What Is It?

The California Privacy Rights Act (CPRA), effective Jan. 1, 2023, will amend the privacy requirements established in the California Consumer Protection Act (CCPA). These amendments remove some data exemptions and add consumer rights and business obligations for data collected on, or after, Jan. 1, 2022.

What Is New?

As of Sept. 1, 2022, the legislative deadline for amendments to the CPRA has passed, resulting in the finalization of the new requirements, which go into effect early next year.

Who Should Prepare?

These new requirements will apply to for-profit businesses that do business in California and have annual gross revenue in excess of $25,000,000, collect or process data from at least 100,000 consumers per year, or derive at least 50% of their revenue from selling or sharing consumers’ data.

Summary of Major Changes

Employee and Business-to-Business (B2B) Data Is Now in Scope

  • The CPRA will impose the full suite of business obligations on employers and allow California employees, contractors, and applicants to fully exercise their consumer rights in relation to data held by these employers.
  • B2B personal data will now be treated the same as consumer data unless the data was collected in the context of due diligence or the provision and receipt of products or services to another organization.
  • Under these changes, California residents will be able to request a copy of Human Resource records maintained by their former employer, including performance reviews, data gathered from workplace monitoring, and termination decisions.

Annual Cybersecurity Audits and Regular Risk Assessments Will Be Required for Some Businesses

  • Businesses that process data that presents a significant risk to consumers’ privacy must perform annual cybersecurity audits and regular risk assessments.
  • “Significant risk” is determined based on the size and complexity of the business and the nature and scope of the processing activities. These attributes have yet to be defined by CPPA.

Collecting or Processing ‘Sensitive Personal Information’ Will Require Additional Considerations for Some Businesses

  • CPRA introduces the term “sensitive personal information,” which includes data that is likely, if improperly accessed, to cause severe harm to the consumer, such as Social Security numbers and financial account numbers.
  • Businesses that collect and process sensitive personal data to infer characteristics about a consumer must limit their use to a set one of the specific, permissible purposes defined by CPRA.
  • Businesses will need to develop processes to ensure collection and processing are limited to defined purposes and potentially set up a mechanism for consumers to restrict the collection and processing of their sensitive personal data.

What Should You Do Next?

Prioritize efforts to prepare for employees, contractors, applicants, and consumers to begin exercising their expanded consumer rights. Although typical enforcement may lag behind when regulations change, businesses should be prepared to meet the full scope of these new requirements by Jan. 1, 2023.

Consequently, businesses should immediately:

  • Kick-start your data inventory of California personal data.
  • Identify any selling or sharing of personal data you handle.
  • Identify and prepare to limit the use and disclosure of any sensitive personal information.
  • Update privacy policies and notices to reflect new rights and requirements.

We Can Help

CrossCountry Consulting’s robust privacy and data protection team is actively involved in the industry, holds leadership roles within IAPP, and is passionate about data protection and the evolution of the field.

We would love to discuss your organization’s data privacy needs and challenges. Contact CrossCountry today with questions or to discuss how we can best partner to achieve your goals.