Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

CPRA Privacy Policy : Important Bits to Know

Download: CPRA Decision-Making Guide
Contributors

Anas Baig

Product Marketing Manager at Securiti

Omer Imran Malik

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US

Listen to the content

California was the first state in the United States to have its very own data protection regulation thanks to the California Consumer Protection Act (CCPA). This regulation was amended by the California Privacy Rights Act (CPRA) in January 2023.

One of the critical obligations that the CPRA places on subject organizations is transparency related to their data collection and processing practices, especially in their interaction with the  users. The privacy policy page is the most effective and efficient way of meeting this obligation.

If created, deployed, and managed properly, a website's privacy policy webpage can help a business ensure CPRA compliance, thereby increasing the likelihood of users consenting to data collection.

Read to learn more about when a business is expected to have a CPRA-compliant privacy policy page, what content such a page should include, and the best way to deploy it on its website.

Does the CPRA Apply to Your Business?

The CPRA has clear guidelines related to its application/ scope. A legal entity that does business in California for profit is subject to CPRA if it:

  1. Collects consumers' personal information, or on behalf of which such information is collected;
  2. Alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information; and
  3. Meets one or more of the following conditions:
    1. Annual gross revenues in excess of $25,000,000;
    2. Annually buys, sells, or shares the personal information of 100,000 or more consumers or households; and/or
    3. Derives 50% or more of its annual revenues from selling or sharing consumers' personal information.

If a business is subject to the CPRA as per the above criteria, it must have a fully compliant privacy policy on its website. This policy should communicate its data collection, usage, and sharing practices and outline the various consumer rights that users are entitled to.

CPRA Requirements and Impact on Privacy Policy?

The CPRA amends the CCPA. In most cases, businesses subject to the CPRA will already have a CCPA-compliant privacy policy. By making slight changes and adjustments, organizations can ensure the privacy policy on their website is CPRA-compliant.

The most crucial change is considering a concept known as "sensitive personal information." According to the CPRA, sensitive personal information includes the following:

  • Geolocation;
  • Social security number;
  • Passport number;
  • Debit/credit card information;
  • Racial or ethnic origin;
  • Religious or philosophical beliefs;
  • Sexual orientation;
  • Union membership;
  • Genetic information;
  • Biometric information;
  • State identification card;
  • Health-related Information.

As a result, organizations are legally obligated to ensure transparency, whether their data collection practices collect any of the aforementioned information.

Similarly, the privacy policy must contain detailed information on how the consumers can launch a "verifiable consumer request," exercising their consumer data rights. These consumer rights include the following:

  • Right to Correct
  • Right to Access
  • Right to Know
  • Right to Deletion
  • Right to Opt-Out of Personal Information Sharing
  • Right to Opt-Out of Automated Decision-Making
  • Right to Data Portability
  • Right to Limit the Use and Disclosure of Sensitive Personal Information

Lastly, the privacy policy must contain detailed information about the website's data retention periods. Suppose a business cannot accurately determine how long it intends to retain a consumer's personal information. In that case, it must have developed criteria to demonstrate how it determines its data retention periods.

In any case, it is advisable not to retain the information for a period longer than is reasonably necessary for a specific purpose disclosed to the consumer.

People Also Ask

Here are some other commonly asked questions organizations have about CPRA privacy policy:

1. Where to display the Privacy Policy under CPRA?

As per the CPRA, organizations must inform the users "at or before the point of collection" about how their collected information will be used and stored. Hence, organizations may opt for dedicated webpages for the Privacy Policy on their website's homepage detailing their data processing and collection practices. The link to this webpage must be clearly visible in either the header or footer of all the website's web pages.

2. Can I write my own privacy policy?

Of course. However, it would be a highly unwise decision since a privacy policy should dynamically represent your data collection and processing practices. These practices are changing frequently. Hence, you'd be required to manually make these changes when there's a change. More importantly, this increases the likelihood of your privacy policy needing to be compliant. An automated solution that gives you clarity and insight into what information to communicate to users and allows for proactive changes that guarantee compliance and greater efficiency.

3. How to get users to agree to the Privacy Policy?

There's no secret to getting users to agree to any website's privacy policy. The privacy policy's primary purpose is to communicate the website's data collection practices as clearly and transparently as possible. Afterward, it is up to the users whether they feel comfortable with these practices and consent to allow the website to collect their data.

How Does Securiti Help?

As explained earlier, privacy policy obligations may appear fairly straightforward, but only if done correctly. OpenAI's regulatory issues are an open testament to that.

