California was the first state in the United States to have its very own data protection regulation thanks to the California Consumer Protection Act (CCPA). This regulation was amended by the California Privacy Rights Act (CPRA) in January 2023.
One of the critical obligations that the CPRA places on subject organizations is transparency related to their data collection and processing practices, especially in their interaction with the users. The privacy policy page is the most effective and efficient way of meeting this obligation.
If created, deployed, and managed properly, a website's privacy policy webpage can help a business ensure CPRA compliance, thereby increasing the likelihood of users consenting to data collection.
Read to learn more about when a business is expected to have a CPRA-compliant privacy policy page, what content such a page should include, and the best way to deploy it on its website.
Does the CPRA Apply to Your Business?
The CPRA has clear guidelines related to its application/ scope. A legal entity that does business in California for profit is subject to CPRA if it:
- Collects consumers' personal information, or on behalf of which such information is collected;
- Alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information; and
- Meets one or more of the following conditions:
- Annual gross revenues in excess of $25,000,000;
- Annually buys, sells, or shares the personal information of 100,000 or more consumers or households; and/or
- Derives 50% or more of its annual revenues from selling or sharing consumers' personal information.
If a business is subject to the CPRA as per the above criteria, it must have a fully compliant privacy policy on its website. This policy should communicate its data collection, usage, and sharing practices and outline the various consumer rights that users are entitled to.
CPRA Requirements and Impact on Privacy Policy?
The CPRA amends the CCPA. In most cases, businesses subject to the CPRA will already have a CCPA-compliant privacy policy. By making slight changes and adjustments, organizations can ensure the privacy policy on their website is CPRA-compliant.
The most crucial change is considering a concept known as "sensitive personal information." According to the CPRA, sensitive personal information includes the following:
- Geolocation;
- Social security number;
- Passport number;
- Debit/credit card information;
- Racial or ethnic origin;
- Religious or philosophical beliefs;
- Sexual orientation;
- Union membership;
- Genetic information;
- Biometric information;
- State identification card;
- Health-related Information.
As a result, organizations are legally obligated to ensure transparency, whether their data collection practices collect any of the aforementioned information.
Similarly, the privacy policy must contain detailed information on how the consumers can launch a "verifiable consumer request," exercising their consumer data rights. These consumer rights include the following:
- Right to Correct
- Right to Access
- Right to Know
- Right to Deletion
- Right to Opt-Out of Personal Information Sharing
- Right to Opt-Out of Automated Decision-Making
- Right to Data Portability
- Right to Limit the Use and Disclosure of Sensitive Personal Information
Lastly, the privacy policy must contain detailed information about the website's data retention periods. Suppose a business cannot accurately determine how long it intends to retain a consumer's personal information. In that case, it must have developed criteria to demonstrate how it determines its data retention periods.
In any case, it is advisable not to retain the information for a period longer than is reasonably necessary for a specific purpose disclosed to the consumer.
People Also Ask
Here are some other commonly asked questions organizations have about CPRA privacy policy:
1. Where to display the Privacy Policy under CPRA?
As per the CPRA, organizations must inform the users "at or before the point of collection" about how their collected information will be used and stored. Hence, organizations may opt for dedicated webpages for the Privacy Policy on their website's homepage detailing their data processing and collection practices. The link to this webpage must be clearly visible in either the header or footer of all the website's web pages.
2. Can I write my own privacy policy?
Of course. However, it would be a highly unwise decision since a privacy policy should dynamically represent your data collection and processing practices. These practices are changing frequently. Hence, you'd be required to manually make these changes when there's a change. More importantly, this increases the likelihood of your privacy policy needing to be compliant. An automated solution that gives you clarity and insight into what information to communicate to users and allows for proactive changes that guarantee compliance and greater efficiency.
3. How to get users to agree to the Privacy Policy?
There's no secret to getting users to agree to any website's privacy policy. The privacy policy's primary purpose is to communicate the website's data collection practices as clearly and transparently as possible. Afterward, it is up to the users whether they feel comfortable with these practices and consent to allow the website to collect their data.
How Does Securiti Help?
As explained earlier, privacy policy obligations may appear fairly straightforward, but only if done correctly. OpenAI's regulatory issues are an open testament to that.
Securiti is a global leader in data security, privacy, governance, and compliance solutions.
Thanks to its Data Command Center™, organizations can monitor and ensure regulatory compliance across various obligations such as access controls, DSR requests, consent, data lineage, privacy notice management, and several other relevant use cases.
In this particular case, the Privacy Notice Management module allows for proactive edits and upgrades to your privacy policy based on any changes in the regulation or your data practices.
Moreover, the centralized portal gives unprecedented clarity and insights into all your deployed policies across multiple jurisdictions in real-time to ensure any necessary actions and revisions to your practices can be made proactively for greater efficiency and compliance.
Request a demo today and learn more about how Securiti can help your organization comply with the CPRA Privacy Policy requirements.
