Now that the midnight champagne toasts are complete, it’s time to consider our business goals for 2023. For those of us in a compliance role, that means making sure we know the details of the California Privacy Rights Act (CPRA), passed in November 2020 and fully operative as of January 1 of this year.

CPRA is an amended and more detailed version of the 2018 California Consumer Privacy Act (CCPA), which regulates how businesses and employers operate when it comes to collecting, storing, using, and sharing consumer data. It essentially brings California privacy law closer, in many respects, to Europe’s General Data Protection Regulation (GDPR).

Looking at CPRA through the lens of information management, there are several changes that are especially important to understand and address.

Special rules regarding “sensitive personal information”

The first major change from CCPA to CPRA is the definition of sensitive data. It has been expanded to include government-issued identifiers, account log-in credentials, financial account information, precise geolocation, contents of certain messages, and much more. In the future, categories may also be added or updated to align with technological advancements, changes in data collection practices, and the public’s privacy concerns.

Further limitations on the use of sensitive personal information collected

Through CPRA, a consumer may direct a business to use sensitive personal information only for purposes necessary to perform a service or provide the goods requested, and businesses are required to respect such requests. CPRA requires a business to inform consumers of the length of time the business intends to retain each category of personal information and also directs service providers, contractors, and third parties to cooperate with businesses to address personal information requests from consumers.

Changes to the definition of “publicly available information”

CPRA takes the definition of publicly available information beyond public records from federal, state, or local governments. It now includes:

  • Information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer
  • Information from widely distributed media
  • Information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted its use

Employee data exemption

CPRA states that it does not apply to personal information collected from an individual acting as a job applicant, an employee, owner, director, officer, staff member, or contractor, including benefits administration and maintenance of emergency contact information.

Establishment of the California Privacy Protection Agency

Because of CPRA, California now has the first agency in the country dedicated solely to privacy. The California Privacy Protection Agency, or CPPA, operates to protect the consumer privacy of Californians and to promote public awareness of consumers’ rights and businesses’ obligations under CPRA. Additionally, the agency will be responsible for investigating violations and issuing fines if a violation has occurred.

Compliance Preparation with Access

Alongside CPRA, a new consumer privacy law went into effect in Virginia on January 1, and Colorado’s new law will become effective on July 1, 2023. These are only the beginning of new privacy laws that we will see in the United States.

It is crucial now, more than ever, for organizations to develop a compliant privacy program that can adapt to the current privacy laws as well as future legislation.

Don’t let these new laws catch you unprepared in the new year. Virgo™, the retention and privacy compliance software from Access, can help you keep your business records compliant by providing continuously updated legal research in 220+ jurisdictions around the world. Schedule a consultation and demo with an expert today to see how Virgo can keep your business in compliance.
