CPRA Amends and Expands CCPA. Starts January 1 - Get Ready!


Learn how the amendment and expansion of the California Consumer Privacy Act (CCPA) affects your business.

To protect consumer data privacy, California has introduced legislation, the California Consumer Privacy Act (CCPA), that defines how companies can gather, use, store, and manage consumer data. On January 1, 2023, California will amend and expand the CCPA, creating new requirements, consumer privacy rights, and enforcement mechanisms for applicable organizations. Once the California Privacy Rights Act (CPRA) comes into effect, it will effectively replace the CCPA.

It doesn’t matter where your business is located: the CPRA applies to your company if your customers reside in California. If you fail to comply with CPRA regulations, you may face expensive financial penalties and possible damage to your reputation. It’s important to note that CPRA defines sensitive personal information more broadly than CCPA. Under CPRA, personal information includes race, ethnicity, sexual orientation, and health data.

In this article, we provide steps that business owners can take to successfully navigate CPRA regulations:

1. Involve the Organization

CPRA compliance is more than just an IT issue. Because it involves functions from across the organization, the development and execution of your compliance program should include most functions–from IT to HR, legal, operations, and marketing. Form a cross-functional team that can identify compliance gaps and share the work of filling them.

2. Identify Gaps in Your Privacy Practices

To achieve CPRA compliance, you need to understand where your privacy practices fail to meet CPRA standards. Start by analyzing how you collect, store and share data for both customers and employees. You should identify and evaluate:

  • The categories of personal information involved.
  • How the information is processed.
  • Where the information is stored and accessed.
  • Whether service providers are involved in the process.
  • The retention period of this data.

With this information, you can start building a strategy for CPRA compliance.

3. Update Your Privacy Policy

Once you understand where your gaps exist, you should update your privacy policy. The policy should be clear, concise, and comprehensive. Be sure to include information on the personal data you collect, why you collect it, how you use it, and how long you retain it.

4. Implement Changes to Your Data Management Practices

Once you've updated your privacy policy, you should implement changes to your data management practices. If CPRA requires you to change how you collect or process data, be sure to reflect those changes in your systems and processes.

5. Review and Update Vendor Contracts

If you share personal data with third parties, you should review and amend your contracts to ensure they meet the obligations for agreements under the CPRA. These contracts should stipulate that the third party will only use the data for the purpose specified in the contract and that they will protect the data in accordance with CPRA's requirements.

6. Train Your Employees

Your employees are vital to the success of your CPRA compliance program. They must understand what they can and can't do with personal data, CPRA's opt-out provisions, and your company's privacy practices.

7. Give Customers Access to Mandated Consent and Disclosures

Before collecting personal data, you must provide customers with your company's contact information and a description of the customer's rights under CPRA. Because you must also get explicit consent from customers, you should include the mandated links for opt-out and personal information usage.

8. Review and Update Incident Response Policies and Procedures

Review your incident response processes and procedures to ensure that the policies are updated. If needed, your organization should strengthen your technical and organizational infrastructure to decrease the risk of exposure.

9. Adopt Data Minimization

By only collecting and retaining the data you need for a specific purpose, you can reduce the risk of data breaches and unauthorized use of personal data.

Satisfying the California Privacy Rights Act

To cost-effectively ensure they are complying with CPRA, businesses will have to manage and track consumers’ requests to opt-out, review, access, delete, and obtain their data.

Business owners and leaders need a system for tracking consumer requests to opt-out, review, access, delete, and obtain their data. Without an accurate system for tracking the status of each request, business owners risk costly penalties and damage to their reputations.

To strengthen your brand and enhance customer loyalty, PrivacyCare offers a system that features:

  1. Customizable data-subject-request (DSR) forms that consumers can use to initiate their data request.
  2. Consumer authentication.
  3. A flexible record-keeping system that can support any DSR process, helping businesses comply with multi-state data privacy laws.
  4. A database of the DSRs and their status.
  5. A cost-effective solution that avoids unnecessary upgrades involving data analytics, data management, and data security functions.
  6. A SaaS platform that eliminates the need for businesses to purchase and manage hardware or software.
  7. Up-to-date with the latest changes to data privacy laws across the U.S.

Get started with PrivacyCare for help with your data privacy compliance.
