There are a number of different rules and regulations that businesses need to abide by, and the CPRA is one of these. CPRA stands for the California Privacy Rights Act, and you cannot afford to cut corners when implementing this at your business.
In this guide, we are going to reveal more about CPRA, how it applies to your business, and how to implement it effectively.
What is CPRA?
The California Privacy Rights Act was approved by California voters in November of 2020. It is a representation of the CCPA – California Consumer Privacy Act – that was approved by voters in 2018.
The CPRA is a modification, expansion, and clearer version of the CCPA. It has taken inspiration from the GDPR policy that is in place in the EU.
For instance, a new enforcement agency has been created. Prior to this, the California Office of the Attorney General enforced CCPA. However, data protection authorities enforce GDPR in the EU. Now, California has a data protection authority; the California Privacy Protection Agency (CPPA).
What does the California Privacy Protection Agency (CPPA) do?
The agency has rulemaking, investigative, and enforcement powers. More significantly for companies, the agency is not required to allow a 30-day cure period.
They can also implement penalties, which are now 3x more than what they used to be, i.e. they can be up to $7,500 for each violation.
Who does CPRA impact?
The CPRA will impact big companies and organizations the most. Any business that engages in the storage, analysis, and collection of data of any individual that is based within California is subject to CPRA so long as the following criteria are applicable:
- You run a for-profit company that does business in California
- You have more than $25 million in yearly revenue
- You have a business that shares, sells, or purchases personal information (PI) of more than 100,000 households or consumers
- You derive at least half of your yearly revenue from sharing or selling consumer PI
It is vital to recognize that your business does not need to be legally or physically based in California in order to be subject to these regulations. If you have users within California or you conduct any sort of business within the state, you could still be subject to CPRA, so this is not something to be ignored.
Businesses that are impacted will need to enhance their consent and opt-in processes on their digital channels, from emails to websites. You also need to implement more robust internal practices for responding to consumer data privacy-related requests.
What are the new regulations implemented by the CPRA?
A lot of the new regulations are modifications of the CCPA. However, there is one new area that has been introduced, and this surrounds sensitive personal information. This is a dataset that is now going to be regulated in the state of California.
Some of the personal sensitive information as per CPRA is as follows:
- Sexual orientation or information pertaining to a person’s sex life.
- Health, biometric, or genetic data information.
- Content of non-public communications, with examples including text messages, email, or mail.
- Philosophical, religious, ethnicity, or race beliefs, as well as union membership
- Precise geolocation
- Financial account and log-in data, with examples including debit or credit card number together with your log-in credentials
- Government identifiers, with examples including driver’s licenses and Social Security numbers
Businesses or organizations that are sharing, selling, or collecting this information are going to be required to disclose that they are doing this and consumers must be permitted to opt-in and opt-out.
Why your business must understand CPRA and the implications
Now that you have an understanding of what CPRA is, it is imperative to understand what this means for the data privacy program at your business.
If you are a company that has more than 100,000 consumers or with data on more than 100,000 consumers, and you utilize that data for advertising or marketing, or to create revenue for your company, then CPRA means a number of different things in terms of your data privacy program.
Storage and purpose limitations
As touched upon earlier, a lot of the inspiration for CPRA has been taken from the GDPR policy in the EU.
These include storage limitation, purpose limitation, and data minimisation.
These requirements mean that companies must collect the minimal amount of information they require, and they must state why they are gathering this data, i.e. how it will be used, and for how long you are going to keep this information.
For example, if you state that you are going to be keeping data in the system for two years, you are going to want to automate the information to be removed as soon as the 24 months are up.
This will be incredibly helpful when carrying out audits, ensuring there is no forgetfulness or manual mistakes on part of the workers.
Enhanced security measures
Under the CPRA, it has been made easier for customers to bring claims against companies that enable their information to be accessed without their authorization. This includes data breaches that disclose log-in data and passwords, answer their security questions, and supply other forms of personal information.
Because of this, businesses need to be prepared to bulk up their security so that they are prepared for CPRA. This is one of the reasons why it is critical that you take the steps to adhere to these new regulations sooner rather than later, as it is going to take time to make sure that your business is set up properly.
The last thing you want to do is end up suffering from a data breach because your security measures were not sufficient, and then have the double penalty of being subject to a much higher fine as a consequence of CDPA.
Right to access information
As per CDPA, customers are now able to see what data you have collated on them, and how that is impacting the personalized experience they have with your business.
In fact, customers are able to request a meaningful description of the logic you have used to make decisions about automated ads, campaigns, and such like. It is critical to have a data privacy plan.
To make this simpler for teams, a CDP will be helpful, particularly one that is integrated with a CRM solution. Together, these tools can be utilized to generate personalized logins and pages for customers so they can view all of their data, what streams they are in as a consequence, and manage their own preferences in terms of data.
On-going and consent opt-out policies
The CPRA has strengthened consent regulations, particularly for minors. This means that to collect data for a user they must provide explicit consent with the knowledge of how their data is going to be utilized and for the length of time it will be used.
Furthermore, customers have the ability to request (and companies must confirm) their opting out of certain programs, which includes data being deleted, even if consent was given previously.
For businesses, it is going to be imperative to utilize tools like a consumer data platform (CDP) for automation of what customers are opted into, what they are opted out of, and the deletion of data when requested.
This is also going to make the audit obligations that have been introduced in this bill much simply for businesses to manage because CDP aids compliance with governance and data privacy requirements.
You need to update your privacy and website policies
Companies that need to adhere to the new CPRA restrictions must update their websites and the websites’ privacy policies to convey compliance with the newly added requirements that the law has brought in.
When do businesses need to take action?
A lot of the provisions in the CPRA of 2020 will not take effect until January 2, 2023. However, do not let that fool you into thinking you do not need to act now. Data protection changes take time to implement, and it requires a lot of planning and resources to get it right, so there is no time to waste.
Moreover, personal data collected on or after January 1, 2022, will be part of the expansion of the “Right to Know” section.
Understanding “Right to Know”
Your company is going to be required to enable consumers the “Right to Know” what data you have collected on them and how it is being used. This refers to any data you have collected from the 1st of January 2022.
Final words on understanding CPRA
So there you have it: everything you need to know about CPRA and what this means for your business. We hope that this has helped you to get a better understanding of the steps you need to take to adhere to CPRA at your business and why this is so important.
Top of the month
INNOVATORS VS COVID 1910 months ago
Storets: The Coziest Styles you will Never Want to Take Off
INNOVATORS VS COVID 191 year ago
Education could be so much more Valuable in Building Brand Loyalty than Sales and Promo Codes, Jeremy Miller Founder and CEO of FSAstore.com Speaks out
Resources2 years ago
How To Earn Money From Survey Sites
Lifestyle2 years ago
15 Effective Ways of Dealing with Criticism & negative comments