California Privacy Rights Act (CPRA) Compliance Checklist
The California Privacy Rights Act (CPRA) amends and expands the California Consumer Privacy Act (CCPA) and is often described as California's counterpart to the European Union's General Data Protection Regulation (GDPR). Its principal purpose is to ensure that businesses handling California consumers' personal information take appropriate measures to protect the privacy and integrity of that data.
It also requires businesses to change several of their standard practices so that consumers are properly informed about what personal information is collected about them and what rights they have over it.
CPRA compliance must therefore take the front seat for any business that serves California consumers. The following checklist is intended to help companies decide what direction to take.
Does The CPRA Impact Your Business?
The first step toward CPRA compliance is knowing whether your business falls within the CPRA's scope. Unlike the GDPR, which applies to for-profit and nonprofit entities alike, including government bodies, the CPRA regulates only the data collection, storage, processing and sharing practices of for-profit businesses that do business in California. A for-profit business doing business in California must comply with the CPRA if it meets any one of the following criteria:
- It annually buys, sells, or shares the personal information of 100,000 or more consumers or households;
- It has annual gross revenue of more than $25 million (a threshold the CPRA adjusts for inflation);
- It derives 50% or more of its annual revenue from selling or sharing consumers' personal information.
CPRA Compliance Checklist
If a business meets any of the criteria above, it should begin planning to meet the CPRA's requirements as soon as possible. Here is a rundown of things to get started on:
Conduct a Thorough Gap Analysis
Figuring out where to start can be tough, so the wise first move is a thorough gap analysis of your current data practices. Once it is done, you will know what data you currently collect, store and use, whether those practices already satisfy the law, and, most importantly, how drastically the company needs to change them.
A gap analysis gives you a framework to work from. Make sure the personnel in charge of it have an in-depth understanding of both the CPRA's requirements and the company's own data collection, processing and protection practices.
The privacy notice itself also needs updating. Most importantly, it must state whether the business collects any sensitive personal information (SPI) about its users. The CPRA's definition of SPI includes, among other categories, social security, driver's license and passport numbers, financial account and payment card credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, health data, genetic data, biometric information processed to identify a person, and sex life or sexual orientation. By spelling out these categories, the CPRA obliges businesses to be transparent with users whenever they collect any of them. The updated notice must also tell consumers:
- How to request more information on how a business collected their data
- Whom their data is shared with
- How long this data is retained
- How customers can request deletion of their data
- How customers can request correction of data
- How customers can request disclosure of information shared or sold to other parties
- How customers can request to opt-out of having their data collected, shared, or sold
Lastly, a business must offer at least two methods through which consumers can exercise the rights above, such as a toll-free number and an email address; a business that operates exclusively online and has a direct relationship with the consumer may instead provide only an email address.
Under the CPRA, the consumer has a right to know exactly what information the business has collected about them, including:
- Personal information categories collected on the consumer
- Personal information categories collected on the consumer shared or sold to any third party
- The personal information categories collected on the consumer that was disclosed to any third party for a business purpose
A business need only respond to a request to know once it has received a verifiable consumer request (VCR). It is the business's responsibility to offer at least two methods for submitting a VCR, such as a toll-free number and an email channel.
A business must respond to a legitimate request within 45 days; a further 45 days is allowed where necessary, provided the consumer is told about the extension within the first 45 days. The response must cover at least the 12 months preceding the request; under the CPRA a consumer may also ask for information collected on or after January 1, 2022 that falls outside that window, unless providing it would be impossible or would involve disproportionate effort. The response is delivered by mail or email, whichever the consumer chooses.
Educating users also means giving any consumer an easy way to request access to, correction of, or deletion of the data collected about them, including SPI. The best practice here is to embed a data subject request (DSR) form on your website, which makes it convenient for users to submit any request relating to their data.
In addition, data handlers should set up a verification process for data subjects so that only the right person gains access to their data when a DSR is filed. The strength of that verification should match the sensitivity of the data involved: a request for specific pieces of personal information warrants a higher degree of certainty about the requester's identity than a request for the categories of information collected.
