The California Privacy Rights Act (CPRA) was passed as an initiative on the November 2020 ballot. The CPRA is an amendment to and expansion of the existing California Consumer Privacy Act (CCPA).
The CPRA aims to give Californians a greater ability to control how their personal data is collected, used, and shared by any business that operates within the state.
The new law clarifies how the existing provisions of the California Consumer Privacy Act must be implemented, and it creates a few further rules that affect businesses with consumers in California.
One aspect of the law is that Californians now have a few more rights, while businesses are given some new obligations to comply with.
The law also creates the California Privacy Protection Agency, whose main role will be to ensure that all companies follow these rules about how Californians' personal information may and may not be used.
Consumers can request that a business correct the information it has about them. Businesses should work to voluntarily disclose the right to request correction and should use their best efforts when trying to correct inaccuracies upon the consumer's request.
The CPRA removes the CCPA's 12-month look-back period. Consumers are allowed to request information that extends beyond the 12 months preceding the CPRA request. Additionally, consumers can ask for personal information collected from January 1, 2022, onwards.
This is the driving force behind implementing parts of the California Privacy Rights Act one year early. Businesses should evaluate whether their systems can honor these requests or if changes must be made to their data retention policies and processes.
This initiative ensures that your personal information is not kept around by companies and corporations just because they can. Instead, the law gives consumers further control over their own information.
Businesses covered by the CCPA must now act on proper notice from a consumer requesting that personal information relating to them be deleted.
Upon receiving such notice, the business must immediately notify any contractors, service providers, and third parties that have been told to store this personal information.
The “right to be forgotten” is also firmly embedded in law. Upon receiving such a request, a business must delete the information it holds about an individual and also prevent third parties from using the data. California residents can also exercise this right to prevent companies from using their publicly available information without consent.
Companies cannot collect and hoard unreasonable data from their customers. They can only collect necessary information and use it responsibly for the intended purpose.
Customers should be able to transfer their data from one website, app, or portal to another. Upon receiving a request, it is a company’s responsibility to transfer the customer's data while providing the information in a format that is easy to access and read.
California law used to be that internet users had the right to opt out of having their personal information sold. Under the California Consumer Privacy Act, consumers are now given more rights.
So, if businesses share customers' personal information, as many companies do, they should be aware of how this will affect operations. Businesses should adapt their contracts moving forward and ensure that they take adequate measures to make websites and apps safe for end users.
Apart from the “Do not sell my personal information” link mandated by CCPA, businesses must also incorporate a “Limit the use of my sensitive personal information” link on websites and apps.
The CPRA highlighted a new category of personal information, sensitive personal information, including social security numbers, passport numbers, racial or ethnic origin, and financial account and payment card information.
California consumers are granted the right to opt out of a business’s use and disclosure of their sensitive personal information.
Businesses that hold sensitive personal data in their databases must comply and give consumers the ability to opt out of the business’s use and disclosure of that sensitive information.
Under the CPRA, any violations against the data privacy rights of a minor California resident will result in tripled fines. The law establishes that companies that collect, store, process, and share children’s personal information are liable to pay a fine of $7,500 per violation.
Before the CPRA, businesses could avoid liability by pointing to a mistake. That’s not the case under the CPRA, which is stringent about children's data privacy and does not allow such excuses.
Until now, Californians had the protection of the CCPA, but there was no dedicated agency with which complaints about data privacy violations could be lodged.
Enforcement of the CPRA involves establishing the California Privacy Protection Agency, governed by a 5-member board.
The Agency will safeguard the data privacy of Californians by creating widespread awareness about consumer data privacy rights and obligations placed on businesses through the CPRA amendment.
The Privacy Protection Agency will enforce the CPRA, investigate possible privacy violations, and take firm action against violators.
The CPRA requires businesses to update their privacy policies to reflect the new requirements, including those brought about by recent technological advancements.
Not only must businesses provide notices about their privacy policies to Californians, but they now also need to define and disclose the retention period for each category of data they collect.
