Overwhelming doesn’t even begin to cover it.
If you’re a business owner located in California or you simply do business with Californians, you know how strict the rules can be.
And as of January 1, 2023, they’ve only gotten stricter.
The California Privacy Rights Act (CPRA) has introduced a raft of new requirements that make understanding compliance essential for any business owner who:
- Collects consumers’ personal information
- Does business in California
- And meets at least one of three thresholds: (i) annual gross revenue of more than $25 million in the preceding calendar year (a figure the state adjusts for inflation), (ii) buying, selling, or sharing the personal information of 100,000 or more consumers or households per year, OR (iii) deriving 50% or more of its annual revenue from selling or sharing consumers’ personal information.
(Where a “consumer” is any natural person who is a California resident.)
Tackle the overwhelm and unpack what the CPRA laws mean for you by familiarizing yourself with key details and ensuring your compliance is up to date.
**And just before we go any further:
Everything I share is legal education and information. It’s not business, financial, or legal advice, and it doesn’t create an attorney-client relationship between us.
Please chat with an attorney in your area to make sure you’re protecting your business.**
How the new CPRA law affects your online business
The CPRA is a groundbreaking piece of legislation.
Because it requires companies to provide consumers with more control over their personal information and grants them new rights – including the right to correction, the right to limit the use and disclosure of sensitive personal information, and the right to opt out of the sale and sharing of their personal information– it offers you a unique opportunity.
You have the chance to seriously level up client/customer trust by committing to privacy and data protection.
Where others may be trying to find ways around the law, you can stand out by embracing it.
But it’s not without its challenges.
The new CPRA law imposes stricter requirements for data security, accountability, and transparency.
And companies are expected to implement and comply with the policies quickly…or face civil penalties of up to $2,500 per violation, or $7,500 per intentional violation or violation involving the data of consumers under 16, counted per violation, and the CPRA removed the CCPA’s guaranteed 30-day window to cure a violation before enforcement.
So aside from reviewing existing practices, you may find yourself:
- Revising privacy policies and notices
- Implementing stronger safeguards for customer data
- Updating compliance programs
- Providing training for staff
- Creating systems for responding to customer requests
- Conducting regular internal audits
- Identifying third-party vendors who need access to customer data
- And regularly monitoring changes in state privacy law
But rather than viewing this as an inconvenience to avoid fines or legal action, you can view it from the angle of opportunity and proactively use these changes to increase customer trust.
And gain a competitive edge in today’s digital marketplace.
The difference between CPRA law and CCPA law
There are only a couple letters of difference between the two acts, but a whole lot of nuance.
The California Privacy Rights Act (CPRA) is a far-reaching law that builds on the California Consumer Privacy Act (CCPA).
A key difference between them is what businesses must tell consumers about the personal data they collect, and how much of it they may collect in the first place.
The CCPA is mainly a notice-and-opt-out law: tell consumers what you collect and why, and let them opt out of sales. The CPRA keeps that framework and goes further.
Under the CPRA, your collection, use, and retention of personal information must be reasonably necessary and proportionate to the purposes you disclosed, and your notice at collection must state, for each category of personal information, why you collect it, whether you sell or share it, and how long you keep it (or the criteria you use to decide).
Your privacy policy must also explain how consumers can submit requests to know, delete, correct, opt out of sale or sharing, and limit the use of their sensitive personal information, and you must act on those requests within the statutory time limits (generally 45 days for requests to know, delete, or correct).
The CPRA also provides more protection around sensitive categories of information, including:
- Social Security, driver’s license, state ID, and passport numbers;
- Account log-in or financial account, debit card, or credit card numbers in combination with the password, security code, or credentials needed to access the account;
- Precise geolocation;
- Racial or ethnic origin, religious or philosophical beliefs, and union membership;
- The contents of mail, email, and text messages, unless your business is the intended recipient;
- Genetic data;
- Biometric information processed to uniquely identify a person, such as fingerprints, faceprints, or voiceprints;
- And information collected and analyzed about a consumer’s health, sex life, or sexual orientation.
Note that professional or educational information, and demographic details such as gender, are ordinary personal information under the law: still covered by notice, deletion, and correction rights, but not “sensitive.”