Securiti is a global leader in data security, privacy, governance, and compliance solutions.

Thanks to its Data Command Center™, organizations can monitor and ensure regulatory compliance across various obligations such as access controls, DSR requests, consent, data lineage, privacy notice management, and several other relevant use cases.

In this particular case, the Privacy Notice Management module allows for proactive edits and upgrades to your privacy policy based on any changes in the regulation or your data practices.

Moreover, the centralized portal gives unprecedented clarity and insights into all your deployed policies across multiple jurisdictions in real-time to ensure any necessary actions and revisions to your practices can be made proactively for greater efficiency and compliance.

Request a demo today and learn more about how Securiti can help your organization comply with the CPRA Privacy Policy requirements.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share


More Stories that May Interest You

Videos

View More

Mitigating OWASP Top 10 for LLM Applications 2025

Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...

View More

DSPM vs. CSPM – What’s the Difference?

While the cloud has offered the world immense growth opportunities, it has also introduced unprecedented challenges and risks. Solutions like Cloud Security Posture Management...

View More

Top 6 DSPM Use Cases

With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...

View More

Colorado Privacy Act (CPA)

What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...

View More

Securiti for Copilot in SaaS

Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...

View More

Top 10 Considerations for Safely Using Unstructured Data with GenAI

A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....

View More

Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes

As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...

View More

Navigating CPRA: Key Insights for Businesses

What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...

View More

Navigating the Shift: Transitioning to PCI DSS v4.0

What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...

View More

Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)

AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...

Spotlight Talks

Spotlight 12:!3

You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge

Watch Now View
Spotlight 47:42

Cybersecurity – Where Leaders are Buying, Building, and Partnering

Rehan Jalil
Watch Now View
Spotlight 27:29

Building Safe AI with Databricks and Gencore

Rehan Jalil
Watch Now View
Spotlight 46:02

Building Safe Enterprise AI: A Practical Roadmap

Watch Now View
Spotlight 13:32

Ensuring Solid Governance Is Like Squeezing Jello

Watch Now View
Spotlight 40:46

Securing Embedded AI: Accelerate SaaS AI Copilot Adoption Safely

Watch Now View
Spotlight 10:05

Unstructured Data: Analytics Goldmine or a Governance Minefield?

Viral Kamdar
Watch Now View
Spotlight 21:30

Companies Cannot Grow If CISOs Don’t Allow Experimentation

Watch Now View
Spotlight 2:48

Unlocking Gen AI For Enterprise With Rehan Jalil

Rehan Jalil
Watch Now View
Spotlight 13:35

The Better Organized We’re from the Beginning, the Easier it is to Use Data

Watch Now View

Latest

View More

Accelerating Safe Enterprise AI: Securiti’s Gencore AI with Databricks and Anthropic Claude

Securiti AI collaborates with the largest firms in the world who are racing to adopt and deploy safe generative AI systems, leveraging their own...

View More

CAIO’s Guide to Building Safe Knowledge Agents

AI is rapidly moving from test cases to real-world implementation like internal knowledge agents and customer service chatbots, and a PwC report predicts 2025...

View More

What are Data Security Controls & Its Types

Learn what are data security controls, the types of data security controls, best practices for implementing them, and how Securiti can help.

View More

What is cloud Security? – Definition

Discover the ins and outs of cloud security, what it is, how it works, risks and challenges, benefits, tips to secure the cloud, and...

2025 Privacy Law Updates: Key Developments You Need to Know View More

2025 Privacy Law Updates: Key Developments You Need to Know

Download the whitepaper to discover privacy law updates in 2025 and the key developments you need to know. Learn how Securiti helps ensure swift...

View More

Verifiable Parental Consent Requirements Under Global Privacy Laws

Download the whitepaper to learn about verifiable parental consent requirements under global privacy laws and simplify your compliance journey.

Navigating Kenya’s Data Protection Act View More

Navigating Kenya’s Data Protection Act: What Organizations Need To Know

Download the infographic to discover key details about navigating Kenya’s Data Protection Act and simplify your compliance journey.

India’s Telecom Security & Privacy Regulations View More

India’s Telecom Security & Privacy Regulations: A High-Level Overview

Download the infographic to gain a high-level overview of India’s telecom security and privacy regulations. Learn how Securiti helps ensure swift compliance.

Gencore AI and Amazon Bedrock View More

Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock

Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...

DSPM Vendor Due Diligence View More

DSPM Vendor Due Diligence

DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...

What's
New