Since the California Privacy Rights Act (CPRA) amendments took effect on January 1, 2023, businesses processing the data of California residents must update their Privacy Policies to comply with the new regulations. Building on the California Consumer Privacy Act (CCPA), the CPRA introduces enhanced consumer rights and stricter obligations for businesses, significantly bolstering privacy protections for California residents. In this article, we walk you through the steps needed to update your Privacy Policy so that your business meets the new legal requirements and fosters consumer trust.
Understanding the CPRA
The CPRA, often referred to as CCPA 2.0, is an expansion and amendment of the original CCPA. Its primary objective is to strengthen privacy protections for California residents by introducing more robust consumer rights and imposing stricter obligations on businesses. The CPRA aims to prevent the dilution of privacy rights by special interests and politicians while allowing legislative amendments to enhance consumer privacy protections further.
Key Objectives
The CPRA aims to:
- a. Strengthen Privacy Protections: Ensure that privacy rights are not easily weakened in the future.
- b. Enhance Consumer Rights: Provide greater control over personal data for consumers.
- c. Improve Enforcement: Establish the California Privacy Protection Agency to oversee and enforce compliance.
Applicability
Does the CPRA Apply to Your Business?
The CPRA applies to for-profit organizations that:
- a. Have gross annual revenue exceeding $25 million.
- b. Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices.
- c. Derive 50% or more of their annual revenue from selling or sharing personal information.
If your business meets any of these criteria, you are required to comply with the CPRA.
Exemptions
The CPRA retains the CCPA’s exemptions while improving some. Exemptions include:
- a. Data related to job applicants, employees, and business-to-business (B2B) contacts.
- b. Personal information collected as part of a clinical trial or biomedical research study conducted according to the Federal Policy for the Protection of Human Subjects.
- c. Healthcare providers and medical data protected by the Confidentiality of Medical Information Act.
Significant Requirements
- Service Provider Data Restrictions: Service providers are prohibited from combining personal data received from different sources for business purposes.
- Third-Party Contracts: Businesses must enter into contracts with third parties to whom they sell or share personal data, including data transfers for cross-contextual advertising.
- Data Retention, Minimization, and Security: Disclose the retention period for each category of personal data, or the criteria used to determine this period. The CPRA also abolishes the 30-day “cure” period that previously applied before non-compliance counted as a violation.
- Expanded Consumer Rights: Consumers can: (a) correct erroneous personal data; (b) restrict the use of their sensitive personal information; (c) opt out of data sharing for cross-contextual advertising; and (d) opt out of automated profiling and decision-making.
CPRA-Compliant Policy
Your Privacy Policy must clearly outline:
- Users’ rights and the data access request process.
- A category-by-category explanation of the data you collect, its sources, purposes, and disclosures.
i. Addressing New Consumer Rights: The CPRA introduces a new category of data called sensitive personal information, which includes:
- Government-issued identifiers (e.g., driver’s license, passport, social security number).
- Financial account details.
- Genetic and biometric data.
- Precise geolocation.
- Data revealing racial or ethnic origin, religious beliefs, union membership, or sexual orientation.
If your business collects sensitive personal information, you need to:
- Update your Privacy Policy to notify users.
- Explain where the data was collected, the purpose of collecting it, and with whom you have shared it.
ii. Right to Correct Personal Information: Under the CPRA, users have the right to correct inaccuracies in their personal information. Your Privacy Policy must:
- Explain this right.
- Provide methods for users to correct their information (e.g., a toll-free number and an email address).
- Commit to making “commercially reasonable efforts” to correct the inaccurate information within 45 days of receiving a request.
iii. Right to Opt-Out of Data Sharing: Users can opt out of their personal data being shared with third parties, which includes data transfers for cross-contextual advertising. To comply:
- Notify users of this right in your Privacy Policy.
- Provide a clear link on your homepage to a page where users can opt out of data sharing.
iv. Data Retention Notification: The CPRA requires businesses to inform users, for each category of data collected, how long they intend to keep that information. This can be:
- Specified in your notice at collection.
- Included as a clause in your Privacy Policy, explaining either a specific timeframe or the criteria for disposal of the data.
v. Automated Decision-Making Notification: If your business uses automated decision-making (including data profiling), you must:
- Notify users of this practice.
- Allow users to opt out of automated decision-making.
- Include a general statement in your Privacy Policy, detailing this practice and the types of data used.
Implementing the CPRA
- Updating Your Privacy Policy: To ensure your business complies with the CPRA, start by conducting a thorough review of your current Privacy Policy. Identify areas that need updating to align with the new regulations. One of the critical updates involves adding a new category for sensitive personal information. Clearly explain how this data is collected, used, and shared within your organization. Next, detail the new consumer rights introduced by the CPRA. This includes the right for users to correct their personal information and opt out of data sharing. These rights should be prominently outlined in your Privacy Policy. Additionally, specify your data retention policies. Clearly state how long you intend to retain each category of personal data or the criteria used for determining these retention periods. Inform users about any automated decision-making processes your business employs. Provide clear opt-out options for these processes, ensuring users have control over how their data is used in profiling or automated decision-making.
- Ensuring Compliance: To reinforce compliance with the CPRA, ensure users actively agree to your Privacy Policy by including an “I Agree” checkbox during account creation, purchases, or subscriptions. Make your Privacy Policy easily accessible by placing links in prominent locations such as the website footer, navigation menu, and during user interactions like sign-ups and purchases. Regularly review and update your Privacy Policy to stay compliant with evolving privacy laws and best practices. This ongoing vigilance helps maintain compliance and fosters trust with your users.
- Educating Your Team: Conduct training sessions for employees to familiarize them with the new requirements under the CPRA and emphasize the importance of compliance. Updating internal data handling practices is also crucial. Ensure these practices align with CPRA requirements, focusing on data minimization, security, and proper data retention. By educating your team and updating your practices, you can ensure your business stays compliant with the CPRA while maintaining high standards of data protection and user trust.
Penalties for Non-Compliance
Non-compliance with the CPRA can result in significant fines, especially for violations involving the personal information of minors. Penalties can reach up to $7,500 per violation. It is crucial to understand the potential legal and financial repercussions of failing to comply with the CPRA and to take proactive steps to ensure adherence to its regulations.
Tools and Resources
- Privacy Policy Generators
- Using tools like our Privacy Policy Generator can help you quickly create a CPRA-compliant Privacy Policy tailored to your business needs. These tools provide templates and guidance to ensure you meet all legal standards while maintaining user confidence in your data-handling practices.
- Legal Consultation
- Consulting with legal professionals who specialize in data privacy laws can provide valuable insights and help you navigate the complexities of CPRA compliance. They can assist in drafting your Privacy Policy, ensuring it covers all necessary aspects, and advising on best practices for data protection.
Wrapping Up
The CPRA enhances the privacy rights of California residents and imposes new obligations on businesses. By reviewing and updating your Privacy Policy to comply with the CPRA amendments, you ensure your business meets legal standards and maintains user trust. Staying informed and proactive in updating your Privacy Policy will help protect your business and provide a solid foundation for building trust with your users. With the CPRA’s comprehensive requirements, businesses have a clear roadmap to strengthen their privacy practices and ensure compliance with evolving data protection laws.