The California Privacy Rights Act is Here! How to Update your Privacy Policy for the CPRA

Effective January 1, 2023, the California Privacy Rights Act (CPRA) is the first amendment to the California Consumer Privacy Act of 2018 (CCPA). Although the California Privacy Protection Agency (Agency) will not begin enforcing the CPRA until July 1, 2023, the CPRA’s regulations are in the final stages of approval by the Agency and, once finalized, will expand consumers’ privacy rights.

Updated Requirements for Privacy Policies

Specific to website privacy policies, the CPRA will require businesses to disclose additional information and implement protections beyond those currently under the CCPA. For example, the CPRA contains changes to notice at collection of personal information. First, the notice at collection will no longer need to identify information regarding third parties that collect personal information through the business. Second, the Agency modified one of the illustrative examples dealing with analytics providers. The initial language referred to an “analytics business” as a third party, suggesting that it could not be a CCPA service provider. However, the Agency revised the example so that Business G is an ad network instead of an analytics business, suggesting that in some instances an analytics provider can be a service provider, not a third party.

Under the CPRA, privacy policies will also now require an explanation of the rights that the CPRA confers on consumers regarding their personal information, such as the right to correct inaccurate personal information that a business maintains about a consumer and the right to opt out of sharing or processing of sensitive personal information. The CPRA will still require businesses to recognize opt-out signals; however, unlike the CCPA, the CPRA will no longer require businesses to display whether they have recognized the signal. In addition, the CPRA will require privacy policies to (i) provide the date the privacy policy was last updated, (ii) be available in a format that allows a consumer to print it out as a document, and (iii) be posted online and accessible through an obvious link that uses the word “privacy.”

The CPRA also defines new terms for its privacy policy regulations, such as “Information Practices,” which are online and offline practices regarding the collection, use, disclosure, sale, sharing, and retention of personal information – a term that the CCPA neither used nor defined. The CPRA will require a contact for questions or concerns about the business’s privacy policies and Information Practices using a method reflecting the manner in which the business primarily interacts with the consumer.

CPRA Privacy Policy Requirements

As a refresher, below are the key points that businesses subject to the CPRA must include in their Privacy Policies:

· A comprehensive description of the business’s online and offline Information Practices, including but not limited to:
  - Identification of the categories of personal information the business has collected about consumers in the preceding 12 months;
  - Identification of the categories of sources from which the personal information is collected;
  - Identification of the specific business or commercial purpose for collecting personal information from consumers;
  - Identification of the categories of personal information, if any, that the business has sold or shared to third parties in the preceding 12 months. If the business has not sold or shared consumers’ personal information in the preceding 12 months, the business must disclose that fact;
  - For each category of personal information identified above, the categories of third parties to whom the information was sold or shared;
  - Identification of the specific business or commercial purpose for selling or sharing consumers’ personal information;
  - A statement regarding whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years of age;
  - Identification of the categories of personal information, if any, that the business has disclosed for a business purpose to third parties in the preceding 12 months. If the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business must disclose that fact;
  - For each category of personal information identified above, the categories of third parties to whom the information was disclosed; and
  - Identification of the specific business or commercial purpose for disclosing the consumer’s personal information and the right to opt-out of the sale or sharing of their personal information by the business.

· An explanation of the rights that the CPRA confers on consumers regarding their personal information, such as the right to correct inaccurate personal information that a business maintains about a consumer.

· An explanation of how consumers can exercise their CPRA rights and what consumers can expect from that process, including a contact for questions or concerns about the business’s privacy policies and Information Practices using a method reflecting the manner in which the business primarily interacts with the consumer.

· Date the Privacy Policy was last updated.

If your business is subject to the CPRA, our firm is happy to help – on a fixed fee basis – ensure your privacy policy satisfies the new regulations. Contact codevilla@skandslegal.com for more information.
