revenue from selling the information of state residents
Even if the law doesn’t apply to your company, demonstrating that you care about the privacy of your customers’ sensitive personal information (SPI) is never a bad idea!
What consumer data does the CPRA protect?
All of these types of sensitive personal information (SPI) are protected under the CPRA:
- a consumer’s social security number, driver’s license, state identification card, or passport number
- a consumer’s account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- a consumer’s precise geolocation
- a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
- the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication
- a consumer’s genetic data
How does the CPRA expand consumers’ privacy rights?
In addition to reinforcing their existing rights under the CCPA, the CPRA expands consumers’ control over their SPI with two additional rights: the right to correct inaccurate personal information and the right to limit use and disclosure of their SPI.
How does the CPRA affect what I can do with consumer data?
The law requires you to disclose why you’re collecting SPI. It says you cannot retain it for longer than “reasonably necessary” for that disclosed purpose. It also prohibits you from retaining it for purposes other than those for which you initially collected it.
What do I need to do to make sure I comply with the CPRA?
If you’re already complying with the CCPA, you’re off to a good start, since the CPRA expands on what the CCPA requires. But there are still a few steps you should take before the state begins enforcing the new law on July 1, 2023 (full text from the National Law Review):
Refresh your website
Update your initial data collection notice and your website privacy notice to reflect the new definition of SPI and consumers’ expanded rights under the CPRA.
Update your privacy request processes
Expand your existing processes for letting consumers exercise their privacy rights, including the “do not sell my information” page on your website, to ensure you can capture consumer requests to correct, limit, or delete SPI.
Ensure you can fulfill requests
Create a process for responding to these consumer requests, including the ability to locate and act on the relevant SPI and generate proof that you received and fulfilled the request.
Check third-party agreements
Determine whether your agreements with third parties need to be updated to bring them into compliance with the CPRA.
Need help staying in compliance?
Corodata is your record storage specialist delivering fair, affordable, and trustworthy performance for over 70 years. Properly storing records adds intrinsic value to your organization and helps ensure that you’re compliant with all the records management laws, not just the CCPA.