Top 10 Action Items for 2022: The California Privacy Rights Act (CPRA)

Orrick, Herrington & Sutcliffe LLP

The California Privacy Rights Act (CPRA) became law on December 16, 2020, and amended the California Consumer Privacy Act (CCPA). When the CPRA becomes fully operative on January 1, 2023, these important changes, among others, come into play:

  • California residents will have new rights with respect to their personal information (“PI”).
  • Previously exempted business-to-business (“B2B”) and employee-related PI will likely be subject to the law’s requirements, and (3) heightened technical standards for honoring requests to opt out of online behavioral advertising will be further developed.

With less than a year to go, it is critical for organizations to carefully evaluate whether and to what extent the CPRA may impact their business processes and practices. Even organizations that have implemented a CCPA compliance program will need to consider how to enhance their compliance program to meet CPRA requirements and address the ever-changing privacy regulatory landscape.

Building on last year's CPRA checklist, we've developed an updated list of the 10 essential steps that companies can consider taking now to prepare for the CPRA:

  1. Conduct a gap assessment to determine whether the CPRA applies to your organization or any CPRA compliance gaps in the current CCPA program.
  2. Update the CPRA compliance roadmap with definitive target dates and begin implementation. Consider leveraging any existing efforts by your organization to come into compliance with upcoming changes to consumer privacy laws in other states, including Virginia and Colorado.
  3. Update senior management on the potential impact on your organization, and work with your designated CPRA compliance team to ensure regular meetings are scheduled to address CPRA compliance.
  4. Determine if software development work is required and ensure software development teams update this year's development roadmap.
  5. Because the CPRA includes a one-year look-back period starting January 1, 2022, update your organization’s data maps as soon as possible to include new CPRA-specific details, including sensitive personal information designations, data retention periods, and information regarding B2B and employee data.
  6. Begin updating customer and vendor contracts to incorporate CPRA-specific language.
  7. Identify privacy notices that will need to be updated, and update notices before January 1, 2023.
  8. Update your consumer rights response protocol to account for the new categories of PI, including sensitive PI, and the additional rights granted to consumers (e.g., opt out of selling or sharing PI for targeted advertising) under the CPRA.
  9. Review your organization’s current security posture and identify potential security enhancements to be implemented this year.
  10. Make any applicable changes to your websites, apps, and related online properties to address new compliance requirements (e.g., update opt-out button to also include opt out of “sharing” personal information).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick, Herrington & Sutcliffe LLP | Attorney Advertising

Written by:

Orrick, Herrington & Sutcliffe LLP
Contact
more
less

Orrick, Herrington & Sutcliffe LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.