What California Privacy Rights Act (CPRA) Means for Businesses
By VOS Consulting Group on September 6, 2023
According to a Pew Research report, about 79% of consumers in the US have serious concerns about how companies use their personal information. As a result, most consumers are hesitant to share their information with businesses.
To help safeguard its residents, California has taken a progressive and strict approach to data privacy regulation. Implemented in January 2020, the California Consumer Privacy Act (CCPA) is at the forefront of such initiatives. However, in 2023 and beyond, businesses targeting consumers in California will also have to abide by stricter regulations under the California Privacy Rights Act (CPRA), which extends the CCPA.
In this article, we take a look at the key aspects of the CPRA, its implications on businesses, and how companies can ensure compliance with the ever-changing regulations by seeking professional help.
What is CPRA?
The California Privacy Rights Act becomes effective on January 1, 2023, amending the CCPA. Similar to the CCPA, the CPRA gives Californian residents more control over their personal information by giving them the right to know what data is being gathered about them.
The CPRA requires companies and employers to give a privacy notice to employees and job candidates at the time they collect their personal data. It also extends the CCPA’s consumer privacy rights to employees. This means that companies must implement processes and methods to respond to information requests from employees, such as the right to access or correct personal data.
Key Components of the CPRA
The CPRA applies only to companies with over 100,000 consumers that have earned $25 million in gross revenue in the previous calendar year and that generate at least 50% of yearly revenue from selling or sharing consumer personal information. It puts forward well-defined regulations for businesses that apply to both employees and consumers. Some of the key points are:
Under the CPRA, California-based employees, job candidates, independent contractors, beneficiaries, and emergency contacts possess the same rights as any other consumers.
Employees and consumers may also direct the company not to sell or share their personal data for cross-context behavioral advertising or any other purpose.
Employees and consumers may request that a company reveal to them all the data collected on them and/or request that the company delete or correct the data.
Companies must provide employees with a notice of their rights. If an employee requests such a notice, the company has limited time to respond and must correctly document all responses.
Companies must inform consumers of their data retention policies. They aren’t allowed to keep data longer than is reasonably necessary.
Business-to-business (B2B) transactions are also now subject to the CPRA.
How Businesses Can Prepare for CPRA Compliance
Fines for violating the CPRA can be as high as $2,500 per violation, and under the CPRA regulators can now penalize companies up to $7,500 for every violation. To help your company avoid any risk of non-compliance, we have outlined a few simple steps:
1. Evaluate & Assess
The first step is to evaluate the thresholds to see if the CPRA applies to your business. If applicable, you need to perform a gap assessment to find areas where your privacy practices do not meet CPRA standards.
2. Focus on the Data
Next, identify all the personal data your company collects about its consumers and employees and determine if you truly still need all of it. It’s best to create a data map that will help you keep track of all the personal information you collect, where it comes from, and where it goes.
3. Update Your Privacy Policy
Based on your findings, develop a privacy notice that clearly discloses your reasons for collecting and using personal data, and how long you retain it.
4. Review Contracts & Agreements
Assess contracts with service providers that obtain and/or process the personal data of employees and consumers. Also, update any agreements with third parties and ensure they are prepared to securely process your sensitive information and can do so within the limits of your privacy policy.
5. Restructure & Update Internal Processes
Create internal procedures to accept, analyze, and honor employee and consumer data requests promptly, including access, change, deletion, and opt-out requests.
6. Update Your Website
If your business sells or shares consumer personal data, you must put a ‘Do Not Sell or Share My Personal Information’ link on your website. Likewise, if your business uses or discloses sensitive personal data, you must put a ‘Limit the Use of My Sensitive Personal Information’ link on your website.
7. Educate Your Employees
Your workforce is the key to CPRA compliance. Train your employees so that they are up-to-date on the CPRA law and your organization’s privacy practices. Make sure they know what they can and cannot do with personal information and understand CPRA’s opt-out provisions.
Achieve CPRA Compliance with VOS CONSULTING GROUP
The CPRA is the most comprehensive privacy law in the US, and other states will likely follow California’s lead and pass similar regulations of their own. This means that CPRA compliance is not just a good idea; it is crucial for companies that want to stay ahead of the curve. So if your company collects the personal information of Californian residents, you must prepare for the CPRA now to ensure seamless compliance.
At VOS CONSULTING GROUP, our highly experienced team can help you navigate the ever-changing regulatory landscape. Headquartered in California, our full-service Compliance, Privacy, and Risk consultancy boutique successfully services clients worldwide in a number of industries, including media, entertainment, technology, sports, and more. Our international team of consultants can help you fortify your compliance and privacy programs.
We provide cost-effective solutions to mitigate any risks, ensuring your business meets compliance, privacy, and data protection expectations. We empower you to develop and maintain CPRA compliance by conducting the following:
Regulatory and Compliance Risk Assessments
Mergers and Acquisitions Due Diligence
Risk Remediation and Mitigation Management
Policy Review and Drafting
Get in touch to learn more about how we can help your business comply with CPRA and other regulations.