The CPRA Compliance Checklist Every Business Should Follow in 2023


By Adil Advani

If you run a business, it’s essential to be aware of and comply with all relevant regulations. One such regulation is the California Privacy Rights Act (CPRA), which was approved by California voters in November 2020 and went into effect on January 1, 2023. The CPRA builds on the California Consumer Privacy Act (CCPA), which became law in 2018, and gives California consumers additional rights over how businesses collect, use, and share their personal information.

Understanding the CPRA

The CPRA applies to companies that do business in California and meet certain criteria, including having gross annual revenues over $25 million, collecting personal information from more than 100,000 consumers or households, or deriving 50% or more of their annual revenues from selling consumers’ personal information.

Personal information is defined as any information that relates to, or could reasonably be linked to, a particular consumer or household. This includes names, addresses, email addresses, IP addresses, and more sensitive information like biometric data and personal financial information.

Some of the fundamental rights that the CPRA gives to California consumers include:

  • The right to know what personal information a business has collected about them
  • The right to request that a business delete the consumer’s personal information
  • The right to opt out of the sale of their personal information
  • The right to opt out of automated decision-making, such as profiling for targeted behavioral advertising
  • The right to know how automated decision technologies work and their likely outcomes
  • The right to correction in the event the personal information is incorrect
  • The right to limit the use of a consumer’s sensitive personal information
  • The right to data portability where an organization shares data with other entities
  • The right of minors to be notified if the business intends to sell or share their personal data

Ensuring your business is compliant

1. Make a plan

It’s essential to have a plan in place for how your business will handle requests from California consumers, including who will be responsible for responding to them and how long it will take to respond. The CPRA mandates that these requests must be acknowledged within ten days and completed within 45 days.

2. Review and update your privacy policies and notices

The CPRA requires businesses to provide clear and conspicuous notice to consumers about their rights under the law, as well as information about the personal information the business collects and how it is used. This means taking a close look at the personal information that your business collects, how it is collected, and how it is used and shared. You should also review any contracts or agreements with third parties involving the collection, use, or sharing of personal information. Ensure your privacy policies and notices are up-to-date and compliant with the requirements of the CPRA.

3. Designate a data controller

Designate a contact person or team to handle CPRA-related requests from consumers. This could be a privacy officer or a customer service team with the necessary training and resources to handle these requests.

4. Train staff

Train your employees on the CPRA and its requirements. This will help ensure that everyone in your organization is aware of the new law and knows how to handle CPRA-related requests from consumers.

5. Introduce privacy and security measures

Implement procedures for verifying the identity of consumers who make CPRA-related requests. This is important to protect the privacy of consumers and prevent fraud. Additionally, keep thorough records of all CPRA-related requests and how they were handled. This will help you demonstrate compliance with the law and provide evidence in the event of a dispute or investigation.

Consequences for non-compliance

Keep in mind that there can be financial consequences if a business does not comply with the CPRA’s requirements. The penalties scale with the severity of the offense: each infraction carries a $2,000 fine, negligence-based violations are subject to a $2,500 fine per offense, and intentional disregard of the law carries a $7,500 fine per offense.

About the Author

Adil Advani is a digital marketing strategist at Securiti.ai, a company that specializes in AI and machine learning based security solutions. He has an extensive background in business development, marketing, and technology consulting.

Company: Securiti

Website: https://securiti.ai

The SEC Is Expanding Oversight Into Private Companies: What You Need to Know

When most of us think about the Securities and Exchange Commission (SEC), we think about a government agency designed to ensure public companies provide investors with accurate information, that employees who have access to “inside information” don’t trade on it, and that investment professionals don’t exploit, misinform or defraud the average investor on Main Street, USA. We certainly don’t think of the SEC as a means for broadly regulating private companies trying to raise capital, especially during a down economy many think is heading into recession.

President Ronald Reagan famously answered his rhetorical question of what are the nine most terrifying words in the English language as: “I’m from the government, and I’m here to help.” While we can take that notion with a grain of salt, the truth of the matter is that the SEC is one of the most powerful government agencies you may know the least about, and under current leadership, it is seeking a dramatic increase in its oversight, regulatory demands, and enforcement among all American companies, including, more and more, privately held ones.