Companies must also disclose at the point of collection which sensitive categories they collect, must not use that information for materially different purposes without giving fresh notice, and, where they use it beyond what is necessary to provide the requested service, must offer consumers a “Limit the Use of My Sensitive Personal Information” option.
In other words, the California Privacy Rights Act brings a whole new level of protection to Californians’ personal data privacy rights.
Requirements for collecting and using sensitive personal information
Most online service providers handle some sensitive personal data, and nearly all handle ordinary personal information.
- If you’re a VA, you might hold a client’s credit card number together with the security code needed to make purchases.
- A health coach could collect medical history.
- Career coaches collect professional experience and educational background, which the law treats as ordinary (not sensitive) personal information, but which still carries notice, deletion, and correction obligations.
So here’s how the law applies to you:
Obtain explicit consent
Using our VA example: before you keep your client’s credit card number and security code on file, tell them at the point of collection what you’re collecting, why, and how long you’ll keep it, and get their express consent to store it. (The law itself requires notice and a way to limit the use of sensitive data; documented consent is the cleanest way to show you provided both.)
You also want to limit the data you collect to what is reasonably necessary for the stated purpose, which the CPRA now requires outright: take the card you’ll actually use for their business purchases, not every card in their wallet, and ask whether you need to store the number at all rather than having the client enter it themselves. Holding card numbers also brings payment-card (PCI DSS) security obligations on top of the privacy law.
It also goes without saying (but I’m going to say it anyway!) that personal information should not be passed to third parties without a basis for it: service providers and contractors need a written contract containing the terms the CPRA requires, disclosing it to anyone else may be a “sale” or “sharing” that the consumer has the right to opt out of, and in every case you should have the client’s express written consent.
Provide clear policies
Create and share clear policies on how you’ll handle incidents involving sensitive personal data, including a data breach.
This includes a detailed set of procedures for
- How to respond to incidents (who is notified internally, how access is cut off, and how evidence is preserved)
- What records of each incident you keep, and for how long
- How and when notifications about breaches will be sent out (California’s breach-notification statute requires notice to affected residents, and the CPRA gives consumers a private right of action when unencrypted, unredacted personal information is breached because reasonable security was not maintained)
And, of course, the CPRA now expressly requires security procedures and practices appropriate to the nature of the information, so make sure your systems are secured against unauthorized access and intentional or unintentional misuse of anything you collect, and that data you no longer need has been deleted.
Keep accurate records
All activities involving collecting and using sensitive personal data should be backed by detailed, current records; for a small business a simple data inventory will do.
For example, if you’re a health coach collecting medical history, you need your records to include details such as
- What type of data was collected from each individual (medical history)
- When it was collected from them, and how (intake form, email, call notes)
- Why it was collected, and how long you keep it
- Who had access, including any service providers
And so on.
The CPRA regulations also require you to keep records of every consumer request you receive (to know, delete, correct, opt out, or limit) and how you responded, for at least 24 months.
More steps business owners can take to prepare for compliance with the new regulations
You also want to be sure everyone who touches customer data on your behalf, including employees, service providers, and contractors, knows the regulations and their role in adhering to them; the CPRA regulations specifically require that anyone responsible for handling consumer requests is trained on how to do so.
Keeping records of all transactions and creating policies and procedures can help ensure your business and employee actions stay compliant with the CPRA law.
And don’t forget to review your business practices regularly to stay up to date on the current regulations.
A lot of businesses will only be starting their compliance journey now, and it’s much easier to make updates when you already have policies in place.
You can stay prepared and adjust accordingly by keeping aware of new laws or regulations that affect your operations.
Understand the new CPRA law to strengthen your business
The California Privacy Rights Act (CPRA) became effective on January 1, 2023, and enforcement by the new California Privacy Protection Agency began July 1, 2023.
This law amends and builds on the landmark California Consumer Privacy Act (CCPA), enacted in 2018.
The CPRA strengthens privacy rights for residents of California by providing new protections, greater control over personal information, and enhanced enforcement mechanisms.
Businesses that collect or use Californians’ personal information must take steps to develop a plan that meets compliance expectations with the CPRA.
And by understanding the rules that apply to you, you can build on your customers’ trust and stand out in the digital marketplace.
If you’re based in California and need more personalized guidance, consider booking a consultation through our law firm.