In a July post (available here), we discussed a new rush of state data privacy laws that will affect businesses nationwide. In that post, we discussed new laws coming online in California, Colorado, Connecticut, Utah, and Virginia.
Of these, the law that is (or should be) on every business’s mind right now is the California Privacy Rights Act or “CPRA”. This law will usher in significant changes to privacy at many organizations. Effective January 1, 2023, it will apply a broad range of individual rights (think access, correction, deletion) and other legal obligations to broad swaths of employee/HR, contractor/1099, and B2B data held by businesses. Other changes will affect a business’s vendor agreements, risk assessments, and privacy strategy for new initiatives.
The reach of this law is nationwide, meaning it will apply to companies both located in and out of California provided that other criteria are satisfied. Do you collect data from California residents or have employees in California? If so, this law may be for you.
Given the impending effective date, we’ve prepared the following checklist for businesses to use with their advisors when evaluating if and how the CPRA applies to their organization and its operations.
- Evaluate whether your business is subject to the CPRA
- Use the CPRA as an opportunity to review and refresh your CCPA compliance program
- Apply your CCPA policies (or new CPRA policies) to employee information
- Update your personal data inventory
- Determine if you collect “sensitive personal information”
- Establish a process to implement the right to correct personal information
- If applicable, establish a process to implement the right to limit use and disclosure of sensitive personal information
- Address compliance obligations for your “contractors” and “service providers”
- Determine if and how CPRA’s sell/share distinction affects your organization
- Address CPRA’s data collection, use, and retention limitations
- Analyze whether your business engages in “profiling”
- Update your current privacy training programs
- Update your privacy policies
- Implement annual risk assessment to comply with updated reporting requirements
- Add additional information about sensitive personal information to your consent forms and other disclosures
- Build an appeals process for individuals to contest decisions in individual right requests
- Evaluate automated decision-making processes
- Adjust collection and storage to reflect updated minimization, purpose limitation, and storage restrictions
This sounds like a lot, doesn’t it? While the law is comprehensive, starting now and tackling compliance items on a systematic basis will allow your organization to comply in full. Moreover, while the CPRA is effective January 1, 2023, California is offering businesses a grace period until July 1, 2023 before the state commences enforcement.
William Roberts is a data privacy and cybersecurity attorney with the law firm of Day Pitney LLP and is based out of the firm’s Hartford, Connecticut office.