Consent from Minors
Another key facet that differentiates the CPRA from the CCPA is that a violation involving the personal information of a minor carries a $7,500 penalty per violation regardless of whether it was intentional. Businesses therefore need mechanisms that obtain opt-in consent before selling or sharing the personal information of any consumer under 16: the consumer's own affirmative consent for those aged 13 to 15, and a parent's or guardian's consent for children under 13. Moreover, once a consumer has declined, a business must wait at least 12 months before asking for that consent again.
Typical mechanisms include collecting a parent or guardian's email address so that proper consent can be obtained for children under 13.
Opt-In and Opt-Out Information
Unlike the GDPR, which follows an opt-in approach where a business must obtain a user's consent before processing their data, the CPRA follows an opt-out model where the onus is on the consumer to request that their data not be sold, shared, or forwarded to other parties.
However, the CPRA does require data handlers to make opting out easy: a business must display clear and conspicuous “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links on its website homepage (or a single alternative opt-out link that serves both purposes), and must honor the choice a consumer makes through them.
Additionally, it is advisable to have a visible opt-out banner on the homepage, along with dedicated resources on the website that educate consumers on the difference between opt-in and opt-out, how the data collected on them is used, and, most importantly, how to opt out of having their data sold, shared, or forwarded to other parties.
Data governance and security are arguably the most important part of CPRA compliance, because they are the most volatile. Make sure that all data collected on users is properly stored, backed up, and encrypted, whether on the company's own premises or in any remote location such as a data lake, hybrid or multi-cloud environment. All data handlers must maintain proper data maps, records, and inventories of the data they collect. Other practices that make up a good data governance regime include the following:
- Data Minimization — Data minimization is a key principle entrenched in almost all data protection regulations. Organizations must collect only the data that is reasonably necessary and proportionate to the purposes for which it is collected.
- Purpose Limitation — Personal information should be used only for the purposes disclosed to the user in the notice at collection. Any materially different purpose requires a new notice to the user before the information is used that way.
- Storage Limitation — Even when data is collected with proper notice and for a legitimate purpose, an organisation cannot hold onto it indefinitely. It must tell the user, at collection, how long it plans to retain each category of data (or the criteria used to determine that period) and have deletion policies that actually enforce those retention limits.
Follow-up steps differ from regulation to regulation, so an organisation must ensure its data storage practices comply with the statutes it is subject to.
Obligations When Sharing PI with Service Providers or Contractors
A business's responsibility for its users' data does not end with itself. Under the CPRA, any other party with whom consumers' personal information is shared or to whom it is sold is subject to obligations and restrictions as well.
The CPRA defines a “contractor” as a person or entity to which a business makes consumers' personal information available for a business purpose under a written contract. That contract must bar the contractor from:
- Selling or sharing the consumers’ personal information
- Retaining, disclosing, or using the consumers’ personal information for any other reason than the one agreed upon in the contract
- Retaining, disclosing, or using the consumers’ personal information outside of the direct business relationship established under this agreement
- Combining the consumers’ personal information received as a result of the agreement with any other personal information it might have for a business purpose
The CPRA defines a “service provider” as a person or entity that processes personal information on behalf of the business for a business purpose under a written contract. As with a contractor, the CPRA prohibits service providers from:
- Selling or sharing the users’ data
- Retaining, disclosing, or using the users’ data for any other reason than the one agreed upon in the contract
- Retaining, disclosing, or using the users’ data outside of the direct business relationship established under this agreement
- Combining the users’ data received as a result of the agreement with any other data it might have for a business purpose
The CPRA defines a “third party” as anyone to whom consumers' personal information may be sold or with whom it may be shared and who is not one of the following:
- A service provider
- A contractor
- A business with whom the user initially interacted in order for their data to be collected
Even a sale or sharing to a third party must be covered by a contract that requires the third party to comply with the CPRA and to provide the same level of privacy protection the CPRA demands of the business itself.
The CPRA comes into effect on January 1, 2023, with enforcement beginning July 1, 2023. Businesses have until then to audit their current practices, build a framework that adheres to the CPRA's data protection requirements, train their staff accordingly, and rethink how they handle their customers' data. It would not be wrong to say that this presents a significant challenge for all corporations.
Securiti is a market leader in AI-driven data privacy and compliance software. Using robotic automation, artificial intelligence, and machine learning, it automates most of an organization's compliance tasks at the click of a single button. To learn more about how Securiti and its privacy compliance tools can help your business, request a demo today.