

California Privacy Rights Act (CPRA) Compliance Checklist

Published July 7, 2022 / Updated November 22, 2023


The California Privacy Rights Act (CPRA) is California’s equivalent of the European Union’s General Data Protection Regulation (GDPR). Its principal purpose is to ensure that businesses dealing with California consumers’ personal information take the appropriate measures to protect the privacy and integrity of their data.

Furthermore, it requires businesses to make several changes to their standard practices to ensure users are properly educated and informed about what personal information is being collected about them and what their rights are in relation to that information.

In view of that, CPRA compliance must take the front seat for businesses still catering to California’s consumers. To make that process easier, the following CPRA compliance checklist will allow companies to decide what direction they must take going forward.


The road towards CPRA compliance is hard but it becomes slightly easier if you have a thorough CPRA compliance checklist to follow. This can include the following:

  • Right to know data collected and purpose.
  • Right to access and alter personal data.
  • Right to delete data.
  • Right to know categories of third parties.
  • Right to consent to collection, sharing & use.
  • Right to opt-out.
  • Right to equal treatment.

Does The CPRA Impact Your Business?

The first step to becoming properly CPRA compliant is to know whether your business falls within the CPRA’s scope. Unlike the GDPR, which applies to both for-profit and nonprofit entities - including government bodies - the CPRA is only meant to regulate data collection, storage, processing, and sharing practices of for-profit businesses doing business in California. Furthermore, a for-profit business conducting business in California would need to be CPRA compliant if it fulfills the following criteria:

  • Buy, sell, or share personal information of 100,000 or more households or consumers;
  • Have an annual gross revenue of more than $25 million;
  • Generate 50% or more of their annual revenues as a result of selling and sharing consumers’ personal information.

CPRA Compliance Checklist

In case a business fulfills the criteria above, it is essential that it begins devising a plan to meet any and all CPRA compliance requirements as soon as possible. Here’s a rundown of things to get started on:

Conduct a Thorough Gap Analysis

Figuring out where to start can be tough. Hence, the wise thing to do would be to conduct a thorough gap analysis of your current data collection practices. Once you’ve done so, you’ll know what kind of data you’re currently collecting, storing, using, and whether these current practices are compliant with the requirements under the law. More importantly, you’ll know how drastically the company needs to alter its current practices.

A gap analysis can provide you with a framework to work with. Make sure the personnel in charge of this analysis have an in-depth understanding of both the CPRA compliance requirements and the company’s own data collection, processing, and protection practices.

Privacy Policy

Updating the website’s privacy policy is the most logical way to get started with CPRA compliance. For data handlers operating in California, and already complying with the CCPA, there are some updates that need to be made to the existing privacy policies.

The most important of these updates is stating whether the data handler collects any sensitive personal information (SPI) on its users. CPRA defines SPI as the consumers’ social security number, driver’s license number, passport number, financial information, racial and ethnic origin, geo-location, health data, religious affiliation, and trade union membership. By going into such details, CPRA has mandated businesses to be transparent with their users if they collect any of this information.

If a business does collect any of this information, the privacy policy should reflect that and educate users on what rights they have with regard to the data being collected. Additionally, it should contain reasonably educational information for the consumer on:

  • How to request more information on how a business collected their data
  • Whom their data is shared with
  • How long this data is retained
  • How customers can request deletion of their data
  • How customers can request correction of data
  • How customers can request disclosure of information shared or sold to other parties
  • How customers can request to opt-out of having their data collected, shared, or sold

Lastly, a business must have a toll-free number and email address for a customer to contact if they ever want to exercise any of the above-mentioned rights.

DSR Fulfillment

As per CPRA, the customer has a right to know exactly what information the business has collected on them. These include information that falls under these criteria:

  • Personal information categories collected on the consumer
  • Personal information categories collected on the consumer shared or sold to any third party
  • The personal information categories collected on the consumer that was disclosed to any third party for a business purpose

A business must only respond to a customer’s request to know about their data once a Verifiable Customer Request (VCR) is made. It is the business's responsibility to create two methods for the customer to submit a VCR. These can include a toll-free number and an email channel.

A business must respond to a legitimate request within 45 days, with a further 45 allowed if necessary, provided the customer is properly informed of this extension within the first 45 days. Afterward, a report covering the previous 12-month period from when the request was made must be sent to the customer via mail or email, depending on the mode the customer chooses.

Educating the users includes establishing an easy and simple way for any customer to request access, change, and deletion of any data collected on them, including SPI. The best practice to follow in this case would be to embed a DSR form on your website as it makes it convenient for users to make any sort of requests related to their data.

Additionally, it is highly advisable that data handlers set up a verification process for data subjects to ensure that only the right person gets access to their data when they file a DSR request.

Another key facet that differentiates CPRA from CCPA is that failure to comply with CPRA requirements in the case of minors can lead to a hefty $7,500 penalty per violation. Hence, businesses should have mechanisms in place that would require special opt-in consent from any consumer below the age of 16 for the sale or sharing of their personal information. Moreover, data handlers are prohibited from requesting consent within 12 months of the previous consent’s refusal.

