If your company transacts business with residents of the State of California, you have likely heard a lot about California’s Privacy Rights Act (“CPRA”). The CPRA is a legal evolution from California’s first privacy regulation, the California Consumer Privacy Act (“CCPA”) and is commonly referred to as CCPA 2.0. The CPRA is viewed by many as California’s version of the European Union’s General Data Protection Regulation (“GDPR”) and there are significant parallels between the two regulations.
For instance, the CCPA provides California residents with a myriad of privacy-related rights such as the right to know the types and categories of personal information (“PI”) collected by the business, the purposes for collection, to whom the information is being shared, the right to access any such personal information belonging to the individual, and even the right to have this PI deleted from the business’s databases. The CPRA was signed into law in November 2020 and will become enforceable on January 1, 2023.
The first consideration for every business should be whether it falls under the purview of the CPRA. The CPRA applies to any for-profit business transacting business in California that:
As of January 1, of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year;
Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or, households; or
Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.
If your business satisfies one or more of the categories above, we can assist you with developing, implementing, and maintaining a CPRA compliance program.
Privacy Notice Drafting and Maintenance
We ensure that your website privacy notice is CPRA compliant. Where a business collects PI from California residents, it must advise them of the following:
How their PI is collected by the business, i.e., website cookies/trackers,
What types and categories of PI are collected,
With whom their PI is shared,
How long their PI is retained by the business,
How the data subject can request a copy of their PI,
How they can request correction of their PI,
How they can request deletion of their PI, and
How they can request to opt-out of having their PI collected, shared, or sold.
In addition, the CPRA includes a new data category – sensitive personal information (“SPI”), which includes:
Social Security Numbers,
Driver’s License Numbers,
Passport Numbers,
Financial Information,
Racial and ethnic origin data,
Geo-location data,
Health data,
Religious affiliation, and
Trade union membership.
Visit us at www.advisori.com or drop us a line at info@advisori.com to learn more about our CCPA/CPRA solutions.
コメント