The CPRA Action Plan: Step-by-Step Compliance for California's Privacy Rights Act
The California Consumer Privacy Act of 2020 (CCPA) was landmark legislation that has had significant implications for businesses operating in California.
Though it was colloquially known as America's GDPR, it fell short of genuinely holding businesses accountable for their data privacy and data protection practices.
That's why California's Privacy Rights Act 2020 (CPRA) was introduced.
So, whether your business is based in California or outside it, if a large part of your company deals with Californian consumers, this article is for you.
If you are responsible for data privacy and security at your company, it is critical that you understand the CPRA and how it will affect your business.
CPRA and its Effects on Your Business and Website
CPRA in a Nutshell
1. California Privacy Protection Agency (CPPA): Establishes CPPA as the lead enforcer and supervisor of the CPRA/CCPA data privacy regime for the Golden State.
2. Revised Business Definition: Redefines the term "business," excluding smaller businesses and including larger ones generating significant income from collecting, sharing, and selling Californians' personal information (PI).
3. New and Enhanced Consumer Rights: Empowers California residents with four new rights and modifies five existing rights, granting greater control over personal information.
4. Sensitive Personal Information (SPI): Introduces a separate category, SPI, with more robust protections than personal information (PI).
5. Adding a Link to Your Website for CPRA Compliance: CPRA requires websites to provide a "Do Not Sell or Share My Personal Information" link and a "Limit the Use of My Sensitive Personal Information" link. It also encourages a single, clearly labeled link for consumers to opt out of PI sale or sharing and limit SPI use or disclosure.
6. Enhanced Regulation of Cross-Contextual Behavioral Advertising: Specific regulation of opt-out rights for cross-contextual behavioral advertising and personal information usage.
7. Business Accountability for Third-Party Data Usage: Holds businesses responsible for third parties' use, sharing, or sale of the personal information the business collects.
8. GDPR-Inspired Provisions: Incorporates provisions resembling GDPR, expanding the privacy framework established by CCPA.
9. Expanded Consent Requirement: Broadens the consent requirement, extending its coverage to a broader range of scenarios involving personal information use.
CPRA Compliance with Adzapier
Adzapier is a next-gen privacy-by-design platform offering global compliance, including California Privacy Rights Act compliance, in minutes.
Built to scale as your business grows, Adzapier's plug-and-play integration makes it one of the best consent management and data privacy compliance solutions on the market.
Adzapier automates all US data privacy compliance without technical hassle and provides multi-platform and multi-domain interfaces that help organizations keep track of every single data set in their business operations.
With geotargeting that automatically detects the user's region, Adzapier's Consent Management provides an accurate cookie consent banner that is customizable and speaks your brand's voice.
What is CPRA? CPRA in Detail
California's Privacy Rights Act (2020), also known as Proposition 24, was approved by a majority of California voters in the US general election on November 3, 2020, and will be fully effective from July 1, 2023.
The CPRA is an addendum to the California Consumer Privacy Act (CCPA) that expands on the current regulations and provisions, making California's privacy laws more enforceable and stringent.
The enactment of the CPRA puts the CCPA and the US data privacy landscape on par with its European counterpart, the General Data Protection Regulation (GDPR).
When will CPRA become Effective?
January 1, 2021: CPRA becomes law and establishes CPPA.
July 1, 2021: The formulation and adoption process for CPRA regulations commences.
January 1, 2022: CPRA's one-year lookback period begins, holding PI collection accountable.
July 1, 2022: Deadline for CPPA to adopt final CPRA regulations.
January 1, 2023: CPRA comes into full force.
July 1, 2023: CPPA begins enforcing the CPRA.
Though CPRA was initially scheduled to be effective from January 1, 2023, the revised and final effective date of CPRA is July 1, 2023.
However, it does have a lookback period.
This means that some of the provisions of CPRA have been effective from January 1, 2022.
So, businesses that meet specific provisions of CPRA's "look back period" must have been compliant from January 1, 2022.
But with CPRA coming July 2023, businesses must look beyond normal CCPA compliance and prepare for CCPA 2.0 (CPRA).
To Whom Does the CPRA Apply?
CPRA mainly applies to for-profit entities that do business in California or target customers based in California and meet specific regulatory criteria. CPRA applies to businesses that:
Have gross annual revenue of at least $25 million in the previous calendar year; or
Derive 50% or more of their annual revenue from sharing or selling the personal data of California residents; or
Buy, sell, or receive the personal data of 100,000 or more Californian consumers, households, or devices.
Who Enforces CPRA?
CPRA has authorized the California attorney general to enforce the CPRA regulation in the Golden State.
Under California's attorney general, the California Privacy Protection Agency has "full administrative power, authority, and jurisdiction to implement and enforce" the CCPA/CPRA regulations.
What are the fines under CPRA?
As a business owner, you must be familiar with the California Privacy Rights Act and its effects on your business. The CPRA was enacted to protect consumers from companies that violate their privacy rights by collecting personal information about them without their knowledge.
