Data privacy defines who may access the information an organization collects and what it may be used for. Data protection, by contrast, is the set of controls and processes that preserve the confidentiality, integrity and availability of that information.
Data privacy is about handling personal information properly and in line with data protection regulations: how data is collected, stored, managed and shared with third parties in the course of doing business.
Several privacy laws govern how personal data must be handled. Examples include the General Data Protection Regulation (GDPR), Virginia’s Consumer Data Protection Act (CDPA), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
CPRA is one of the newest of these laws, and failing to comply with it can have severe consequences for a business: administrative fines and civil penalties, lawsuits (the CPRA keeps the CCPA’s private right of action for data breaches caused by inadequate security), business disruption, lost revenue and a damaged brand reputation.
Compliance is the cheaper option. This article discusses how to remain compliant with the CPRA in 2022.
What is CPRA?
CPRA stands for California Privacy Rights Act. It amends and extends the CCPA (California Consumer Privacy Act). California voters approved it as Proposition 24 in the general election held on November 3, 2020.
Most of the CPRA’s provisions take effect on January 1, 2023, with enforcement beginning on July 1, 2023. The law also has a lookback period: consumer rights such as the right to know apply to personal information collected on or after January 1, 2022, so data you collect this year is already in scope.
Because the CPRA amends the CCPA rather than replacing it, any further amendments to the CCPA made before January 1, 2023 will carry over into the CPRA.
Compared to the CCPA, the CPRA raises the applicability thresholds, so fewer small businesses are covered and the focus shifts to larger organizations. The Act will also:
- Grant California residents four new rights and modify five existing ones
- Place new business regulations on the use of personal information (PI)
- Establish an agency (the California Privacy Protection Agency) that will implement and enforce the Act
The first step is to determine whether your business is subject to the law at all. The CPRA applies to for-profit organizations that do business in California and collect California consumers’ personal information (or have it collected on their behalf), and that meet one or more of these criteria:
- Annual gross revenues above $25 million in the preceding calendar year
- Annually buying, selling or sharing the personal information of 100,000 or more California consumers or households
- Deriving 50% or more of annual revenue from selling or sharing consumers’ personal information
Definition of sensitive personal information (SPI) under CPRA
The CPRA creates a new category, sensitive personal information (SPI), that is regulated more strictly than other personal information. Personal information (PI), as under the CCPA, is data that identifies, relates to, or could reasonably be linked, directly or indirectly, with a particular consumer or household. SPI is the subset of PI whose misuse carries a higher risk of harm, so it comes with additional compliance obligations. It includes:
- Driver’s license numbers
- State ID numbers
- Social Security Numbers (SSN)
- Passport numbers
- Precise geolocation
- Information about a consumer’s sex life or sexual orientation
- Account log-in, financial account or payment card numbers together with the credentials needed to access them (e.g., passwords or security codes)
- Biometric data processed to uniquely identify a consumer, and genetic data
- Racial or ethnic origin
- Religious or philosophical beliefs, and union membership
- Information about a consumer’s health
- Contents of a consumer’s mail, email and text messages, unless your business is the intended recipient
If your business handles any of the sensitive personal information listed above, you need to be deliberate about where you store it and what you use it for, because under the CPRA consumers have the right to limit the use and disclosure of their SPI to what is necessary to provide the goods or services they asked for.
Five ways to remain compliant with CPRA in 2022
The following are ways to remain compliant with the California Privacy Rights Act.
- Provide consumer notices
You must provide four main types of consumer notice to remain compliant with the CPRA in 2022. Each notice must be written in plain language, conspicuous enough to draw consumers’ attention, available in the languages in which you ordinarily do business, and accessible to consumers with disabilities.
They include the following:
- Notice at collection: Inform consumers, at or before the point of collection, which categories of personal information you collect and for what purposes. If you later want to use that data for a purpose not disclosed at collection, you must notify them first.
- Notice of the right to opt out of the sale or sharing of personal information: Consumers can direct you to stop selling or sharing their personal information with other organizations, so tell them that this right exists and how to exercise it (for example, a “Do Not Sell or Share My Personal Information” link).
