The California Privacy Rights Act (CPRA) is a new privacy law that expands the privacy rights of California residents and the obligations of businesses operating in the state. The CPRA, which was approved by California voters in November 2020 and goes into effect on January 1, 2023, builds upon the California Consumer Privacy Act (CCPA) and provides additional protections for personal information.
Companies that collect, store, or process personal information of California residents must take steps to comply with the CPRA in order to avoid significant penalties.
What is the CPRA?
The CPRA is a comprehensive privacy law that gives California residents new rights over their personal information. The law applies to businesses that collect personal information from California residents, regardless of where the business is located.
Personal information is defined broadly to include any information that can be used to identify an individual, such as names, addresses, phone numbers, email addresses, social security numbers, and more.
Under the CPRA, California residents have the right to:
- Know what personal information is being collected about them
- Request that their personal information be deleted
- Opt out of the sale of their personal information
- Receive equal service and pricing, even if they exercise their privacy rights
- Receive specific information about the categories and specific pieces of personal information that a business has collected about them in the previous 12 months, and the categories of sources from which that information was collected
What do companies need to do to comply with the CPRA?
To comply with the CPRA, companies must take several steps, including:
- Assess their data collection, storage, and processing practices: Companies must examine the personal information they collect, how they collect it, and how they store and process it. They must also identify any third-party service providers that have access to personal information.
- Update privacy policies and notices: Companies must update their privacy policies and notices to reflect the CPRA’s requirements and provide California residents with the information they need to exercise their rights under the law.
- Establish data deletion and opt-out processes: Companies must establish processes for responding to requests from California residents to delete their personal information and to opt out of the sale of their personal information.
- Train employees: Companies must train their employees on the CPRA’s requirements and the company’s compliance processes.
- Implement technical safeguards: Companies must implement technical safeguards to protect personal information from unauthorized access, disclosure, or deletion.
- Work with third-party service providers: Companies must work with their third-party service providers to ensure that they are also in compliance with the CPRA.
What are the penalties for non-compliance?
Non-compliance with the CPRA can result in significant penalties. The California Attorney General can impose fines of up to $2,500 per violation or $7,500 per intentional violation. In addition, individuals can bring private lawsuits against companies for non-compliance, which can result in damages and attorneys’ fees.
In conclusion, the California Privacy Rights Act is a comprehensive privacy law that expands the privacy rights of California residents and the obligations of businesses operating in the state. Companies that collect, store, or process personal information of California residents must take steps to comply with the CPRA in order to avoid significant penalties.
To be ready for the CPRA, companies must assess their data collection and processing practices, update their privacy policies and notices, establish data deletion and opt-out processes, train employees, implement technical safeguards, and work with third-party service providers.