In today’s world, it’s crucial for businesses to comply with the relevant regulations. One such regulation that every business needs to be aware of is the California Privacy Rights Act (CPRA), which was endorsed by California voters in November 2020 and went into effect on January 1, 2023. The CPRA builds on the California Consumer Privacy Act (CCPA) and provides additional rights for California consumers concerning how businesses collect, use and share their personal information.
Businesses that operate in California and meet certain criteria, such as having gross annual revenues over $25 million or collecting personal information from more than 100,000 consumers, need to comply with the CPRA. Personal information is defined as any information that relates to or can be linked to a particular consumer or household, including sensitive information such as biometric data and personal financial information.
Under the CPRA, California consumers have several fundamental rights that enable them to safeguard their personal information. These include the right to know what personal information a business has collected about them, the right to request the deletion of their data, the right to opt out of the sale of their information, and the right to limit the use of their sensitive information, among others.
To ensure your business is complying with the CPRA, there are several actions you can take. Firstly, it’s essential to plan how to handle requests from California consumers, including who will be responsible for responding to them and how long it will take to respond. A response should be sent within 10 days of receiving a request, and the request should be processed within 45 days of receiving it.
Secondly, businesses should review and update their privacy policies and notices to comply with the CPRA requirements. Privacy policies and notices should provide clear and conspicuous notice to consumers about their rights under the law, as well as how their personal information is collected, used, and shared.
Thirdly, designate a contact person or team to handle CPRA-related requests from consumers, such as a privacy officer or customer service team with the necessary training and resources to handle these requests.
Fourthly, train your employees on the CPRA and its requirements to ensure that everyone in your organization is aware of the new law and knows how to handle requests from consumers.
Finally, implement procedures for verifying the identity of consumers who make CPRA-related requests, as this is crucial in protecting the privacy of consumers and preventing fraud. Keep thorough records of all CPRA-related requests and how they were handled to demonstrate compliance with the law and provide evidence in the event of an investigation.
Non-compliance with the CPRA can lead to significant financial penalties, ranging from $2,000 for each infraction to $7,500 for intentional disregard of the law. Therefore, it is crucial for businesses to exercise due care and ensure they comply with the CPRA to avoid these penalties.
In conclusion, businesses need to be aware of the CPRA regulations and ensure they comply with them. By following the above steps, businesses can ensure that they are safeguarding the privacy of their consumers and complying with the law, thereby avoiding potential financial penalties.