Ready for Growth in California? - CPRA Notice Requirements

If you do business in California and process the personal data of its residents, you need to be aware of the California Privacy Rights Act (CPRA).

This legislation, effective since 1 January 2023, succeeded the California Consumer Privacy Act (CCPA) of 2018, and sets stringent privacy requirements comparable to the GDPR in the European Union. Its reach extends to companies doing business in California that meet any of the following:

  • annual gross revenues over $25M
  • handling the data of 100,000+ California residents/households
  • deriving at least half their revenues from selling/sharing Californian residents' personal information.

There are two specific sections of the CPRA (1798.130 and 1798.135) that lay out stringent requirements for privacy policies.

Key takeaways include:

  1. Annual Updates: Privacy policies must be updated at least once every 12 months.
  2. Consumer Rights: You must provide a clear description of consumer rights regarding notice, disclosure, correction, and deletion of personal data.
  3. Methods for Submitting Requests: Online-only businesses must provide at least one method for consumers to submit requests regarding their rights. Others must provide two.
  4. Data Collection Disclosure: You must disclose the categories of personal information collected, the sources of such data, the purposes of collection, and the third parties with whom the data is shared or disclosed.
  5. Do Not Sell or Share My Personal Information: You must provide a web page where consumers can opt-out of the sale and sharing of their information, if applicable.
  6. Limit the Use of My Sensitive Personal Information: You must provide a web page where consumers can constrain the use of their sensitive personal information to only those uses that are necessary as defined by the CPRA.

In the detailed next chapter of my book Privacy by Design: The Practitioner's Handbook, I expand on each of these points, providing helpful examples to guide your compliance efforts. I also cover general definitions, additional consumer rights, the implications of selling/sharing personal data, and how to handle opt-out preference signals. Read it for free!

Over the last 12 months since launching Practical Data Privacy, I've been asked countless times "Blair, does my privacy policy have what it needs?". I've created the Privacy Essentials assessment to cover the basics, and it's available now for free through my Policy Review AI. You can also run detailed GDPR and CPRA assessments on your policy and others, such as your third-party service providers and marketing partners. Get started for free, no credit card required. https://practicaldp.com/platform

If you want help with understanding the CPRA requirements, you can ask your privacy implementation questions and stay up to date with the latest privacy news and events by joining our growing Slack community. We have over 160 privacy and technology professionals around the world and would love for you to join us too! https://practicaldp.com/slack
