Published on April 26, 2022
If your company transacts business with residents of the State of California, you have likely heard a lot about the California Privacy Rights Act (CPRA). The CPRA is a legal evolution of California’s first privacy regulation, the California Consumer Privacy Act (“CCPA”), and is commonly referred to as CCPA 2.0. The CPRA is viewed by many as California’s version of the European Union's General Data Protection Regulation (GDPR), and there are significant parallels between the two regulations.
For instance, the CCPA provides California residents with a myriad of privacy-related rights, such as the right to know the types and categories of personal information (PI) collected by the business, the purposes for collection, and with whom the information is shared; the right to access any such personal information belonging to the individual; and even the right to have this PI deleted from the business’s databases. The CPRA was signed into law in November 2020 and will become enforceable on January 1, 2023.
The first consideration for every business should be whether it falls under the purview of the CPRA. The CPRA applies to any for-profit business transacting business in California that:
If your business satisfies one or more of the categories above, we can assist you with developing, implementing, and maintaining a CPRA compliance program.
We ensure that your website privacy notice is CPRA compliant using our digital Privacy Notice platform. Where a business collects PI from California residents, it must advise them of the following:
In addition, the CPRA includes a new data category - sensitive personal information (“SPI”), which includes:
With a simple installation of our privacy notice code on your website, we will build, display, and manage your CPRA compliant privacy notice.
In addition to advising California residents of their privacy rights, a business must give California customers the ability to exercise these rights. Such requests are often referred to as data subject access requests (“DSAR”). Under the CCPA/CPRA, a regulated business must provide its California customers with at least two ways of requesting the exercise of their rights, such as an email address and a toll-free number. The business must respond to a legitimate request within 45 days (with an additional 45-day extension period for the business under certain limited circumstances).
The DSAR process is complicated as a business holding PI must be able to search its databases to find the data belonging to an inquiring customer. We can do this for our clients using our AI-driven data discovery tools to search for, classify, and catalog personally identifiable information, both structured and unstructured, residing in the cloud or on-premises. By doing so, we provide our clients with a comprehensive and dynamic view of their PII across their data inventories. This includes identifying, retrieving, and deleting data belonging to a single customer. We can do this nearly instantaneously.
Not surprisingly, the CPRA requires that a business properly verify the identity of any customer submitting a DSAR. We are able to do this using a variety of electronic means. Moreover, we provide our clients with a customized, branded electronic data request portal where their customers can submit a DSAR. Using this same secure portal, the customer can retrieve any requested data. Just as importantly, all activities are electronically documented for compliance purposes.