CPRA – Let’s Get You There

Published on April 26, 2022

If your company transacts business with residents of the State of California, you have likely heard a lot about California’s Privacy Rights Act (“CPRA”). The CPRA is a legal evolution from California’s first privacy regulation, the California Consumer Privacy Act (“CCPA”) and is commonly referred to as CCPA 2.0. The CPRA is viewed by many as California’s version of the European Union’s General Data Protection Regulation (“GDPR”) and there are significant parallels between the two regulations.

For instance, the CCPA provides California residents with a myriad of privacy-related rights such as the right to know the types and categories of personal information (“PI”) collected by the business, the purposes for collection, to whom the information is being shared, the right to access any such personal information belonging to the individual, and even the right to have this PI deleted from the business’s databases. The CPRA was signed into law in November 2020 and will become enforceable on January 1, 2023.

The first consideration for every business should be whether it falls under the purview of the CPRA. The CPRA applies to any for-profit business transacting business in California that:

  • As of January 1, of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year;
  • Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or, households; or
  • Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

If your business satisfies one or more of the categories above, we can assist you with developing, implementing, and maintaining a CPRA compliance program.

Advisori’s Automated Privacy Notice

We ensure that your website privacy notice is CPRA compliant using our digital Privacy Notice platform. Where a business collects PI from California residents, it must advise them of the following:

  • How their PI is collected by the business, i.e., website cookies/trackers,
  • What types and categories of PI are collected,
  • With whom their PI is shared,
  • How long their PI is retained by the business,
  • How the data subject can request a copy of their PI,
  • How they can request correction of their PI,
  • How they can request deletion of their PI, and
  • How they can request to opt-out of having their PI collected, shared, or sold.

In addition, the CPRA includes a new data category – sensitive personal information (“SPI”), which includes:

  • Social Security Numbers,
  • Driver’s License Numbers,
  • Passport Numbers,
  • Financial Information,
  • Racial and ethnic origin data,
  • Geo-location data,
  • Health data,
  • Religious affiliation, and
  • Trade union membership.

With a simple installation of our privacy notice code on your website, we will build, display, and manage your CPRA compliant privacy notice.
Request a Demo

DSAR Fulfillment

In addition to advising California residents of their privacy rights, a business must allow California customers the ability to exercise these rights. This is often referred to as data subject access requests (“DSAR”). Under the CCPA/CPRA, a regulated business must provide its California customers with at least two ways of requesting the exercise of their rights such as an email address and a toll-free number. The business must respond to a legitimate request within 45 days (with an additional 45-day extension period for the business under certain limited circumstances).

The DSAR process is complicated as a business holding PI must be able to search its databases to find the data belonging to an inquiring customer. We can do this for our clients using our AI-driven data discovery tools to search for, classify, and catalog personally identifiable information, both structured and unstructured, residing in the cloud or on-premises. By doing so, we provide our clients with a comprehensive and dynamic view of their PII across their data inventories. This includes identifying, retrieving, and deleting data belonging to a single customer. We can do this nearly instantaneously.

Not surprisingly, the CPRA requires that a business properly verify the identity of any customer submitting a DSAR. We are able to do this using a variety of electronic means. Moreover, we provide our clients with a customized electronic data request portal where their customers can go to the business’s branded portal and submit a DSAR. Using this same portal, the customer can retrieve any requested data from this secure portal. Just as importantly, all activities are electronically documented for compliance purposes.
See more

Read more on our blog and contact us today to learn more about our CCPA/CPRA solutions.

Visit us at www.advisori.com or drop us a line at [email protected] to learn more about our CCPA/CPRA solutions.