By Adil Advani
If you run a business, it’s essential to be aware of and comply with all relevant regulations. One such regulation is the California Privacy Rights Act (
CPRA) which was approved by California voters in November 2020 and went into effect on January 1, 2023. The CPRA builds on the California Consumer Privacy Act (CCPA), which became law in 2018, and provides additional rights for California consumers regarding the collection of their personal information and how it is collected, used, and shared by businesses.
Understanding the CPRA
The CPRA applies to companies that do business in California and meet certain criteria, including having gross annual revenues over $25 million, collecting personal information from more than 100,000 consumers or households, or deriving 50% or more of their annual revenues from selling consumers’ personal information.
Personal information is defined as any information that relates to, or could reasonably be linked to, a particular consumer or household. This includes names, addresses, email addresses, IP addresses, and more sensitive information like biometric data and personal financial information.
Some of the fundamental rights that the CPRA gives to California consumers include:
- The right to know what personal information a business has collected about them
- The right to request that a business delete the consumer’s personal information
- The right to opt-out of the sale of their personal information
- The right to opt-out of automated conclusions, such as profiling for targeted behavioral advertising
- The right to know how automated decision technologies work and their likely outcomes
- The right to correction in the event the personal information is incorrect
- The right to limit the use of a consumer’s sensitive personal information
- The right to data portability where an organization share data with other entities
- The right to notify minors if the business intends to sell or share their personal data
Ensuring your business is compliant
1. Make a plan
It’s essential to have a plan in place for how your business will handle requests from California consumers, including who will be responsible for responding to them and how long it will take to respond. The CPRA mandates that these requests must be addressed within ten days and processed within 45 days.
2. Review and update your privacy policies and notices
The CPRA requires businesses to provide clear and conspicuous notice to consumers about their rights under the law, as well as information about the personal information the business collects and how it is used. This means taking a close look at the personal information that your business collects, how it is collected, and how it is used and shared. You should also review any contracts or agreements with third parties involving the collection, use, or sharing of personal information. Ensure your privacy policies and notices are up-to-date and compliant with the requirements of the CPRA.
3. Designate a data controller
Designate a contact person or team to handle CPRA-related requests from consumers. This could be a privacy officer or a
customer service team with the necessary training and resources to handle these requests.
4. Train staff
Train your employees on the CPRA and its requirements. This will help ensure that everyone in your organization is aware of the new law and knows how to handle CPRA-related requests from consumers.
5. Introduce privacy and security measures
Implement procedures for verifying the identity of consumers who make CPRA-related requests. This is important to protect the privacy of consumers and prevent fraud. Additionally, keep thorough records of all CPRA-related requests and how they were handled. This will help you demonstrate compliance with the law and provide evidence in the event of a dispute or investigation.
Consequences for non-compliance
Keep in mind that there can be financial consequences if a business is not complying with CPRA’s requirements. The severity of the offenses determines the penalties for violations, where each infraction carries a $2,000 fine, negligence-based errors are subject to a $2,500 fine per offense, and intentional disregard of the law carries a $7,500 fine per offense.
