We are officially six months away from the California Privacy Rights Act (“CPRA”) taking effect and amending the California Consumer Privacy Act (“CCPA”).  Even for companies that have grown comfortable with requirements under the CCPA, the CPRA changes require planning and preparation.  With CPRA taking effect on January 1, 2023, here are six tips to begin that preparation:

  1. Brace for B2B and HR Data Protections: That’s right.  Beginning January 1, 2023, personal information collected in the human resources context (employees, applicants, and independent contractors) and in business-to-business relationships will be covered.  The CCPA exempted employee and B2B data from most of the rights granted to California consumers, but that exemption expires at the start of 2023, when the CPRA takes effect.  If you did not incorporate HR and B2B data into your CCPA compliance program, you still have time to do so while layering the new CPRA requirements on top of existing obligations.
  2. Update Your Opt-Out Functions: Not only can consumers opt out of sales of their personal information, but soon they can also opt out of “sharing” of personal information.  The CPRA definition of “sharing” covers communicating “personal information to a third party for cross-context behavioral advertising,” whether or not money changes hands.  Cross-context behavioral advertising means targeting advertising to a consumer based on personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services other than the one the consumer is intentionally interacting with.  If you engage in that kind of targeting (whether directly or through a third party), you must give the consumer the ability to opt out of the sharing, not just of sales.
  3. Be Sensitive to “Sensitive Personal Information”: In addition to greater opt-out rights, consumers can direct a business to limit its use and disclosure of “sensitive personal information” to what is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests them.  “Sensitive Personal Information” is broadly defined and includes Social Security numbers, driver’s license numbers, precise geolocation, health information, sex life and sexual orientation, the contents of mail, email, and text messages, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric information processed to identify a consumer, and account log-in or financial account, debit card, or credit card numbers combined with the password or access code needed to use them.
  4. Yes, Update Your Privacy Policy AGAIN: Yes, I know.  You finally published your privacy policy exactly the way you wanted.  But now you need to add more information to address the additional CPRA requirements that build on CCPA’s required disclosures.  Specifically, privacy policies should now include:
    • Categories of personal information shared
    • Categories of sources from which personal information is collected
    • Business or commercial purposes for collecting, selling, or sharing personal information
    • Categories of third parties to whom covered business discloses personal information
    • Length of time the business intends to retain each category of personal information (or, if that is not possible, the criteria used to determine that period)
  5. Be Sure You’re Not Discriminating: You already know that the CCPA prohibits businesses from discriminating against a consumer for exercising their data subject rights (e.g., you cannot deny goods or services to the consumer or charge different prices).  The CPRA adds another example of prohibited discrimination: retaliating against an employee, an applicant for employment, or an independent contractor for exercising those rights.  Take a moment to make sure your internal HR policies are designed to avoid any inadvertent acts of retaliation.
  6. Review Your Agreements: Under the CPRA, you may be a covered business, a service provider, a third party, or a contractor.  Covered businesses should already be keeping an eye on provisions in agreements with service providers, but the CPRA now requires specific contract terms with third parties and contractors as well.  Among other requirements, contractors must certify that they understand the CPRA’s restrictions and will comply with them, and covered businesses should expressly prohibit service providers, contractors, and third parties from retaining, using, or disclosing personal information for any purpose other than performing the services specified in the agreement or as otherwise consistent with the direct business relationship.

For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.  Furthermore, both our blog and mobile app can provide you additional access to helpful CCPA and CPRA materials, including this set of checklists.