Typical mechanisms to be used may include requiring an adult’s email to ensure proper consent is given.

Opt-In and Opt-Out Information

Unlike the GDPR, which follows an opt-in approach where a business is required to seek a user’s consent before processing their data, the CPRA follows an opt-out model where the onus is on the customer to request their data not be shared, sold, or forwarded to any other parties.

However, the CPRA does require all data handlers to make opting out easier for all customers, since each page across the website must carry a “Do Not Sell or Share My Personal Information” button and a “Limit the use of my Sensitive Personal Information” button.

Additionally, it is advisable to have a visible opt-out banner on the website’s homepage in addition to dedicated resources on the website educating customers on things such as the difference between opt-in and opt-out, how the data collected on them is used, and most importantly, how to opt-out of having their data shared, sold, or forwarded to any other parties.

Data Governance

This is arguably the most important part of being CPRA compliant as it is the most volatile part. Make sure that all the data collected on users is properly stored, backed up, and encrypted, whether on the company’s own premises or any other remote location such as data lakes, hybrid, or multi-clouds. All data handlers must maintain proper data maps, records, and inventories on the data they collect. Some other practices that make up a good data governance regime include the following:

  • Data Minimization - Data minimization is a key principle entrenched in almost all data protection regulations. Organizations must only collect the absolutely essential data that is required to carry out their functions and tasks.
  • Purpose Limitation - When requesting a user’s consent to collect data, it is vital that the collected data is only ever used for the purpose that was revealed to the user in the consent request. Any change in the purpose for which the personal information is being processed would require a new notice to be sent out to the user.
  • Storage Limitation - Once data is collected with proper consent and for an appropriate reason, an organization cannot hold onto the data indefinitely. An organization must reveal to a user when seeking their consent how long it plans to store this collected data and have appropriate deletion policies for retained data.

Any follow-up steps differ from regulation to regulation. Hence, an organization must ensure its data storage practices are in compliance with the statutes of the regulation they are subject to.

Obligations When Sharing PI with Service Providers or Contractors

A business’ responsibility towards its users’ data does not end with the business itself. Under CPRA, any other parties with whom the consumers’ personal information was shared, or to whom it was sold, will have certain obligations and restrictions placed on them as well.


As per CPRA, a “contractor” is defined as someone that a business shares their users’ data with for a business purpose in the presence of a written formal agreement. This agreement, pursuant to CPRA, shall bar all such contractors from:

  • Selling or sharing the consumers’ personal information
  • Retaining, disclosing, or using the consumers’ personal information for any other reason than the one agreed upon in the contract
  • Retaining, disclosing, or using the consumers’ personal information outside of the direct business relationship established under this agreement
  • Combining the consumers’ personal information received as a result of the agreement with any other personal information it might have for a business purpose

Service Providers

Similar to a contractor, the CPRA defines a “service provider” as someone that might receive the users’ data to perform a business-related task for the business. As with a contractor, the CPRA prohibits service providers from:

  • Selling or sharing the users’ data
  • Retaining, disclosing, or using the users’ data for any other reason than the one agreed upon in the contract
  • Retaining, disclosing, or using the users’ data outside of the direct business relationship established under this agreement
  • Combining the users’ data received as a result of the agreement with any other data it might have for a business purpose


The CPRA defines a “third party” as an umbrella term for anyone with whom the consumer does not intentionally interact and to whom the consumer’s personal information may be shared or sold. They can be anyone apart from the following:

  • A service provider
  • A contractor
  • A business with whom the user initially interacted in order for their data to be collected

As per the CPRA, even third parties must agree to provide the data with protections similar to those under the CPRA for the transfer to be valid.

Final Words

The CPRA will come into effect on January 1, 2023. Businesses have until then to audit their current practices, come up with a new framework that adheres to the CPRA regulation on data protection, train their staff accordingly, and reinvent how they handle their customers’ data. It wouldn’t be wrong to state that this presents a significant challenge for all corporations.

Securiti is a market leader in AI-driven solutions to data privacy and data compliance software. Using robotic automation, artificial intelligence, and machine learning, it automates most of the organizations’ compliance tasks at the click of a single button. To learn more about how Securiti and its several privacy compliance tools can help your business, request a demo today.


Authored by Omer Imran Malik

Omer Imran Malik (CIPP/US, CIPM) is a data privacy and technology lawyer with significant experience in advising governments, technology companies, NGOs and legislative think tanks on data privacy and technology related legal issues and is an expert in modeling legal models for legal technology. He has been a prominent contributor to numerous esteemed publications, including Dawn News and IAPP, and has spoken at the World Ethical Data Forum as well.

His in-depth knowledge and extensive experience in the industry make him a trusted source for cutting-edge insights and information in the ever-evolving world of data privacy, technology and AI related legal developments.
