How the New California Privacy Rights Act (CPRA) Compliance Law Impacts Businesses
The California Privacy Rights Act (CPRA) is a state statute that went into effect on January 1st, 2023 and is now officially being enforced. It is imperative that all companies in California understand their responsibilities under the CPRA and its parent law, the California Consumer Privacy Act (CCPA). In this article, our Fremont business attorney provides an overview of the key things that companies should know about compliance with the CPRA.
Background: The CPRA Clarifies a 2018 California Privacy Law
The California Consumer Privacy Act (CCPA) is a state law that was passed to provide consumers with control of the personal information that businesses collect. The California Privacy Rights Act (CPRA) is a law that significantly amends the CCPA. Notably, the CPRA was passed through a ballot initiative in 2020. At that time, it was known as Proposition 24. As noted above, enforcement of the CCPA/CPRA officially started on July 1st, 2023.
Which Businesses are Required to Comply With the CPRA?
It is important to emphasize that not every business is required to comply with the CPRA. It applies to all companies that are either based in California or sell products/services in California and meet one of the following three criteria:
- The business has gross annual revenue of $25 million or more
- The business generates at least 50 percent of its annual revenue from selling or sharing the personal information of consumers
- The business buys, sells, or shares the personal information of residents of at least 100,000 households in California during the year
While the first criterion is relatively straightforward (larger businesses with $25 million in annual revenue must comply), it is the third that could bring many smaller or mid-sized businesses under the scope of the CPRA.
Note: The CPRA does not apply to non-profit organizations or government agencies.
How to Comply with the New California Privacy Rights Act
Is your company covered by the scope of California’s revised consumer privacy law? It is crucial that you are in full compliance with the regulations. Here is the key thing to know about compliance: California businesses that are covered by the new CPRA need to have a comprehensive written privacy policy in place. That policy must meet all the requirements of the law. Among other things, a written privacy compliance policy should address:
- The process for disclosing that your business collects personal information about a consumer at or before the point of data collection.
- A clear statement that consumers have the right to request the information that you collected about them, as well as your CPRA privacy policy.
- An acknowledgment of and process for addressing the fact that consumers have the “right to be forgotten” under California’s privacy law—meaning they can request that you delete personal data.
- A process for allowing consumers to “opt-out” of having their personal information sold to or shared with third parties.
- A statement affirming compliance with the “right to fair treatment”—as California law holds that consumers cannot face unfair treatment for restricting access to their personal data.
Schedule a Confidential Consultation with Our California Business Lawyer Today
Lynnette Ariathurai provides solutions-focused guidance and support to business owners and entrepreneurs. If you have any questions about the new California Privacy Rights Act or CPRA compliance, we are here to help. Contact us today for a confidential consultation. We serve businesses throughout the Bay Area, including in Fremont, Newark, Hayward, East Bay, Milpitas, Union City, San Leandro, San Jose, and Santa Clara.