- Notice of financial incentives: If you offer financial incentives in exchange for personal information, provide a statement that clearly describes the material terms of the program before a consumer signs up. Also explain how the consumer can opt in and how to withdraw.
- Notice of the right to limit use of sensitive personal information: Tell consumers they can restrict your use and disclosure of their SPI, and how to do so. Relatedly, the notice at collection must state, for each category of personal and sensitive personal information you collect, whether it is sold or shared and how long you retain it (or the criteria used to decide), so inventory your data and its retention periods before writing these notices.
- Label your data
The CPRA gives consumers more protection for their personal information. In particular, consumers have the right to limit how businesses use their sensitive personal information, which includes Social Security and passport numbers, racial or ethnic origin, genetic data and the other categories listed above.
So label your data as either sensitive personal information or non-sensitive personal information, so that the two can be told apart wherever the data is stored or processed.
Classifying consumers’ data into these two groups lets you apply the stricter handling SPI requires where it is needed, honor consumers’ requests to limit its use, and show that you are not violating the CPRA’s rules.
- Revisit your contracts with contractors and service providers
Your business’s obligations for consumers’ data do not end with you. Under the CPRA, every other party that handles the personal information you share or sell, whether a contractor, a service provider or a third party, also has specific responsibilities.
Under the CPRA, a service provider is an entity that processes personal information on your behalf under a written contract, and a contractor is an entity to which you make personal information available for a business purpose under a written contract. Both must be bound by contract terms that the Act specifies.
The CPRA requires those contracts to prohibit contractors and service providers from:
- Selling or sharing the consumers’ personal information
- Retaining, using or disclosing it for any purpose other than the business purposes specified in the contract
- Retaining, using or disclosing it outside the direct business relationship with your business
- Combining it with personal information they receive from other sources or collect from their own interactions with consumers, except as the regulations permit
One way to stay compliant is to review the contractual provisions the CPRA requires, then amend your contracts and business agreements with third parties, contractors and service providers accordingly.
For instance, if your business is involved in digital advertising, you probably share consumers’ information with third parties. You must make sure these third parties, contractors and service providers understand the requirements the CPRA places on them.
If you find that a contractor, service provider or third party is not compliant, or is unwilling to become compliant, find a new vendor. Otherwise, revise the existing contracts or draft new ones so that every relevant partner remains compliant with the CPRA.
- Honor the new consumer rights and retention limits
The CPRA adds four new consumer rights that your request-handling processes must support:
- Right to limit the use and disclosure of sensitive personal information
- Right to correct inaccurate personal information
- Right to opt out of automated decision-making technology, including profiling
- Right to access information about the logic involved in automated decision-making
The Act also introduces data minimization and storage limitation principles. You may not retain personal information for longer than is reasonably necessary for the purpose disclosed at collection, so holding data “just in case” puts you at risk of non-compliance. Nor can you collect or keep data for “any business purpose”: use it only for the purposes disclosed when it was collected.
- Conduct a detailed gap analysis
A gap analysis determines whether the CPRA applies to your business and where your current data privacy and protection program falls short of its requirements. It also identifies the key areas you need to address to stay compliant with the Act.
By conducting a detailed CPRA gap analysis, you will understand your current practices and know what to improve to comply with the law, which protects you from the penalties attached to non-compliance.
The gap analysis should cover data governance, risk management, the scope of compliance, the handling of consumer rights requests, and the management of the CPRA project itself. It also gives you a framework for your data privacy program.
Finally, ensure the person in charge of the gap analysis has an in-depth knowledge of the CPRA requirements and your company’s data collection, processing, and protection practices.
Protecting consumers’ personal information matters, and businesses must comply with the laws that require it. This article discussed the California Privacy Rights Act and how your business can remain compliant in 2022.
Lydia Iseh is a writer with years of experience writing SEO content that provides value to the reader. As someone who believes in the power of SEO to transform businesses, she enjoys being part of the process that helps websites rank high on search engines.