On November 3, 2020, Californians went to the polls and voted in favor of making sweeping changes to their existing state privacy law. Proposition 24, known as the California Privacy Rights Act of 2020 (“CPRA”), modifies and expands on the California Consumer Privacy Act of 2018 (“CCPA”). The CPRA creates new and expanded rights for California residents and new compliance obligations for businesses. It creates a new agency, the California Privacy Protection Agency, that is tasked with implementing regulations and conducting investigations and enforcement actions. This article explains the key aspects of the CPRA and provides recommendations for how to go about complying with the law.
Does the CPRA Apply to Your Company?
First, you will need to determine whether the CPRA applies to your company. The CPRA applies to any for-profit entity that does business in California, collects and uses the personal information of Californians, and either (a) had annual gross revenues of at least $25 million in the preceding calendar year, (b) buys, sells, or shares the personal information of at least 100,000 California residents or households, or (c) derives at least 50% of its revenue from selling or sharing personal information.
The CPRA also can apply if your company is a contractor or service provider for a business that is covered by the CPRA and it collects or uses personal information as part of providing those services to the business, or if your company buys personal information from a business or receives that information for cross-context behavioral advertising purposes.
New and Expanded Obligations on Businesses
New and Expanded Rights for California Residents
How to Comply with the CPRA
If the CPRA applies to your business, you should consider taking the following steps to comply.

1. Create a “data inventory” that catalogs the sources of personal information collected or used by the business, the categories of personal information, the purposes of the collection, any entities to which your business discloses the personal information, the retention period (or the criteria used to determine the retention period) for the information, and the security measures applied to protect the personal information.

2. From the inventory, create and/or update your privacy notices and privacy policies so that they accurately describe the company’s practices with respect to the personal information.

3. Consider how your company will deliver those notices to individuals, depending on how they are interacting with your company – via a website, app, by email, in person, or on the phone.

4. Review your existing contracts with third parties, contractors, and service providers to which your company discloses personal information to determine whether they need to include certain provisions required by the CPRA.

5. Create or update any internal policies or handbook that describe how the company’s employees should handle and respond to individuals when they seek to exercise their privacy rights.

6. Finally, consider updating your training and auditing programs to ensure that your company’s employees know how to comply and that the company redresses any compliance gaps going forward.
The CPRA becomes effective on January 1, 2023, and enforcement will begin on July 1, 2023. Although that may seem like a long time away, it should be evident that compliance with the CPRA is no easy task. The clock is already ticking on completing the compliance process.