If you are a business owner in California, protecting your customers’ personal information and sensitive data is no longer optional – it is legally required. This is due to the passage of the California Privacy Rights Act (the “CPRA”), a ballot initiative that passed by public vote on November 3, 2020. The CPRA is a groundbreaking law that sets California apart from virtually every other state in the country when it comes to consumer privacy rights and administrative requirements that must be followed by business owners.
The CPRA amends the California Consumer Privacy Act of 2018 (the “CCPA”) and creates an omnibus privacy regulation that applies throughout California. The CPRA establishes additional consumer rights, modifies existing rights set forth in the CCPA, creates a new category of consumer personal information with associated rules, and calls for the creation of a new privacy enforcement agency.
Impact of the CPRA on Businesses
Despite the CPRA receiving a majority of votes on November 3, 2020, business owners have some time to take the necessary steps to achieve compliance, as it does not go into full effect until January 1, 2023.
Nevertheless, you need to be proactive and take action now to ensure your business complies with the various regulatory and reporting requirements contained within the CPRA. For example, your business should perform an in-depth data mapping exercise to assess which aspects of personal information you collect and whether that personal information meets the CPRA’s standard as “sensitive personal information.” In addition, businesses should consider taking the following actions:
- Evaluating current data retention policies;
- Updating privacy statements with newly required disclosures;
- Implementing a mechanism for enabling consumers to request corrections to their personal data; and
- Considering modifying the current data structure to allow data correction on demand.
Finally, your business should update its “Do Not Sell” mechanism to either include a second “Limit the Use of My Sensitive Personal Information” button, or bundle both mechanisms under one button on your business website. You should also consider updating your “Do Not Sell My Personal Information” disclaimer to read “Do Not Sell Or Share My Personal Information” and ensure that it covers sharing personal data as well as selling it.
New Category of Personal Information
In addition to creating a series of administrative requirements that businesses must meet when it comes to managing personal information, the CPRA goes even further by requiring businesses to track a new category of data referred to as “sensitive” personal information. Data that would be considered “sensitive” under the CPRA includes:
- Financial information;
- Biometric data;
- Health status;
- Precise geolocation;
- Contents of emails or texts; and
- Race or ethnic origin of a consumer.
New Data Retention Disclosure Requirements
For each category of personal information that a business collects, including “sensitive personal information,” a business owner is now legally required to disclose, by category, the applicable retention periods for that piece of data. This is important because businesses in California are prohibited from retaining personal information for longer than is “reasonably necessary” to perform each of the purposes for which the data was collected, and for each purpose disclosed to the consumer.
For further information or concerns regarding the impact of the CPRA, take action by consulting with a reputable business attorney in Los Angeles, such as Afshin Hakim of Hakim Law Group, who is always on top of the latest changes regarding the efficacy of business law. Hakim Law Group represents a wide range of entrepreneurs, operating companies, venture capital firms, and financiers in numerous sectors of the economy. We possess the experience, knowledge and professionalism to produce more efficient, responsive and effective results for our clients. To schedule a consultation or for further information, please contact HLG at (310) 993-2203 or visit www.HakimLawGroup.com to learn more.