The California Privacy Rights Act (CPRA) was passed as an initiative on the November 2020 ballot. The CPRA is an amendment to and expansion of the existing California Consumer Privacy Act (CCPA).
The CPRA aims to give Californians a greater ability to control how their personal data is collected, used, and shared by any business that operates within the state.
This year's new California law will clarify how the existing provision of the Californian Consumer Privacy Act must be implemented, and it creates a few other laws that affect businesses with consumers in California.
One aspect of the law is that Californians now have a few more rights while businesses are given some new obligations to comply with.
The California Privacy Protection Agency will also be created, whose main role will be to ensure all companies follow these rules about how Californians' personal information can or cannot be used.
What’s New with CPRA?
Californian Consumers Now Have the...
Right to Correct
Consumers can request that a business correct the information it has about them. Businesses should work to voluntarily disclose the right to request correction and should use their best efforts when trying to correct inaccuracies upon the consumer's request.
Right to Know
The Consumer Privacy Act removes the Customer Privacy Protection Act’s 12-month look-back period. Consumers are allowed to request information that extends beyond the 12 months preceding the CPRA request. Additionally, consumers can ask for personal information collected from January 1, 2022, onwards.
This is the driving force behind implementing parts of the California Privacy Rights Act one year early. Businesses should evaluate whether their systems can honor these requests or if changes must be made to their data retention policies and processes.
Right to Delete
This initiative ensures that your personal information is not kept around by companies and corporations just because they can. Instead, the law provides further control over one's privacy over a consumer's information.
It’s now a requirement that businesses that are covered by the CCPA if a consumer requests personal information relating to them be deleted, the business must receive proper notice.
Upon receiving such notice, contractors, service providers, and any third parties who have been told to store this personal information must be notified immediately.
Right to Opt-Out of Sharing Personal Information
California law used to be that internet users had the right to opt-out of having their personal information being sold. Under the California Consumer Privacy Act, consumers are now given more rights.
So, if businesses share customers' personal information like many companies do, they should be aware of how this will affect their operations and should adapt their contracts moving forward.
Right to Restrict Sensitive Information Processing
The CPRA highlighted a new category of personal information, sensitive personal information, including social security numbers, passport numbers, racial or ethnic origin, and financial account and payment card information.
California consumers are granted the right to opt-out of a business’ use and disclosure of their sensitive personal information.
Businesses that include sensitive personal data in their database must comply and give consumers the right to opt-out from a business’ use and disclosure of their sensitive information.
What Does Your Business Need to Do?
The CPRA requires businesses to make efforts to reflect the new privacy policies that have been brought about by the introduction of recent technological advancements.
Not only must businesses provide notices about their privacy policies to Californians, but now they need to define & disclose the retention period for a particular data they have been collecting.
Privacy and security concerns are at the forefront of many consumers' minds. CPRA dictates that any business that collects consumer information must have a privacy policy in place. This policy should state the exact ways in which it will use its collected data, and how customers can make changes to personally identifiable information when they want to opt out.
The "right to be forgotten" is now firmly embedded into law as well... Allowing users - even minors - to request the deletion of online accounts and content in some circumstances.
While some steps can wait, like an updated privacy policy, businesses would be wise to start becoming compliant with the new privacy law.
Even if they don't need a privacy policy right away, they should allocate longer working hours towards assessing their current state of compliance.
As businesses continue to grow and look at their budget in the future years ahead, they should begin planning how to become compliant with the new privacy laws and what additional features are needed to do so.
As of now, the deadline for businesses to be ready for the new California privacy regulations is July 1, 2022.
Larger corporations will have more time to comply with the law than their smaller SMBs. While there have been no changes yet, we expect the rules regarding consent and express opt-in to change prior to when each business line will need to comply with the legislation.
The key is ensuring your business is ready with a strategy for compliant data management, in ordinance with all relevant regulations, by the moment your business is mandated to register.
Key Takeaway
We hope this article has provided you with some helpful insights into the changes proposed by the CPRA and how their impact on your business. We encourage you to stay up to date on these changes as they continue to be debated and made into a bill.
If you would like to learn more about how the CPRA will impact your business, we are always happy to answer any questions you might have. If you enjoyed reading this article, check out more of our content by visiting our Resources Page.