In November 2020, California voters approved Proposition 24, including the California Privacy Rights Act, or CPRA. This law amends and expands regulations under the original California Consumer Privacy Act (CCPA).
One question that affected businesses asks is, “how can I prepare for CPRA compliance?” With the law taking effect on January 1, 2022, the clock is ticking, and many organizations are looking for ways to complete final compliance preparations.
Here, we will talk about some of the basic steps for CPRA compliance.
What Are CCPA and CPRA?
Voters approved the CPRA to amend and address limitations in the original CCPA law. CCPA is a unique legislative effort in that the technical and privacy requirements it implements more closely resemble EU law than other US state laws. CPRA takes this approach further by aligning California privacy law with the General Data Protection Regulation (GDPR).
Some of the rights introduced by CCPA include the following:
- The Right to Know: This right includes the right for consumers to request that businesses disclose any personal information collected, including the purposes for such collection and who it has been sold to or shared with.
- The Right to Delete: Consumers can demand that a business and relevant third parties delete their private information.
- The Right to Non-Discrimination: A business may never discriminate against or adjust prices for consumers exercising their rights.
- The Right to Opt-Out: Consumers can restrict businesses from selling their information to third parties.
- The Right to Opt-In: Minors under the age of 16 must opt-in to data collection, with clear descriptions of what those consumers are opting into. Minors under the age of 13 must have parent or guardian consent.
Businesses in California fall under CCPA jurisdiction if one or more of the following three conditions are met:
- The company makes more than $25M annually.
- The company generates revenue from selling the personal information of 50,000 or more consumers.
- The company derives at least 50% of its annual revenue from the sale of consumer information.
CPRA expands CCPA in a few critical areas:
- Sensitive Personal Information: Alongside personal information, CPRA defines SPI as items like social security numbers, military IDs, driver’s license numbers, biometric data and other pieces of data. SPI calls for stricter security and privacy controls.
- The California Privacy Protection Agency (CPPA): This new organization manages and enforces CPRA law.
- GDPR Alignment: CPRA adds several GDPR-inspired laws, including the right to limit business data processing and sharing.
- Expanded Opt-Out Policies: In addition to the right to opt out of data collection or usage, consumers can opt out of the sale or sharing of their data with third parties.
CPRA also shifts the requirements for businesses to qualify. While the annual revenue threshold remains the same, the threshold on the number of consumers whose personal information is sold rises from 50,000 to 100,000, shifting some burden off of small businesses.
How Can I Prepare for CPRA Compliance?
With the deadline approaching, businesses need to begin planning and implementing their compliance strategies. This includes the following best practices:
- Audit Your Website Capabilities: Websites using portals and online account access should support compliant user activity like data deletion, data requests and consent provision. For example, a user account portal can allow users to delete relevant data, turn third-party data off or on, and offer all disclaimers and disclosures on data usage and user rights.
- Audit Internal Customer Service: Your employees should have the training and support to fulfill CPRA requirements like data deletion and disclosure. There should also be mechanisms to document these requests, including opt-in and opt-out requests.
- Perform Data Mapping: It’s critical that you understand what systems contain personal information and even more essential that you know where any SPI is located.
- Update All Policy and Privacy Notices: Across your websites, user access areas, data collection points (cookie requests, email list requests, etc.) and any other customer contact point, make sure that notices are clear, unambiguous and specific.
- Review All Contracts with Third-Party Vendors: All vendor relationships that include personal information are subject to regulations and security protections. Performing some form of third-party management will help you scope out compliance obligations.
- Maintain Training and Education Programs: It’s not enough for your IT and data management systems to be compliant. Your employees and customer service representatives must handle customer information and requests according to CPRA requirements.
- Get IT and Business Leadership On the Same Page: Compliance will become an exponentially more difficult experience if different parts of the organization aren’t working together. Coordinate between executives across the organization to get insights from all relevant stakeholders.
- Develop Policies: Every consumer right, including rights to deletion or opting out, should have policies in place outlining operations, outcomes and processes related to executing these rights.
Automate Audits and Security Insights with Continuum GRC
CPRA compliance will require regular auditing of privacy controls, security measures and overall adherence to policies. Continuum GRC offers modules to support CCPA and (now upcoming) CPRA attestation. Furthermore, our privacy service experts are experienced with frameworks such as GDPR, which can align with and inform your broader organizational security efforts.
Preparing for CPRA Compliance?
Call Continuum GRC at 1-888-896-6207 or complete the form below.