



The California Privacy Rights Act (CPRA) took effect on 1 January 2023, and its lookback period reaches back to 1 January 2022, so personal information collected on or after that date is already subject to it. If you are not compliant by now, it is time to get on the right side of the law: the California Privacy Protection Agency (CPPA) and the California Attorney General can pursue violations involving the data you are processing today.
But before we get into the CPRA compliance checklist, we need to figure out if the CPRA applies to you.
The CPRA applies only to for-profit businesses that do business in California and meet at least one of the statutory thresholds.
A business does business in California if it operates from there or offers products and services to California residents. However, not every such business needs to comply with California's data privacy laws.
They also need to meet at least one of the following thresholds:
Your CPRA compliance checklist depends on your business’s CPRA requirements as well as your business’s specifics. Some of the requirements apply only if you do certain activities. For example, you must only present users with opt-out links if you share or sell consumers’ personal information.
The CPRA is the first US state data protection law to introduce the data minimization principle: you may collect and process only the personal information that is necessary to fulfill your disclosed processing purposes, and no more.
You need to provide multiple privacy notices to your consumers, the most important of which must be provided at the moment of data collection. It must include the following:
Other notices include the notice of the right to opt out of the sale or sharing of personal information, the notice of the right to limit the use of sensitive personal information, and the notice of financial incentives.
The CPRA introduces new consumer rights and some new general duties for businesses, and these have to be reflected in your privacy policy. CPRA and CCPA privacy policy requirements are very similar, yet you may need to make some tweaks to accommodate the new CPRA requirements. Make sure you do.
The purpose limitation principle in the CPRA requires that the personal information you collect and use be reasonably necessary and proportionate to the purposes for which you collected it. You should not process data that doesn't fit the purpose. For example, you cannot collect and process phone numbers when you only need email addresses.
You have collected and processed some personal information for the purposes you have listed in your CPRA privacy policy. Now you want to process the same data for a new purpose. You must obtain consumers’ consent before processing the data.
You may keep personal information only for as long as it is reasonably necessary for the purposes you disclosed; once you no longer need it, you have to delete it. Establishing a data retention policy is an excellent first step toward compliance with the retention requirements of the CPRA (CPRA Full Text Summary). In the policy, list each category of personal information you process, the purpose for processing it, and how long you plan to store it before removing it from your systems.
CPRA obliges businesses to ensure that their service providers process personal information within the boundaries set by the law. That’s why, in your written agreements with them, you must:
Risk assessments and cybersecurity audits are measures for avoiding data breaches. They point out the vulnerabilities in your systems and inform your decision-making on data security.
You can start with a data mapping exercise to determine how personal information flows within your organization and where the risks are. Once you know your risks, you can protect the data better and reduce the chance of a privacy incident.
Consumers have the right to know, access, correct, and delete their data, to obtain a portable copy of it, and to opt out. You must honor their requests within the CPRA deadlines, which is straightforward if you have proper procedures in place.
If you are already compliant with the CCPA, you may have some procedures in place already. But the CPRA gave consumers new rights, so make sure that your internal policies and procedures also cover them.
Ensure that your procedures include methods for receiving requests as well as methods for verifying the requester's identity. Confirming the requester’s identity is essential to avoid disclosing personal information to an unauthorized person.
You can read more about responding to CPRA consumer requests here.
Consumers have their rights, and you are obliged to comply with them. Do not retaliate against those who exercise their rights. The CPRA explicitly forbids it.
If you sell consumers' personal information or share it with third parties, you must provide a "Do Not Sell or Share My Personal Information" link. That link must allow consumers to opt out of the sale or sharing of their data.
If you process, or disclose to third parties, consumers' sensitive personal information, such as biometric data, health data, precise geolocation, social security numbers, driver's license numbers, and similar data, you must allow consumers to limit your use of that information.
The CPRA requires you to do this by giving customers a link that says "Limit the Use of My Sensitive Personal Information." This link should take them to a page where they can change how you use their information.
Instead of posting separate links for opting out of the sale and sharing of personal information and limiting the use of sensitive data, the CCPA and CPRA allow you to post a single alternative opt-out link named "Your California Privacy Choices".
Clicking the link must take the consumer to a page where they can learn about their privacy options, make up their minds, and choose what is best for them.
A Global Privacy Control (GPC) signal is considered a valid request to opt out of the sale or sharing of personal information, and CCPA- and CPRA-compliant businesses must honor it. Browsers and extensions that support GPC send the signal as the `Sec-GPC: 1` HTTP request header and expose it to page scripts as `navigator.globalPrivacyControl`.
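The following is an added example, not code from the original article, showing how a server can honor the GPC signal described above. It assumes the behavior defined by the GPC specification: the request header is `Sec-GPC` and only the exact value `1` is an opt-out; any other value or a missing header is not. The helper names (`gpc_opt_out_requested`, `apply_privacy_choices`, `gpc_well_known_document`) and the shape of the stored choices dictionary are this example's own, not a library API.

```python
"""Honor Global Privacy Control (GPC) opt-out signals on incoming requests.

Added example, not part of the original article. Per the GPC spec a
supporting browser or extension sends `Sec-GPC: 1` on every request;
the value must be exactly "1" to count as an opt-out of sale/sharing.
Function names and the stored-choices layout are this example's own
(assumed), not a library API.
"""
import json


def gpc_opt_out_requested(headers: dict) -> bool:
    """Return True only for a well-formed GPC signal (`Sec-GPC: 1`).

    HTTP header names are case-insensitive, so compare case-insensitively.
    Values such as "0", "true" or "yes" are NOT valid opt-out signals.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_privacy_choices(headers: dict, stored_choices: dict) -> dict:
    """Merge the GPC signal from this request into the consumer's choices.

    A GPC signal is treated as a request to opt out of sale and sharing.
    The signal can only add an opt-out; it never re-enables sale or sharing,
    so a choice recorded earlier (e.g. via the opt-out link) stays in force
    when a later request carries no header.
    """
    choices = dict(stored_choices)  # do not mutate the caller's record
    if gpc_opt_out_requested(headers) and not choices.get("sale_sharing_opt_out"):
        choices["sale_sharing_opt_out"] = True
        choices["source"] = "gpc"
    return choices


def gpc_well_known_document(last_update: str) -> dict:
    """Body for /.well-known/gpc.json, announcing that this site honors GPC.

    `last_update` is an ISO 8601 date string (assumed to be supplied by the
    caller, e.g. "2023-01-01").
    """
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    signalled = {"Host": "example.com", "Sec-GPC": "1"}
    unsignalled = {"Host": "example.com"}
    malformed = {"Host": "example.com", "sec-gpc": "true"}

    print(apply_privacy_choices(signalled, {}))          # opt-out recorded, source gpc
    print(apply_privacy_choices(malformed, {}))          # no change: value is not "1"
    print(apply_privacy_choices(unsignalled,
                                {"sale_sharing_opt_out": True, "source": "link"}))
    print(json.dumps(gpc_well_known_document("2023-01-01")))
```

Check the header on every request rather than only at login, since the signal can appear mid-session; and log the `source` so you can show, if asked, why a given consumer's sale/sharing was turned off.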
You may enroll consumers in financial incentive programs, such as rewards and loyalty programs, only with their opt-in consent. If they decline, wait at least 12 months before asking them to opt in again.
Collecting children’s personal information requires obtaining consent from the child's parents. The consent must be explicit, freely given, informed, and unambiguous. You must not share or sell such information without consent.
Finally, ensure that all your personnel are educated about the CPRA requirements to ensure that they won’t get your business into trouble with the California Attorney General and the CPPA.
California Consumer Privacy Act (CCPA) and CPRA requirements are similar and will become even more aligned as the CPPA adopts new CPRA regulations. Consequently, compliance with the CCPA and with the CPRA takes similar effort, and in many cases compliance with one will lead to compliance with the other. It may also bring you close to alignment with the new consumer privacy laws of other US states, such as Utah, Virginia, Colorado, and Connecticut. All of them have passed new laws, and if you operate across the United States, you have to consider their provisions.
In contrast to these, the European General Data Protection Regulation (GDPR) has different and stricter rules.