The California Privacy Rights Act (CPRA) went into effect on January 1, 2023, expanding the consumer protections offered by the California Consumer Privacy Act (CCPA).
Enforcement of the CPRA will not begin until July 1 and applies only to violations occurring on or after that date, so companies have six months to comply with the new law.
Whether a company needs to create new privacy or security programs or update existing ones, there are several main steps to follow to achieve compliance.
If a company was subject to the CCPA, it is likely to be subject to the CPRA as well.
The Act expanded the definition of a business to include any for-profit entity doing business in California that collects personal information from consumers in California and had annual gross revenue of more than $25 million in the preceding year; buys, sells or shares personal data of 100,000 California consumers or households; or derives 50% or more of its annual income from the sale or sharing of information.
The CPRA expanded the number of organizations subject to the CCPA to include all companies that share data.
In addition, the CPRA now also covers third-party service providers, contractors, and organizations that process, hold, or receive consumer personal information in California on behalf of a business, pursuant to the statute.
Evaluate the personal data collected
The CPRA increases burdens on companies to minimize data and limit uses. Accordingly, companies must evaluate the types of personal data they collect and determine how they use, share and store that data to achieve business purposes.
Only personal data that is reasonably necessary and proportionate for the stated business purposes should be collected, processed and stored. If a company collects sensitive personal information, such as Social Security numbers, bank account numbers and passwords, or precise geolocation data, the CPRA adds further requirements on its use.
The new CPRA requirements also require businesses to update their privacy policies by requiring the identification of the categories of third parties to whom information is disclosed and/or sold, the business purposes for collecting and/or selling personal information, and the categories of sources from which personal information is collected.
Businesses must now also notify California consumers of their additional rights under the CPRA, including the right to correct inaccurate personal information, the right to limit the use and/or disclosure of sensitive personal information, the right to information about the business's data retention practices, and the right to opt out of the use of automated decision-making technology. Such technology involves the automated processing of personal data to assess or predict aspects of a consumer's job performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Consumer Notice Update
The CPRA also subjects businesses to new notification requirements, including notifying California consumers of the categories of personal information collected, the purposes for which that personal information is collected and/or used, whether personal information is sold and/or shared, and how long the company retains consumer personal information.
Update internal rules
Additional obligations imposed by the CPRA require increased communication between businesses and consumers, primarily in connection with consumers exercising their new rights.
Companies should also prepare to establish internal processes to forward these requests to service providers, contractors and other third parties with whom the company has shared personal information.
Additionally, given the CPRA’s goal of data minimization and purpose limitation, businesses will likely need to develop more detailed data retention policies.
They should specify the purpose for which personal data is collected and the period of time for which it is kept, and identify the scope associated with the collection and use of such data that is proportionate to the purpose for which it was collected.
Finally, the CPRA imposes new obligations on companies to conduct privacy and data protection impact assessments. This will require companies to inventory the personal data they collect, identify the systems used to collect and store that information, and address any data protection risks in order to keep that information protected.
Establishing a documented process for evaluating privacy programs and practices is critical when responding to requests from the California Privacy Protection Agency and the California Attorney General, as well as other audits.
The CPRA requires updating contract templates and existing contracts with service providers and contractors. In addition, it now also requires written agreements with third parties.
Update websites and backend systems
In addition to implementing CPRA-compliant service provider agreements with each provider of cookies, tags, and tracking technologies used on a website, the website should also honor a Global Privacy Control signal, a browser setting that communicates a user's privacy preferences and opt-out-of-sale requests to websites.
The requirements of the new CPRA are extensive, but by following the steps above, a company can ensure compliance with the new law.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Information about the author
Simran Mahal, an active litigator at Hanson Blodgett and a Certified Information Privacy Professional (CIPP/US), focuses her practice on litigation and dispute resolution for public agencies and companies.