Get Ready for the California Privacy Rights Act (CPRA)
California consumers get another layer of privacy protection when the California Privacy Rights Act (CPRA) goes into effect next year. Get ready by beefing up your existing CCPA compliance checklist.
It’s been two years since the California Consumer Privacy Act (CCPA) became the first privacy law in the United States that protects consumers’ personal information at the state level. Now the state has passed the California Privacy Rights Act (CPRA), which expands the protections the CCPA offers. What does that mean for your small business? Here are some answers to common questions that will help you prepare for the CPRA going into effect on January 1, 2023.
Do I have to comply with the CPRA?
Like the CCPA, the CPRA applies to companies that meet the following criteria.
- You have an annual gross revenue of over $25 million
- You receive, buy, sell, or share the personal information of at least 50,000 consumers in California
- You derive at least half of your revenue from selling the information of state residents
Even if the law doesn’t apply to your company, demonstrating that you care about the privacy of your customers’ sensitive personal information (SPI) is never a bad idea!
What consumer data does the CPRA protect?
All of these types of sensitive personal information (SPI) are protected under the CPRA:
- a consumer’s social security number, driver’s license, state identification card, or passport number
- a consumer’s account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- a consumer’s precise geolocation
- a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
- the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication
- a consumer’s genetic data
How does the CPRA expand consumers’ privacy rights?
In addition to reinforcing their existing rights under the CCPA, the CPRA expands consumers’ control over their SPI with two additional rights: the right to correct inaccurate personal information and the right to limit use and disclosure of their SPI.
How does the CPRA affect what I can do with consumer data?
The law requires you to disclose why you’re collecting SPI. It says you cannot retain it for longer than “reasonably necessary” for that disclosed purpose. It also prohibits you from retaining it for purposes other than those for which you initially collected it.
What do I need to do to make sure I comply with the CPRA?
If you’re already complying with the CCPA, you’re off to a good start, since the CPRA expands on what the CCPA requires. But there are still a few steps you should take before the state begins enforcing the new law on July 1, 2023 (full text from the National Law Review):