Securiti launches Gencore AI, a holistic solution to build Safe Enterprise AI with proprietary data - easily

View

CPRA Privacy Policy : Important Bits to Know

Download: CPRA Decision-Making Guide
Contributors

Anas Baig

Product Marketing Manager at Securiti

Omer Imran Malik

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US

Listen to the content

California was the first state in the United States to have its very own data protection regulation thanks to the California Consumer Protection Act (CCPA). This regulation was amended by the California Privacy Rights Act (CPRA) in January 2023.

One of the critical obligations that the CPRA places on subject organizations is transparency related to their data collection and processing practices, especially in their interaction with the  users. The privacy policy page is the most effective and efficient way of meeting this obligation.

If created, deployed, and managed properly, a website's privacy policy webpage can help a business ensure CPRA compliance, thereby increasing the likelihood of users consenting to data collection.

Read to learn more about when a business is expected to have a CPRA-compliant privacy policy page, what content such a page should include, and the best way to deploy it on its website.

Does the CPRA Apply to Your Business?

The CPRA has clear guidelines related to its application/ scope. A legal entity that does business in California for profit is subject to CPRA if it:

  1. Collects consumers' personal information, or on behalf of which such information is collected;
  2. Alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information; and
  3. Meets one or more of the following conditions:
    1. Annual gross revenues in excess of $25,000,000;
    2. Annually buys, sells, or shares the personal information of 100,000 or more consumers or households; and/or
    3. Derives 50% or more of its annual revenues from selling or sharing consumers' personal information.

If a business is subject to the CPRA as per the above criteria, it must have a fully compliant privacy policy on its website. This policy should communicate its data collection, usage, and sharing practices and outline the various consumer rights that users are entitled to.

CPRA Requirements and Impact on Privacy Policy?

The CPRA amends the CCPA. In most cases, businesses subject to the CPRA will already have a CCPA-compliant privacy policy. By making slight changes and adjustments, organizations can ensure the privacy policy on their website is CPRA-compliant.

The most crucial change is considering a concept known as "sensitive personal information." According to the CPRA, sensitive personal information includes the following:

  • Geolocation;
  • Social security number;
  • Passport number;
  • Debit/credit card information;
  • Racial or ethnic origin;
  • Religious or philosophical beliefs;
  • Sexual orientation;
  • Union membership;
  • Genetic information;
  • Biometric information;
  • State identification card;
  • Health-related Information.

As a result, organizations are legally obligated to ensure transparency, whether their data collection practices collect any of the aforementioned information.

Similarly, the privacy policy must contain detailed information on how the consumers can launch a "verifiable consumer request," exercising their consumer data rights. These consumer rights include the following:

  • Right to Correct
  • Right to Access
  • Right to Know
  • Right to Deletion
  • Right to Opt-Out of Personal Information Sharing
  • Right to Opt-Out of Automated Decision-Making
  • Right to Data Portability
  • Right to Limit the Use and Disclosure of Sensitive Personal Information

Lastly, the privacy policy must contain detailed information about the website's data retention periods. Suppose a business cannot accurately determine how long it intends to retain a consumer's personal information. In that case, it must have developed criteria to demonstrate how it determines its data retention periods.

In any case, it is advisable not to retain the information for a period longer than is reasonably necessary for a specific purpose disclosed to the consumer.

People Also Ask

Here are some other commonly asked questions organizations have about CPRA privacy policy:

1. Where to display the Privacy Policy under CPRA?

As per the CPRA, organizations must inform the users "at or before the point of collection" about how their collected information will be used and stored. Hence, organizations may opt for dedicated webpages for the Privacy Policy on their website's homepage detailing their data processing and collection practices. The link to this webpage must be clearly visible in either the header or footer of all the website's web pages.

2. Can I write my own privacy policy?

Of course. However, it would be a highly unwise decision since a privacy policy should dynamically represent your data collection and processing practices. These practices are changing frequently. Hence, you'd be required to manually make these changes when there's a change. More importantly, this increases the likelihood of your privacy policy needing to be compliant. An automated solution that gives you clarity and insight into what information to communicate to users and allows for proactive changes that guarantee compliance and greater efficiency.

3. How to get users to agree to the Privacy Policy?

There's no secret to getting users to agree to any website's privacy policy. The privacy policy's primary purpose is to communicate the website's data collection practices as clearly and transparently as possible. Afterward, it is up to the users whether they feel comfortable with these practices and consent to allow the website to collect their data.

How Does Securiti Help?

As explained earlier, privacy policy obligations may appear fairly straightforward, but only if done correctly. OpenAI's regulatory issues are an open testament to that.

Securiti is a global leader in data security, privacy, governance, and compliance solutions.

