How to Prepare for the California Privacy Rights Act
The State of California recently amended the California Consumer Privacy Act of 2018 to include additional data privacy protection for California residents. All companies that do business with California residents and meet certain criteria must follow these new laws. These changes became effective on January 1, 2023, more than two years after the state passed this legislation. Although this gave businesses ample time to adapt their practices to the new law, some companies may still struggle to meet the new requirements.
The state will not enforce these new amendments until July 1, 2023, so businesses still have a few months to become compliant if they are not already. If this applies to your business, the details of the law may feel overwhelming at first. Once you understand what is required, you will feel more prepared to make the necessary changes. Following privacy laws protects your business from lawsuits and fines. More importantly, it can help you build a good reputation as you demonstrate to your customers that their privacy is a high priority.
What Does the California Privacy Rights Act (CPRA) Include?
The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act of 2018 (CCPA). Since the CPRA is not a separate law, it is most appropriate to refer to it as part of the CCPA. This amendment clarifies several points of the CCPA and provides additional guidance. Some aspects of the CPRA include:
- Establishes the California Privacy Protection Agency to administer, implement and enforce data privacy laws. This agency also provides education and guidance to businesses and the public regarding data privacy.
- Changes the criteria that determine which businesses are subject to the law, which creates exemptions for more businesses.
- Gives California residents more control of their personal information by allowing them to make requests to correct inaccuracies, delete personal information, and limit the disclosure and use of sensitive personal information.
- Defines “sensitive personal information” as personal information that is not publicly available. This includes driver’s license, social security number, account login, credit card information, race and ethnicity, and many other pieces of information.
- Encourages businesses to retain data only for a reasonably necessary length of time.
- Specifies contractual requirements for data sharing between businesses and contractors, service providers, and other third parties.
- Increases the fine for the unauthorized collection or sale of a child’s personal information.
- Requires businesses to conduct annual cybersecurity audits and risk assessments.
- Clarifies the requirement for businesses to implement reasonable security practices to prevent unauthorized access to personal information.
Which Businesses Must Adhere to the CCPA?
Some businesses are exempt from the CCPA, so it is crucial to understand how this law impacts your specific business. Generally speaking, the law covers companies that do business in the State of California, or that collect or sell personal information belonging to California residents, and that meet the following criteria:
- Have a gross annual revenue above $25 million
- Buy, sell, or share information on at least 100,000 California residents annually
- Receive at least 50 percent of annual revenue from selling the personal information of California residents
The CPRA made one significant change to these criteria by doubling the threshold for buying, selling, or sharing information from 50,000 to 100,000 residents annually. This adjustment will likely exempt more small and medium-sized businesses (SMBs) from compliance with this law.
Although this may reduce some financial and time-intensive burdens on small and medium-sized businesses from a short-term perspective, the CCPA still provides guidance that can benefit businesses of any size. Cybercriminals may choose to target SMBs due to their generally weaker data security. When SMBs maintain high levels of data privacy and data security, even when the law does not require it, they can reduce the risk of a security breach and minimize the amount of personal information that is compromised if a breach does occur.
What Type of Information Is Protected by the CCPA?
The CCPA only applies to certain identifiable types of information that link, either directly or indirectly, to a specific customer or household. Some of this data is obviously private, such as driver’s licenses and social security numbers. It also includes less-obvious data types like purchase histories, unique personal identifiers, biometric data, and genetic information. It does not include medical records, which fall under HIPAA. The CCPA does not apply to aggregated data or to federal, state, or local government records that are otherwise available publicly or upon request.
Steps Businesses Can Take To Ensure Compliance
There are several steps that businesses can take to comply with the CCPA. A cybersecurity professional can help you develop a plan that meets the unique needs of your business.
- Understand how the law applies to your business.
- Update privacy policies and privacy notices to match the updated language and definitions included in the amendments to the CCPA.
- Update databases and methods for processing and storing data.
- Make updates to websites that collect or transmit data.
- Update internal data security protocol.
- Create or update protocol for handling customer requests to correct or delete data.
- Update your business associate agreements (BAA).
- Routinely train all employees on data privacy and security, including the CCPA.
Benefits of CCPA Compliance
There are numerous ways businesses can benefit from complying with the CCPA. Initially, avoiding fines and penalties may seem like the most important reason. However, adopting strong data privacy policies can have far-reaching effects on your business.
For businesses that operate internationally, many of the regulations in the CCPA may seem familiar. The CCPA is similar to what the European Union already requires under the General Data Protection Regulation (GDPR). If your business already complies with the GDPR, reaching full compliance with the amended CCPA should be easily attainable.
Additionally, California is one of many states to enact new data privacy laws in 2023, and more states will likely follow in the coming years. By aligning your data privacy protocols with the CCPA, it will be significantly easier to adapt to other state laws in the future, many of which have a lot in common with the CCPA.
In a world where cybercrime is continually increasing, consumers are becoming more conscious about protecting their personal data. Consumers value companies that are transparent with the way they use personal data and those that are responsive to requests to modify or delete personal information. Consumers may prefer to purchase products or do business with companies that value data privacy. Building consumer trust can give you an advantage over competitors who may be less careful about protecting consumer data.
Enforcement and Penalties
The newly created California Privacy Protection Agency is in charge of enforcing the CCPA. If they find that a business is non-compliant, the business has 30 days to prove they have become compliant with the regulations. Failure to comply can result in a fine of up to $7,500 per record, depending on the severity and intention of the violation. These decisions may be subject to judicial review, and the agency must defer to the Attorney General if needed.
However, perhaps the greatest threat to businesses comes from customers affected by a data breach. The CCPA allows consumers a private right of action, which means they can sue a company if their data is compromised due to a company’s negligence with data security. Class action lawsuits require businesses to spend significant time and money handling legal issues. Since lawsuits often make the news, legal trouble can damage a company’s reputation, thus costing them future revenue.
Ensuring Compliance With the California Consumer Privacy Act and Beyond
Complying with state-specific privacy regulations can feel daunting for many businesses, especially as more states add their own data privacy and security legislation. Fortunately, these new regulations follow best practices that will benefit your business. There will be significant overlap among various state laws, and perhaps someday, the federal government will develop more unified guidelines. Until then, it is crucial for businesses, especially those with customers in multiple states, to stay on top of these ever-changing laws.
Complying with data privacy laws does more than protect your business from fines and penalties. It also helps you protect your customers’ information and allows your company to develop a strong reputation. Implementing a comprehensive privacy solution such as uRISQ can make complying with the CCPA easier and will also help you stay on top of additional state privacy regulations so you are also prepared to meet future regulatory standards.