Privacy and security concerns are at the forefront of many consumers' minds. CPRA dictates that any business that collects consumer information must have a privacy policy in place. This policy should state the exact ways in which it will use its collected data, and how customers can make changes to personally identifiable information when they want to opt out.
The "right to be forgotten" is now firmly embedded in law as well, allowing users, even minors, to request the deletion of online accounts and content in some circumstances.
While some steps can wait, like an updated privacy policy, businesses would be wise to start working towards compliance with the new privacy law now.
Even if they don't need a privacy policy right away, they should allocate time to assessing their current state of compliance.
As businesses continue to grow and plan their budgets for the years ahead, they should begin planning how to become compliant with the new privacy laws and what additional features are needed to do so.
While the CPRA exempts non-profit organizations and government agencies, compliance is essential for businesses relying on customer data to make profitable decisions. Businesses that meet one of the following requirements must comply with the CPRA:
Have an annual revenue of $25 million or more.
Buy, collect, sell, or share the personal data of 100,000 (or more) California residents or households.
Make 50% (or more) of their annual revenue from selling or sharing the personal information of California residents or households.
The law also governs the data processing activities of third parties and contractors that companies hire to process consumer data on their behalf. So, suppose a company appoints a third-party agency that uses customer data to create targeted ad campaigns. In that case, it remains the company's responsibility to ensure data safety. Businesses will be responsible for any data breaches and privacy violations, regardless of who causes them.
As of now, the deadline for businesses to be ready for the new California privacy regulations is July 1, 2022.
Larger corporations will have more time and resources to comply with the law than smaller SMBs, which may find it harder to accommodate the changes quickly.
Thus, business owners and marketers should focus on implementing fast, accurate, and effective ways to comply with the CPRA.
While the new law has not yet come into full effect, we expect the consent and express opt-in rules to change soon. When that happens, businesses that fall under the law must comply with the legislation regardless of their size.
The key is ensuring your business is ready with a strategy for compliant data management, in accordance with all relevant regulations, by the moment your business is mandated to register.
The following steps make for a solid compliance checklist for every business:
Risk Assessment
It’s better to be safe than sorry, right? Identifying the risk involved with collecting various categories of personal data before implementing collection techniques is vital for ensuring privacy compliance.
Business owners and marketers must keep track of the information they hold about customers while ensuring lawful collection and storage of the data.
The process of risk assessment also includes identifying and categorizing all kinds of cookies, pixels, scripts, and trackers used by a business for collecting customer data.
Privacy Policy
Businesses must display a privacy policy on their websites and apps. The policy should not be written in confusing or deceptive language, and it should indicate how customers can opt out of the company’s data collection processes and related services.
It is acceptable for businesses to place a policy banner in the footer of a website. However, it should be easily visible.
Lawful Consent Collection
As discussed earlier, the CPRA prohibits businesses from collecting, processing, storing, selling, or sharing customer data without prior consent. Thus, seeking genuine user consent for data collection, selling, and sharing is indispensable for business websites and apps.
Earnest Fulfilment of Customer Requests
Businesses cannot get away without fulfilling the privacy requests of their customers. If a customer asks for the personal data collected on them to be deleted and the company does not fulfil the request, it is liable to a privacy violation lawsuit.
Finding a Cost-effective Solution
A cost-effective solution for managing consumer consent and compliance assistance is the way to go for small and medium-scale businesses. The costs of building an in-house privacy management system can be steep. However, small businesses can rely on a comprehensive software solution that manages everything within a reasonable budget.
We hope this article has provided you with some helpful insights into the changes proposed by the CPRA and how they will affect your business. We encourage you to stay up to date on these changes as they continue to be debated and made into a bill.
If you would like to learn more about how the CPRA will impact your business, we are always happy to answer any questions you might have. If you enjoyed reading this article, check out more of our content by visiting our Resources Page.
Any information obtained from the Adzapier website, services, platform, tools, or comments, whether oral or written, does not constitute legal or regulatory advice. If legal assistance is required, users should seek legal advice from an attorney, a lawyer, or a law firm.