Thanks to its Data Command Center™, organizations can monitor and ensure regulatory compliance across various obligations such as access controls, DSR requests, consent, data lineage, privacy notice management, and several other relevant use cases.

In this particular case, the Privacy Notice Management module allows for proactive edits and upgrades to your privacy policy based on any changes in the regulation or your data practices.

Moreover, the centralized portal gives unprecedented clarity and insights into all your deployed policies across multiple jurisdictions in real-time to ensure any necessary actions and revisions to your practices can be made proactively for greater efficiency and compliance.

Request a demo today and learn more about how Securiti can help your organization comply with the CPRA Privacy Policy requirements.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share


More Stories that May Interest You

Videos

View More

Mitigating OWASP Top 10 for LLM Applications 2025

Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...

View More

DSPM vs. CSPM – What’s the Difference?

While the cloud has offered the world immense growth opportunities, it has also introduced unprecedented challenges and risks. Solutions like Cloud Security Posture Management...

View More

Top 6 DSPM Use Cases

With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...

View More

Colorado Privacy Act (CPA)

What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...

View More

Securiti for Copilot in SaaS

Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...

View More

Top 10 Considerations for Safely Using Unstructured Data with GenAI

A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....

View More

Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes

As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...

View More

Navigating CPRA: Key Insights for Businesses

What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...

View More

Navigating the Shift: Transitioning to PCI DSS v4.0

What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...

View More

Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)

AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...

Spotlight Talks

Spotlight 47:42

Cybersecurity – Where Leaders are Buying, Building, and Partnering

Rehan Jalil
Watch Now View
Spotlight 46:02

Building Safe Enterprise AI: A Practical Roadmap

Watch Now View
Spotlight 13:32

Ensuring Solid Governance Is Like Squeezing Jello

Watch Now View
Spotlight 40:46

Securing Embedded AI: Accelerate SaaS AI Copilot Adoption Safely

Watch Now View
Spotlight 10:05

Unstructured Data: Analytics Goldmine or a Governance Minefield?

Viral Kamdar
Watch Now View
Spotlight 21:30

Companies Cannot Grow If CISOs Don’t Allow Experimentation

Watch Now View
Spotlight 2:48

Unlocking Gen AI For Enterprise With Rehan Jalil

Rehan Jalil
Watch Now View
Spotlight 13:35

The Better Organized We’re from the Beginning, the Easier it is to Use Data

Watch Now View
Spotlight 13:11

Securing GenAI: From SaaS Copilots to Enterprise Applications

Rehan Jalil
Watch Now View
Spotlight 47:02

Navigating Emerging Technologies: AI for Security/Security for AI

Rehan Jalil
Watch Now View

Latest

View More

Accelerating Safe Enterprise AI with Gencore Sync & Databricks

We are delighted to announce new capabilities in Gencore AI to support Databricks' Mosaic AI and Delta Tables! This support enables organizations to selectively...

View More

Building Safe, Enterprise-grade AI with Securiti’s Gencore AI and NVIDIA NIM

Businesses are rapidly adopting generative AI (GenAI) to boost efficiency, productivity, innovation, customer service, and growth. However, IT & AI executives—particularly in highly regulated...

Key Differences from DLP & CNAPP View More

Why DSPM is Critical: Key Differences from DLP & CNAPP

Learn about the critical differences between DSPM vs DLP vs CNAPP and why a unified, data-centric approach is an optimal solution for robust data...

DSPM Trends View More

DSPM in 2025: Key Trends Transforming Data Security

DSPM trends in 2025 provides a quick glance at the challenges, risks, and best practices that can help security leaders evolve their data security...

The Future of Privacy View More

The Future of Privacy: Top Emerging Privacy Trends in 2025

Download the whitepaper to gain insights into the top emerging privacy trends in 2025. Analyze trends and embed necessary measures to stay ahead.

View More

Personalization vs. Privacy: Data Privacy Challenges in Retail

Download the whitepaper to learn about the regulatory landscape and enforcement actions in the retail industry, data privacy challenges, practical recommendations, and how Securiti...

Nigeria's DPA View More

Navigating Nigeria’s DPA: A Step-by-Step Compliance Roadmap

Download the infographic to learn how Nigeria's Data Protection Act (DPA) mapping impacts your organization and compliance strategy.

Decoding Data Retention Requirements Across US State Privacy Laws View More

Decoding Data Retention Requirements Across US State Privacy Laws

Download the infographic to explore data retention requirements across US state privacy laws. Understand key retention requirements and noncompliance penalties.

Gencore AI and Amazon Bedrock View More

Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock

Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...

DSPM Vendor Due Diligence View More

DSPM Vendor Due Diligence

DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...

What's
New