It also gives consumers access to certain information about themselves, which a business may have collected or sold without their knowledge or consent.
The penalties for non-compliance can be severe. A violation may result in the following:
Fines ranging from $2,500 per violation up to $7,500 per violation in severe cases;
A Private Right of Action for Californians, i.e., consumers can take legal action against businesses;
A cure period of 30 days for businesses to rectify their violation before California's attorney general takes action;
Orders requiring you to delete data you have collected illegally; and
Orders requiring you not only to stop violating the law but also to ensure that all violations cease immediately.
CCPA vs. CPRA: What's the difference?
The California Consumer Privacy Act (CCPA) of 2018 is the first data privacy law in the United States.
Given California's large and influential population, it's no surprise that this legislation has become a model for other states adopting stringent data privacy laws.
The purpose of the CCPA is to give consumers more control over how businesses collect and use their personal information.
Also, the CCPA requires companies to disclose critical information about how they collect and use consumers' data, including:
What type of personally identifiable information (PII) is collected from customers?
How is their PII collected?
Where does the collection take place?
Why is their PII needed?
How long is customers' PII kept?
CCPA (California Consumer Privacy Act):
Scope: Applies to organizations collecting personal information from over 50,000 consumers or deriving 50%+ annual revenue from selling personal information.
Sensitive Personal Information: Includes SSNs, driver's licenses, IDs, passports, log-in accounts, financial info, precise geolocation, and data on origin/beliefs.
Penalties: Violations fined $2,500 per violation, including violations involving minors' personal information.
Consumer Requests: Consumers can request personal info categories and specific data.
Consumer Rights: Existing rights include deletion requests.
CPRA (California Privacy Rights Act):
Scope: Applies to organizations collecting data from over 100,000 consumers and expands to sharing personal info.
Sensitive Personal Information: Adds new category (similar to GDPR) covering SSNs, driver's licenses, IDs, passports, log-in accounts, financial info, precise geolocation, and data on origin/beliefs.
Penalties: Violations fined $7,500 per violation, including violations involving minors' personal information.
Consumer Requests: Consumers can request personal info categories, collection sources, purpose, third-party access, and specific data.
Consumer Rights: Four new rights were added, including correction, limiting sensitive info, access/opt-out, and data portability.
Right to Delete: Organizations must notify and instruct third parties to comply with deletion requests.
Similarly, the California Privacy Rights Act (CPRA) of 2020 establishes new rights for Californians.
It lets them know what data businesses collect about them and how they use it.
It also creates transparency around companies sharing and selling consumer data with third parties.
The CPRA requires businesses to be transparent about what information they collect from the customers, how they use it, and whom they share or sell it with.
Reputational Damage: Biggest penalty for CPRA non-compliance
The CPRA protects consumers and ensures they can control how businesses use their personal information.
The enforcement of this law is seen as a significant win for privacy advocates, but it will have an even more significant impact on brands that do not comply with the new rules.
This law comes at a time when consumers are increasingly concerned about their online privacy, their personal data, and the brands that hold it.
Comply to protect your brand's reputation among Californians.
Customers want to know what information you're collecting from them and how it's being used—or they'll go elsewhere.
The CPRA Action Plan: Step-by-Step Compliance for California's Privacy Rights Act
We've compiled an overview of everything you need to know about complying with CCPA and CPRA and the steps you can take now.
1. Prepare Your Team
To prepare your team, it is essential to be aware of the new law. The following sections will help you understand how the CPRA applies to your business and what steps you should take to comply. As a business owner or manager, you must understand how this law applies to your organization and all its services.
This includes understanding the new compliance requirements, consumer rights, and the data protection and privacy issues related to California residents' information.
2. Review Your Data Inventory
A critical step in CCPA compliance is to review your data inventory.
This involves identifying what data is being collected, for what purpose it's being collected, how long the information is stored, and where it's stored.
It will also help you think about who has access to this information, how it is used, and whether there are any risks associated with that information.
3. Map Your Data Flows
California has no laws or regulations requiring companies to notify customers when a data breach occurs, but businesses that fail to do so will face serious consequences.
In California, it is now a crime for businesses not to disclose personal information they've collected from their customers.
Violating this law can result in heavy fines per violation and jail time for individuals charged with multiple offenses.
The California Consumer Privacy Act protects consumers from unfair business practices by outlining specific standards for privacy protection and data security for companies in the state - including what information must be disclosed if there's a breach.
In addition, it requires businesses to provide notice when they experience any event that poses a risk of identity theft or fraud due to unauthorized access or disclosure of personal information (PDPI).
4. Evaluate Your Data Protection and Privacy Policies
Review your data protection and privacy policies. Make sure your policies comply with the CCPA and update them if needed.
Your CPRA compliance policies should align with your business model and industry.
They should also align with your company's values. Clear, concise communication is always crucial, so make sure you've considered how to articulate the following:
How data is collected and stored
How long information is retained (and what happens after it expires)
How it is accessed by your company's employees or by third parties working for you
5. Review and Update Your Privacy Policies for Consumers
Privacy disclosure is one of the essential elements of any data security program and should be reviewed carefully.
