California Privacy Rights Act CPRA (California)
- Overview
The California Privacy Rights Act (CPRA) is a data privacy law that was passed in California in November 2020, and went into effect on January 1, 2023. The CPRA applies to businesses that meet certain criteria, such as having annual gross revenues over $25 million, or annually buying, receiving, selling, or sharing the personal information of more than 50,000 California residents, households, or devices.
The CPRA amends the California Consumer Privacy Act (CCPA), which was passed in 2018, providing California residents with additional rights and protections with regard to their personal information.
Some of the key provisions of the CPRA include:
- Right to know about sensitive personal information: The CPRA expands the scope of the CCPA to include sensitive personal information, such as precise geolocation data, race, and sexual orientation, and gives California residents the right to know about the collection, use, and sharing of this information.
- Right to correct personal information: California residents have the right to request that a business correct any inaccurate personal information that it has collected about them.
- Right to delete personal information: California residents have the right to request that a business delete any personal information that it has collected about them.
- Right to opt out of data sharing: California residents have the right to opt out of the sharing of their personal information with third parties for the purpose of targeted advertising.
- New data protection requirements for businesses: The CPRA requires businesses to implement and maintain reasonable data security practices and to appoint a data protection officer if they process a significant amount of personal information.
- Enhanced enforcement: The CPRA authorizes the California attorney general to enforce the law and provides for private rights of action for certain data breaches.
- Approach
The California Privacy Rights Act (CPRA) is a new comprehensive consumer privacy law. It was adopted via referendum by the state of California and aims to protect individuals’ data privacy rights, including those of employees. The CPRA expands pre-existing consumer privacy legislation and outlines how businesses, including employers, must operate when it comes to collecting, storing, using, and sharing consumer data.
It defines different types of “personal information” and lays out the rights employees have regarding the collection, use, correction, and deletion of their data. It also requires service providers to make contractual commitments on the protection and use of data, and requires businesses to state in the consumer privacy notice the retention period (how long they will keep the data) for each category of personal data, or to explain how retention is determined. In addition, the CPRA expands breach liability to include unauthorized access to or disclosure of certain data elements (e.g., email addresses, passwords, or security questions).
- Benefits
The California Privacy Rights Act (CPRA) provides several benefits for California residents, including:
- Greater control over personal information: The CPRA gives California residents additional rights and controls over their personal information, including the right to know about the collection, use, and sharing of sensitive personal information, the right to correct inaccurate personal information, and the right to delete personal information.
- Enhanced data security: The CPRA requires businesses to implement and maintain reasonable data security practices, which can help to protect California residents’ personal information from breaches and unauthorized access.
- Greater transparency: The CPRA requires businesses to be more transparent about their data practices, including providing clear and conspicuous notice of their data collection and sharing practices, and providing California residents with the ability to opt out of the sharing of their personal information with third parties for targeted advertising.
- Stronger enforcement: The CPRA provides for enhanced enforcement of data privacy laws, including the ability of the California attorney general to enforce the law and private rights of action for certain data breaches.
- Better Data Governance: The CPRA requires businesses to appoint a data protection officer if they process a significant amount of personal information, which can help to ensure the protection of the personal data of California residents.
- Better Compliance: The CPRA helps businesses comply with California state law, and it can also help them comply with other state, federal, and international laws.
- Better Data Quality: The CPRA can help businesses maintain data quality by implementing data protection rules and procedures, and by appointing a data protection officer.
- Deliverables
The key deliverables for a CPRA compliance project will vary depending on the size and complexity of the organization, but generally include the following:
- Compliance assessment: An assessment of the organization’s current data privacy practices to identify areas where changes are needed to comply with the CPRA.
- Privacy policy and notice: A privacy policy and notice that complies with the CPRA’s requirements for transparency and consent, including clear and conspicuous notice of data collection, use, and sharing practices, and the right to opt out of targeted advertising.
- Data inventory: An inventory of the types of personal information that the organization collects, uses, and shares, and an assessment of the risk associated with each type of data.
- Data protection procedures: Procedures for protecting personal information from unauthorized access, use, and disclosure, including data security, data retention, and data disposal policies and procedures.
- Data governance: Procedures for maintaining the accuracy, completeness, and integrity of personal information, including data quality controls, data validation rules, and data correction and deletion requests.
- Training: Training for employees, contractors, and other relevant parties on the organization’s data privacy practices, policies, and procedures.
- Data protection officer: Appointing a data protection officer if the organization processes a significant amount of personal information, and ensuring that they have the necessary skills, knowledge and resources to carry out their duties.
- Compliance monitoring: Regular monitoring of the organization’s data privacy practices to ensure ongoing compliance with the CPRA and other applicable laws and regulations.
- Incident response: Procedures for responding to data breaches and other incidents involving personal information, including reporting to authorities and notifying affected individuals.
- Auditing: Regular auditing of the organization’s data privacy practices and reporting of the results to the appropriate parties, including the Board of Directors, management, and the regulatory authorities.
- Training
One way to ensure compliance with the CPRA is to provide training to employees on the new requirements of the law and how they should handle personal information. This might include information on how to handle requests from California residents to access or delete their personal information, how to handle data breaches, and how to provide notices to California residents about the collection and use of their personal information. It is also important for businesses to regularly review and update their privacy policies and practices to ensure they are in compliance with the CPRA.
The California Privacy Rights Act (CPRA) is a privacy law that expands on the California Consumer Privacy Act (CCPA) and further strengthens consumer privacy rights. Here are some CPRA training courses:
- CPRA Foundation Training: This training course provides an overview of the key concepts and principles of the CPRA. The course covers topics such as the expanded rights of California consumers, the obligations of businesses under the CPRA, and the penalties for non-compliance.
- CPRA Awareness Training: This training course provides an overview of the key concepts and principles of the CPRA. The course is designed for all employees who handle personal data and covers topics such as the expanded rights of California consumers, the obligations of businesses under the CPRA, and the penalties for non-compliance.
- CPRA Practitioner Training: This training course is designed for professionals who are responsible for implementing the CPRA in their organizations. The course covers topics such as data protection impact assessments, data breach notifications, and the appointment of a chief privacy officer.
- CPRA Auditor Training: This training course is designed for professionals who are responsible for auditing organizations’ compliance with the CPRA. The course covers topics such as audit planning, audit execution, and audit reporting.
- CPRA for Marketing Professionals Training: This training course is designed for marketing professionals who are responsible for data processing activities related to marketing. The course covers topics such as consent management, data profiling, and direct marketing.
- CPRA for HR Professionals Training: This training course is designed for HR professionals who are responsible for data processing activities related to human resources. The course covers topics such as employee data protection, data subject rights, and cross-border data transfers.
Overall, CPRA training courses can help organizations ensure compliance with the CPRA by providing professionals with the knowledge and skills necessary to implement CPRA requirements. The above training courses can help professionals learn how to conduct data protection impact assessments, manage consent, handle data breaches, and comply with the rights of California consumers.
It is recommended to consult with a legal expert or an attorney who specializes in data privacy in order to understand the specific requirements of the CPRA and how they apply to your business.