The Great Depression spawned the SEC

The SEC was created by Congress in the wake of the Great Depression through the passage of the Securities Act of 1933 and the Securities Exchange Act of 1934. In a nutshell, one of the reasons for the stock market crash of 1929 was public companies providing false and misleading information to investors. In order to restore public confidence in the securities markets, Congress created the SEC with a mandate to ensure that companies made truthful statements, and that brokers, dealers, and exchanges treated investors honestly and fairly.

The SEC is considered an independent agency, which means that while it is part of the executive branch, it has regulatory and rulemaking authority outside of presidential control. This is largely because the president’s ability to dismiss the agency head or a commissioner is limited. The SEC can also bring civil enforcement actions seeking injunctions to prevent future violations, civil monetary penalties, and disgorgement of illegal profits. The SEC cannot bring criminal actions, but it does work closely with the Justice Department in support of criminal enforcement of securities violations.

The SEC is also meant to be bipartisan, requiring three of its five commissioners to be from one party and two from the other. Commissioners are appointed by the president and confirmed by the Senate. SEC rules or regulations have the same power as federal law. Other similar independent agencies include the Central Intelligence Agency, the Consumer Financial Protection Bureau, and the Commodity Futures Trading Commission.

Private companies survive and thrive on debt

For privately held companies, small or large, access to debt is one of the key drivers of growth and is critical to effectively running a business. For decades, surveys have identified access to capital as the number one concern of American business owners.

Many private companies would prefer to secure capital through debt instead of equity investments for a couple of reasons. First, most business owners do not want to dilute their ownership in the business they founded or give up management control of the entity unless absolutely necessary. Second, and related, investors do not want to provide equity investments in companies, small or large, that may not scale adequately or quickly enough for a significant return on investment, or in ones where they would have little to no control.

Therefore, private companies often look for debt instruments such as lines of credit or loans from their bank, SBA loans, crowdfunding debt, or issuing debt securities, also known as bonds. It is this last type of debt that the SEC has decided to regulate, without much explanation and without soliciting feedback from the public as it typically does in the rulemaking process.

SEC seeks to regulate private company debt securities

How did the SEC accomplish this feat? They did so by taking a rule that was intended to protect investors trading in the over-the-counter securities market, also known as “pink sheets” or penny stocks, and deciding it also applied to this debt offered by private companies. The rule they used is 15c2-11, which came into effect in 1971 to protect investors from being bullied into purchasing worthless penny stocks from unscrupulous and nefarious cold callers pretending to be stock brokers. You can watch the movies Boiler Room or The Wolf of Wall Street to get a picture of this phenomenon.

In 2020 the SEC decided it needed to update Rule 15c2-11 to correspond with advances in technology that have changed how people invest. Many investors don’t even have landlines anymore to accept cold calls, but are participating in chat rooms on Reddit and other social media sites to make investment decisions—often poor ones. This signaled a need for change.

However, in a surprising move a year later, the SEC staff declared that the requirements of Rule 15c2-11 also applied to privately issued debt instruments, and in December 2021 the SEC affirmed this viewpoint. In addition, the SEC did not follow its typical rulemaking process where it provides time for public comments on the proposed change. On November 30, 2022, the SEC declared that enforcement of the new rule will go into effect in January 2025.

It is important to note that one of the main reasons companies stay private is that they don’t have to disclose their financial information to the public and incur the accounting and legal costs of doing so under SEC regulations. Rule 15c2-11 is an exception to SEC Rule 144A, which exempts private companies from making public financial filings like those companies that are publicly traded. Debt securities issued by private companies under Rule 144A can generally only be purchased by qualified institutional buyers (QIBs), which are institutions with over $100 million in assets under management.

The average investor on the street cannot purchase these securities. QIBs can request financial information from companies issuing this debt, but they are not forced to disclose it to the public at large. In addition, there is currently no proposed rule change to allow retail investors to purchase this debt. So, instead of following its mandate to protect investors, by changing this rule, the SEC could cause a chilling effect on private companies accessing capital during a volatile time in our economy.

Is the SEC overstepping its authority?

Whether you own a privately held business, work for a public company, or invest in the securities markets, you should be aware of the role the SEC plays in regulating these fundamental aspects of our economy, which is the strongest in the world.

The SEC is critical to transparent and fair markets, but that doesn’t mean it should overstep its authority. Certainly, placing the same disclosure requirements and regulatory burdens on private companies as on public ones is one area that should be monitored closely.