If you conduct business in California, it is important to take steps necessary to ensure compliance with the California Privacy Rights Act (CPRA). Why? Because the CPRA went into full effect on January 1, 2023. At that point, all covered businesses will be subject to a set of rigorous requirements related to the collection, retention and use of consumer information. In addition, covered companies will be required to do the following:
- publish privacy policies applicable to consumer data;
- provide certain notices; and
- be prepared to respond to data access requests
California Businesses Subject to the CPRA
It is important to note that the CPRA only applies to a “covered” businesses in California. The CPRA defines a “covered” business as the following:
- A company or other legal entity that collects consumers’ personal information;
- does business in California; and
- the California business had (i) annual gross revenues for the preceding calendar year of at least $25 million, (ii) annually buys, sells or shares the personal information of at least 100,000 consumers, or (iii) derives at least 50 percent of its revenue from selling or sharing consumers’ personal information.
The CPRA defines “consumer” as any person who is a resident of California.
Personal Information Defined
The CPRA defines what constitutes “personal information” and provides a separate legal category for “sensitive” personal information. The CPRA defines personal information as any “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of personal information include:
- Individual’s name
- Biometric information (e.g., facial image, fingerprint, etc.)
- postal address
- any unique personal identifier
- Internet Protocol (IP) address
- email address
- geolocation data
Sensitive Personal Information Defined
The CPRA provides a separate definition for “sensitive personal information” which includes any information that reveals an individual’s Social Security, driver’s license, state identification card or passport number, precise geolocation, the contents of the individual’s mail, email and text messages (unless the business is the recipient of the communication), and racial or ethnic origin, religious or philosophical beliefs, or union membership, among others.
Individual Rights Under the CPRA
Under the CPRA, individuals are afforded a set of specific legal rights when it comes to the collection, processing and use of their personal data. For example, the CPRA affords individuals the right to request the deletion of their personal data.This right means that a covered business will be required to delete any personal information about the individual that the business collected concerning the individual.In addition, covered businesses are obligated to notify individuals of this right.
Another right afforded to individuals is the right to request a covered business correct any information concerning the individual that is inaccurate. Just like the right to deletion, a business is obligated to notify individuals of the right to correct. In addition, businesses are obligated to utilize“commercially reasonable efforts” to correct the inaccurate personal information.
The CPRA also affords individuals the right to direct a business involved in the collection of sensitive personal information to limit the use of such information to only such uses that are necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.
Have Questions About What Needs to Be Done to Comply with the CPRA? Contact an Experienced Business Attorney in Los Angeles
If you have questions about the steps necessary for your business to achieve compliance with the CPRA, contact the Hakim Law Group. Our team of business attorneys in Los Angeles stand ready to help your small business meet the administrative and regulatory requirements associated with the CPRA that went into effect January 1, 2023. For further information or to schedule an appointment with a leading business attorney, please contact Hakim Law Group at 310-993-2203 or visit www.HakimLawGroup.com to learn more.