It serves two purposes: it informs individuals about how you will use or disclose their personal information, and it informs them of their rights over it.
The CPRA requires that you provide a privacy notice when collecting personal information from an individual.
This notice is also needed when you change your privacy practices that may affect them. These notices should include the following:
A description of the types of consumers whose records are collected;
How these consumer records are used or disclosed (e.g., whether you share them with other companies);
The consumer's right to access or correct such information;
An opt-out mechanism so that such data is not shared with third parties without consent;
How long this information will be maintained before deletion (i.e., the retention period).
6. Implement a Data Governance Program
Data governance is the process of managing and governing data within an organization. It includes setting up policies, procedures, and standards to control access to data across your organization.
Data governance helps ensure compliance with privacy laws by establishing clear rules for when people can access personal information and how to use it.
A solid data governance program aims to protect customer information from being used in ways that customers do not intend or expect.
This means you can demonstrate your commitment to protecting user privacy if you are under scrutiny from regulators or customers.
7. Test Your Opt-Out Processes
You should test your opt-out processes with a small group of consumers, then with a larger group. You can also experiment with a sample of your entire customer base.
Measure how long it takes to opt out and what percentage of the people who try to opt out succeed. If the process is too cumbersome or complicated, you could lose potential customers for good.
8. Document All Calls from Consumers
Record the date, time, and name of the person who called.
When you receive a call from someone asking for information about your organization or requesting action, take down their contact information.
This can include their name, phone number, and email address. Record the nature of the call and what was discussed. Record the outcome of the call.
Whatever happened during this interaction should be documented in detail so that proper follow-up actions can be taken to secure PII.
9. Hire A Data Protection Officer (DPO)
Hiring a data protection officer (DPO) to meet the California Privacy Rights Act (CPRA) requirements is a good idea.
A DPO's role is to ensure that your company complies with regulations and provides adequate protection for data privacy.
They must be "independent from any business function, not an employee of the controller or processor, and able to perform their duties independently."
This means that if you hire someone who works for the company itself, it will not be considered sufficiently independent.
They would have a conflict of interest since they would have interests both as an independent third party and as part of the company.
They are responsible for ensuring compliance with data protection laws.
This may include advising on policies related to processing personal information and monitoring CCPA and CPRA compliance.
They should provide advice/training on security measures, monitor staff awareness, prepare reports on findings/recommendations under regulations, and conduct audits/inspections to ensure compliance.
10. Install the Do Not Sell Opt-Out Notice
You must install the Do Not Sell Opt-Out Notice on your website.
The notice must be in the form of a link to a web page on your website that is accessible from the homepage of your website.
You must use this link in your email to customers or prospects who do not want their personal information sold or shared with anyone else.
If someone signs up for your email list and wants to receive emails from you, they should receive an email with the Do Not Sell Opt-Out Notice link (and instructions) within 24 hours of signing up.
If a customer or prospect clicks on this link, they will be taken to a page where they can opt out of sharing their personal information with other companies outside your business entities.
If they don't click on this link within 30 days after being notified by mail or email about how they may opt out, then there is no obligation under California law for any further action by you.
11. Go Cookie-Less (Almost) and Tell People About It!
Cookies are a great way to track people's browsing habits and are helpful for marketing purposes. But they're also being used more and more for nefarious reasons.
The good news is that there are alternatives to cookies that can help marketers retain valuable information about their customers while protecting their privacy. You can still provide your users with an excellent experience using other methods:
First-party data
However, it's important to remember that not all cookies are gone. You need consent for the cookies to continue with your marketing or advertising.
12. Respect Individual Choice
Consumers have the right to opt out of data collection and sharing. As a CPRA-compliant company, you must allow consumers to opt out of information collection.
In addition, you cannot use deceptive practices that prevent individuals from opting out of data collection or sharing programs—for example, by tricking them into consenting when they don't want to give it (see below).
13. Educate Your Employees
Educating your employees on data protection is essential to ensure that California privacy rights are protected.
Your employees should be taught how to handle data and protect it. They must also be taught about transparency and accountability when dealing with personal information.
14. Require Responsible Corporate Behavior
The California Privacy Rights Act (CPRA) imposes data protection requirements on all companies that collect and process personal information.
The CPRA requires companies to have a data protection policy in place, as well as a data protection officer.
It also mandates that companies train their employees on how they are expected to treat customers' personal information.
Companies should take this responsibility seriously since failing to comply can result in fines of up to $7,500 per violation!
That's why it is critical for all businesses operating within California, whether large or small-scale, to implement these best practices into their corporate structure.
The CCPA is critical legislation that will significantly impact how businesses operate in California.
As technology advances, new technologies like biometrics continue to emerge and create unknown privacy risks for consumers.
Companies must understand how to comply with the law while still collecting data and delivering personalized services to their customers.