The California Privacy Rights Act (CPRA) is a new privacy law that was passed by California voters in November 2020. It is an amendment to the California Consumer Privacy Act (CCPA) and is set to go into effect on January 1, 2023. The CPRA expands and strengthens the privacy rights of California residents and imposes new obligations on businesses that collect and use personal information.
The CPRA also creates a new agency, the California Privacy Protection Agency (CPPA), which will be responsible for enforcing privacy laws and regulations in California. The CPPA will have the authority to investigate violations of the CPRA, issue fines, and bring legal action against businesses that fail to comply with the law.
Overall, the CPRA provides California residents with enhanced privacy rights and protections, while imposing new obligations and requirements on businesses that collect and use personal information. Businesses operating in California should start preparing for compliance with the new law to avoid penalties and fines.
Understand the new requirements: Businesses should become familiar with the new requirements and obligations under the CPRA. This includes new data retention requirements, limitations on the use of sensitive personal information, new rules regarding data sharing and third-party disclosure practices, and the establishment of data inventory and mapping procedures.
Conduct a privacy assessment: Businesses should conduct a comprehensive privacy assessment to identify the personal information that they collect, use, and share. This includes an inventory of personal information and an analysis of the business’s privacy practices, policies, and procedures.
Implement data protection measures: Businesses should implement reasonable security measures to protect personal information. This includes measures such as access controls, data encryption, and incident response plans.
Review and update privacy policies: Businesses should review and update their privacy policies to ensure compliance with the CPRA. This includes updating policies related to sensitive personal information, data retention, and data sharing practices.
Establish procedures for responding to consumer requests: Businesses should establish procedures for responding to consumer requests related to their personal information. This includes procedures for deleting personal information, providing access to personal information, and opting out of the sale or sharing of personal information.
Train employees: Businesses should train employees on the new requirements and obligations under the CPRA. This includes training on data protection measures, data inventory and mapping procedures, and procedures for responding to consumer requests.
Work with service providers and vendors: Businesses should work with their service providers and vendors to ensure compliance with the new requirements under the CPRA.