Since the California Consumer Privacy Act (CCPA) took effect in 2020, California residents have had a legal right to know what personal information businesses collect about them. Under the CCPA they can also opt out of the sale of their personal information and ask a business to delete the personal information it holds about them.

The California Privacy Rights Act (CPRA), approved by California voters in November 2020, builds on the CCPA with amendments that strengthen the state's data privacy law. It has been in force since January 1, 2023, and gives California residents new rights, including the right to correct inaccurate personal information and the right to limit the use of their sensitive personal information.

Complying with this law and updating practices should be on every business' priority list, both to avoid legal consequences and to provide additional transparency to customers. The law applies to for-profit businesses that do business in California and collect, sell, or share the personal information of California residents, whether or not the business is located in the state, provided they meet at least one of the following thresholds:

  • Annual gross revenues above $25 million in the preceding calendar year (a figure the law adjusts periodically for inflation).
  • Annually buy, sell, or share the personal information of 100,000 or more California residents or households.
  • Derive 50% or more of their annual revenue from selling or sharing California residents' personal information.

The checklist below outlines the areas where businesses most often need to update their policies and practices to meet CPRA requirements.

Map data flows

Under CPRA, consumers have the right to know what personal information a business collects about them and how it is processed. Because that information typically sits across many endpoints and storage systems, a business cannot answer access or deletion requests reliably, or honour its stated retention periods, unless it knows where the data is. A data map records what personal information is collected, where it flows, how it is processed, who has access to it, and which service providers and third parties receive it. That inventory is also what lets a business spot over-collection, unnecessary copies, and access that is broader than the stated purpose, and prioritise fixing them.

Revise privacy policies for CPRA Compliance

CPRA requires businesses to inform consumers through both a comprehensive privacy policy and specific notices at the point of collection. The privacy policy should include the following:

  • Categories of personal information your business processes
  • Purpose of collecting, using, selling, and sharing personal data
  • Categories of third parties with whom data is shared
  • How long each category of personal information will be retained, or the criteria used to determine that period
  • How to opt out of the selling or sharing of personal information
  • Details about customers' right to delete their personal data
  • Details about customers' right to correct their personal data
  • Details about customers' right to limit the use and disclosure of their sensitive personal information
  • Effective date of the notice and other required information

The CCPA regulations require the privacy policy to be reviewed and updated at least once every 12 months, so businesses should schedule an annual review and also update the policy whenever a new category of data, purpose, or recipient is added.

Understand data minimization and retention

The CCPA did not address data minimization or retention. CPRA is widely described as the first US state privacy law to require businesses to limit the collection, use, and retention of personal information to what is reasonably necessary and proportionate to the disclosed purpose, and to keep it no longer than that purpose requires. The law does not set a single retention period; instead the business must define a retention period (or the criteria used to set one) for each category of personal information, disclose it in the notice at collection, and stop collecting data that serves no documented purpose. Failure to do so exposes the business to enforcement by the California Attorney General and the California Privacy Protection Agency.

Review your data processing contracts

Businesses share personal information with service providers, contractors, and third parties for specific processing purposes. CPRA requires the contracts governing these disclosures to specify the limited purposes for which the recipient may use the personal information and to bind the recipient to the same level of privacy protection the law requires of the business itself. Inventorying every vendor and third party that receives personal information is the first step; the business can then review each agreement and update it to include those terms.

Perform audits and assessments

Annual cybersecurity audits help businesses identify security gaps before they lead to a breach, and CPRA directs the California Privacy Protection Agency to issue regulations requiring annual cybersecurity audits and regular risk assessments for businesses whose processing of personal information presents significant risk. Complying with CPRA is an ongoing process, so internal assessments of existing policies and data processing procedures are needed to continuously protect data and reduce privacy risk. These audits and assessments produce concrete findings that can be tracked to closure, which is what keeps written policies aligned with actual practice.

Train employees to adhere to CPRA compliance

Building a culture of data privacy within the organization reduces both data breaches and compliance violations. Training all personnel on CPRA requirements prepares them to handle customer data responsibly, to recognise and route data subject requests within the statutory deadlines, and to maintain basic data hygiene.

Secuvy’s Data Privacy Platform Streamlines CPRA Compliance for Businesses

Secuvy's unified data privacy compliance and data protection platform helps your organization meet its CPRA obligations through capabilities such as data inventory mapping, management of opt-out requests, generation of cookie consent banners, and more.

Secuvy's data mapping feature offers a comprehensive view of your entire data inventory. Supporting CPRA's requirements on data governance, minimization, and retention, it lets businesses identify precisely which types of data are stored and where. Automated scans discover personal data across your data sources so that you know what you hold before a consumer, an auditor, or a regulator asks.

Data subject requests can be managed on the platform through a streamlined workflow that scales to a high volume of requests, making it easy to handle access, correction, and deletion requests from an employee or customer within the required deadlines.

Secuvy understands that the customer is your organization's most important asset, and that protecting their privacy means securing your data. Contact us today to see how our platform automates and simplifies data security through low-touch, self-learning AI, giving you continuous 360° visibility into all your personal and sensitive data with high accuracy, speed, and low cost.