The California Privacy Rights Act (CPRA) is a privacy law that was approved by California voters on November 3, 2020. The CPRA essentially acts as an update to the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020.
The CPRA is aimed at protecting the privacy rights of California residents and enhancing their control over their personal information.
If you are a business that collects and uses personal information of California residents, it is important to understand the CPRA and ensure that your business is compliant with the law.
In this blog post, we will discuss what the CPRA is, what businesses are covered by the law, what the key requirements of the CPRA are, and how businesses can comply with the law.
What is the California Privacy Rights Act (CPRA)?
The CPRA enhances the privacy rights of California residents over what was previously afforded by the CCPA and provides them with greater control over their personal information. The law creates new rights and obligations for businesses collecting, sharing, or using California residents’ personal information.
What businesses are covered by the CPRA?
The CPRA applies to for-profit businesses that collect and use personal information of California residents and meet one or more of the following thresholds:
- Have an annual gross revenue of over $25 million;
- Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or
- Derive 50 percent or more of their annual revenue from selling or sharing California consumers’ personal information.
What are the key requirements of the CPRA?
The CPRA creates new rights and obligations for businesses that collect and use personal information of California residents. The key consumer rights within the CPRA are the:
- Right to opt-out of the sale of personal information: Businesses must provide a clear and conspicuous opt-out link on their website or mobile app regarding the sale of consumers’ personal information.
- Right to limit use of sensitive personal information: Consumers have a right to control or limit the use of their sensitive personal information, such as health information, financial information, and information about race or ethnicity.
- Right to correct inaccurate personal information: Businesses must give consumers the ability to correct inaccurate personal information.
- Right to data portability: Businesses must provide consumers with their personal information in a portable and easily accessible format.
- Right to know: Consumers have the right to know what personal information is being collected about them and how it is being used.
- Right to deletion: Consumers have the right to request that their personal information be deleted from a business’s records.
- Accountability for service providers: Businesses must ensure that their service providers are also compliant with the CPRA.
How can businesses comply with the CPRA?
Complying with the CPRA can be a complex and time-consuming process, but it is necessary for businesses collecting, sharing, storing, or using personal information from California residents. Here are some steps that businesses can take to ensure they are compliant with the CPRA:
- Conduct a data inventory: Businesses should conduct a thorough inventory of the personal information they collect, store, and use. This includes identifying the data’s sources, types, and purposes.
- Implement data security measures: Businesses should ensure that their consumer data is as secure as reasonably possible.
- Data Minimization: Businesses should collect only the personal information that is necessary for the purpose for which it is collected.
- De-Identification and Aggregation: In order to mitigate privacy risks, businesses must ensure they have procedures in place that de-identify or aggregate consumer information so it can no longer be attributed to an individual.
- Data Protection Assessments: Businesses must conduct assessments that “stress test” their data protection practices and procedures.
- Opt-Out of Automated Decision-Making: Businesses must provide off-ramps where a human can intervene in certain situations.
Implementing Data Security Measures for CPRA
To comply with the CPRA’s data security requirements, businesses should implement appropriate measures to safeguard personal information. These measures may include:
- Conducting a risk assessment: Businesses should identify and assess the risks associated with the processing of personal information. This helps businesses identify potential vulnerabilities and areas for improvement.
- Encrypting data: Encryption effectively protects personal information by scrambling data and rendering it useless to unauthorized parties. Businesses should consider encrypting all personal information both at rest and in transit.
- Implementing access controls: Access controls help ensure that only authorized individuals have access to personal information. Controls include multi-factor authentication, access logs, and role-based access controls.
- Conducting regular security audits: Businesses should regularly audit their data security measures to ensure that they remain effective and up to date. Regular audits let businesses mitigate risks proactively rather than after an incident.
- Implementing incident response plans: Even with the best security measures in place, security incidents can still occur. Businesses should develop incident response plans outlining the steps to be taken in the event of a security breach. These plans should include procedures for identifying and containing the breach, notifying affected individuals, and minimizing the impact of the breach.
By implementing these and other data security measures, businesses can help ensure compliance with the CPRA’s data security requirements and protect personal information from unauthorized access, disclosure, or destruction.
The CPRA introduces a new data minimization principle, which requires businesses to limit the collection and retention of personal information to what is necessary to achieve the purpose for which the information was collected.
To comply with this requirement, businesses should review and revise their data collection practices, only collect data that is necessary to achieve the intended purpose, and limit the retention of personal information to a reasonable period of time.
De-Identification and Aggregation
The CPRA requires businesses to establish reasonable processes and technical measures to de-identify personal information or to aggregate it so that it cannot be attributed to an individual. The de-identification of data can help mitigate privacy risks and reduce the impact of data breaches.
To comply with this requirement, businesses should implement technical measures such as data encryption, tokenization, or hashing.
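As an added illustration of the de-identification and aggregation measures described above (example code written for this post, not taken from the original article or any particular product), the block below replaces a direct identifier with a keyed HMAC-SHA256 token and then aggregates records while suppressing groups too small to hide an individual. The sample records, the key, the field names and the minimum group size are all constructed assumptions; a keyed HMAC is used rather than a plain hash because e-mail addresses are easy to enumerate, so an unkeyed hash can be reversed by anyone who rebuilds the table.

```python
import hmac
import hashlib

# Constructed sample records (not real data). "plan" and "claims" stand in for
# the kind of sensitive information the post mentions (health/financial).
RECORDS = [
    {"email": "ana@example.com", "zip": "94016", "plan": "gold", "claims": 2},
    {"email": "bo@example.com",  "zip": "94016", "plan": "gold", "claims": 0},
    {"email": "cy@example.com",  "zip": "94016", "plan": "gold", "claims": 1},
    {"email": "di@example.com",  "zip": "90210", "plan": "gold", "claims": 5},
    {"email": "Ana@Example.com", "zip": "94016", "plan": "gold", "claims": 1},
]

# Hypothetical pseudonymisation key. In production it is stored separately
# from the de-identified dataset (e.g. in a KMS), so holding the dataset alone
# is not enough to re-link tokens to people.
PSEUDONYM_KEY = b"replace-me-with-a-32-byte-random-key"

def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed token for a direct identifier.

    Same person -> same token, so records can still be joined, but without the
    key a token cannot be brute-forced from the small space of e-mail addresses.
    """
    mac = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:32]

def deidentify(records):
    """Replace the direct identifier with its token and drop the original."""
    out = []
    for r in records:
        row = dict(r)
        row["subject"] = pseudonymize(row.pop("email"))
        out.append(row)
    return out

def aggregate(records, min_group=3):
    """Sum claims per (zip, plan), suppressing cells with fewer than min_group
    distinct subjects so no cell can be attributed to a single person."""
    groups = {}
    for r in records:
        g = groups.setdefault((r["zip"], r["plan"]), {"subjects": set(), "claims": 0})
        g["subjects"].add(r["subject"])
        g["claims"] += r["claims"]
    return {k: {"subjects": len(v["subjects"]), "claims": v["claims"]}
            for k, v in groups.items() if len(v["subjects"]) >= min_group}
```

With the sample data, the (90210, gold) cell holds a single subject and is suppressed, while the (94016, gold) cell survives with three subjects and a combined claim count.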
Data Protection Assessments
The CPRA requires businesses to conduct regular data protection assessments to evaluate and minimize privacy risks.
Businesses should carry out a privacy risk assessment when engaging in new processing activities or introducing new systems. The assessment should identify potential risks and provide guidance on how to mitigate them.
Opt-Out of Automated Decision-Making
The CPRA introduces a new right for California residents to opt-out of automated decision-making.
Businesses that use automated decision-making systems producing legal or significant effects on individuals must provide an opt-out mechanism to allow individuals to contest the decision or to obtain human intervention.
To comply with this requirement, businesses should evaluate their automated decision-making systems and provide an opt-out mechanism where necessary.
The CPRA provides several new and expanded consumer rights, including:
- The right to correct inaccurate personal information;
- The right to access and delete personal information;
- The right to know how personal information is collected, used, and shared;
- The right to opt-out of the sale or sharing of personal information; and
- The right to equal service and price, regardless of whether they exercise their privacy rights.
To comply with these requirements, businesses should implement processes to receive and respond to consumer requests, and provide a mechanism for individuals to exercise their rights.
The CPRA represents a significant development in privacy law, and businesses that collect or process the personal information of California residents should take steps to comply with the new requirements.
Businesses already in compliance with the CCPA should review their data protection practices and update them where necessary. Failing to comply with the new law can result in significant fines and legal penalties, and can damage the reputation of the business.
Compliance with the CPRA can be challenging, but businesses that take a proactive approach to privacy and data protection can mitigate risks and demonstrate their commitment to protecting the privacy of their customers.
By implementing robust data protection practices, businesses can create a competitive advantage, increase customer trust, and comply with the evolving privacy landscape. Need help? Jump over to my contact page to set up a free consultation!