Contact us Today!

New Obligations Imposed on Businesses under the California Privacy Rights Act

Businesses under the California Privacy Rights Act

On November 3, 2020, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA).

The CPRA, which will become operative on January 1, 2023, will incorporate and significantly amend the existing California Consumer Privacy Act and expand privacy rights of California consumers as well as compliance obligations of covered businesses and their processors on par with the European Union’s General Data Protection Regulation.  Among the new obligations imposed on covered businesses are:

      (1) limitation on the use and retention of personal information collected by businesses;
      (2) implementation of reasonable security procedures and practices;
      (3) compliance with new consumer rights; and
      (4) performance of cybersecurity audits and risk assessments.


Limitation on the Use and Retention of Personal Information Collected by Businesses

The CPRA will require that business’s collection, use, retention, and sharing of consumers’ personal information be reasonably necessary and proportionate to achieve a disclosed purpose for which personal information is collected or processed.  A business will be prohibited to collect additional information or use collected information for additional purposes that are incompatible with the disclosed purposes.  Furthermore, businesses will not be able to retain consumers’ personal information or sensitive personal information for longer than is reasonably necessary for the disclosed purpose.  A length of time that the business intends to retain each category of collected information, or the criteria used to determine such period, will need to be disclosed to the consumers.

These new requirements are consistent with the Fair Information Practice Principles and would be familiar to companies that are already complying with the GDPR.   For other companies, compliance with the purpose limitation and data retention obligations would require assessment and likely calibration of their data management practices and processes and development of new accountability mechanisms.


Obligation to Implement Reasonable Security Procedures and Practices

All businesses that collect consumers’ personal information will be required to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure.  Under the CCPA, this obligation exists only in connection with preventing certain breaches of personal information.


Obligation to Comply with New Consumer Rights

The CPRA both modifies the existing consumer rights under the CCPA and grants new rights to the consumers. Most significantly, the CPRA permits consumers to:

      (1) prevent businesses from “sharing” personal information for cross-context behavioral advertising;
      (2) limit businesses’ use of “sensitive personal information”;
      (3) correct inaccurate personal information; and
      (4) obtain access and opt-out rights with respect to businesses’ use of automated decision-making, including profiling.

Businesses will be required to comply with these consumer rights in accordance with the requirements of the CPRA and future regulations.  For example, the CPRA prescribes several methods by which businesses would be required to enable consumers stop sharing their personal information and limit the use and disclosure of sensitive personal information.  One of the methods would be to provide separate links on a company’s homepage titled “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information.”  The other method would be to utilize a single link which would easily allow consumers to limit the use of their sensitive personal information and to opt-out of the sale and sharing of their personal information.  The third method would be for businesses to comply with the automatic opt-out preference signals.


Obligation to Perform Cybersecurity Audits and Risk Assessments

The CPRA will require businesses whose processing of personal information presents significant risk to the consumers’ privacy or security to perform annual cybersecurity audits and submit regular risk assessment reports to the California Privacy Protection Agency weighing the benefits of processing to the business, consumers, and public against the potential risks to the consumer rights. Where such risks outweigh the benefits, the CPRA will require businesses to restrict the processing or discontinue it altogether.


Incorporate Personal Information Collected in the Context of Employment and Business-to-Business Interactions into the CPRA Compliance Framework

Under the so-called “employee exemption,” the CCPA currently exempts from all provisions of the Act, except the private right of action and notice at collection, information collected from a person by a business in the course of the person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.  The exemption applies only to the extent that the information is collected and used by the business solely within the context of the person’s role (or former role) as a job applicant to, an employee of, an owner of, director of, officer of, medical staff member of, or contractor of that business.

By the same token, the “business-to-business exemption,” provides that with the exception of the right to opt-out, non-discrimination, and the private right of action, the CCPA does not apply to personal information reflecting business-to-business communications and transactions within the context of business conducting due diligence or where a product or service is provided or received.

As of January 1, 2023, both exemptions will end, and the personal information collected in the context of employment and business-to-business interactions will become subject to all the CPRA provisions, along with the customer information.  As part of the CPRA implementation process, companies will need to incorporate that information as part of their compliance framework.

With the approval of the CPRA, covered businesses need to promptly start reviewing their privacy and data management systems, programs, and practices to assess their compatibility with the Act’s legal requirements and to map out a path to compliance with the new consumer rights.  Furthermore, even though businesses will have more than two years to prepare for their new obligations under the CPRA, they still have to comply with the existing CCPA requirements in the interim period.


Access Clarip’s Privacy Whitepapers Today


For assistance with Consumer Deletion Requests, call Clarip today at 1-888-252-5653 or contact us.

Privacy News
Clarip Blog

What Your Company Needs to Know About Regulations of Biometric Data
Right to Opt-Out of Sale of Personal Data Under the California and Nevada Laws
Responding to Personal Data Deletion Requests Under the California Consumer Privacy Act
Right to Opt-Out of Sale of Personal Data Under the California and Nevada Laws
Verifiable Data Subject Requests under the GDPR and the CCPA
Other Resources

California Consumer Privacy Act
CCPA Summary
CCPA Privacy Software
CCPA Webinar
SB-1121 Amendments

GDPR Compliance
Consent Management Software
GDPR Data Mapping Software
DSAR Portal