CPRA Compliance
The California Privacy Rights Act (CPRA) amends and expands upon California’s existing California Consumer Privacy Act (CCPA). It is a state law that gives California residents the right to know what personal information companies collect about them, why it is collected, and what is done with it. The law also gives residents the right to ask companies to delete or correct their personal information, as well as the right to opt out of selling their personal information.
The California Privacy Rights Act (CPRA) expands upon a host of requirements for companies doing business in the Golden State, even if they’re not based in California. The act is intended to give California residents more control over how companies collect and use their personally identifiable information (PII) by granting them rights to view and control the PII that companies collect about them, similar to the goal of GDPR in the E.U. Companies subject to the CPRA must comply with the data privacy law by creating mechanisms that allow California residents to exercise those rights.
Risks from regulatory non-compliance and litigation can be severe. The CPRA establishes the first state enforcement agency dedicated to privacy. The CPRA allows the state to seek civil monetary penalties for each infraction, and consumers can file their own civil litigation seeking damages arising from personal information breaches. Compliance requires organizations to have effective risk management practices.
Unfortunately, there is still a lot of uncertainty around how to systematize and comply with the CPRA in a way that aligns with the organization’s other compliance efforts.
Development and disclosure of privacy policies to align with CPRA compliance.
Employees must be trained on the company’s responsibilities under the data privacy law on how to handle consumer inquiries.
Mechanisms to allow consumers to submit data subject requests.
Processes to research and vet third parties that handle consumers’ PII on the company’s behalf.
The company should identify PII it collects about California residents, how that data is processed, and where the data resides.
Protocol to disclose a breach once discovered, or to investigate allegations of a breach brought to the company’s attention.
Understand what data you have, why it is collected, how it is used, and how it travels through your organization. Assess for risk to that data and develop and implement plans to protect it.
Make sure your policies and procedure management program remains in alignment with California’s data privacy law as it evolves.
Offer multiple methods for consumers to submit data subject requests, including a toll-free telephone number and a streamlined information-gathering process. The CPRA requires a minimum of two opt-out methods for the majority of companies.
Perform a risk assessment on third parties you share data with and service providers that handle PII on your company’s behalf. Confirm that your policies and procedures for working with those third parties and service providers address CPRA compliance issues.
Learn more
Learn more