What Every Small Business Must Know About the California Privacy Regulation Act

By Harry Maugans

Amid all of the election news, you may have missed an important milestone: Californians approved the most ambitious privacy law in the country. The California Privacy Regulation Act (CPRA) introduces a number of new rules that will apply to many small and medium-sized businesses.

Even if your company doesn’t do business in California, it is worth understanding this privacy law. In the absence of a national data protection law, the CPRA could become the blueprint for data protection nationwide.

To keep you up to date, here are four things companies need to know about the CPRA.

1. New consumer rights regarding data sharing and permissions

The CPRA replaces the CCPA, California’s existing privacy law. It introduces a major change to consumer protection: sharing data is now regulated alongside buying and selling data for commercial purposes. Companies that routinely exchange customer information without necessarily exchanging money must now comply with the CPRA and allow consumers to opt out of the sale and sharing of their personal information.

In addition to the right to restrict the use and disclosure of personal data, the other consumer rights enshrined in the CPRA include:

  • The right to know the categories of sensitive personal information collected
  • The right to know why and for what purposes data is being collected
  • The right to know if personal information is being sold or given away
  • The right to correct inaccurate personal information
  • The right to know how long your company plans to keep each category of personal information
  • The right to access all categories of personal data a company has collected (not just data from the last 12 months, as under the current law)

Note that this only applies to companies doing business in California, that is, companies that process the personal information of California residents. Publicly available data is also excluded and is not covered by the CPRA.

Do this now: Review every data-sharing agreement you have with third parties. Make sure your marketing department understands this new requirement. Allocate a budget for privacy compliance.

2. More small businesses are exempt

The CPRA raises the compliance threshold in favor of smaller companies. It applies only to companies that meet at least one of the following thresholds:

  • Gross revenue of more than $25 million in the previous calendar year
  • Buying, selling or sharing the personal information of 100,000 or more households, consumers or devices for commercial purposes. That is up from 50,000 in the original law, a massive relief for smaller businesses facing high compliance costs.
  • Earning 50% or more of annual revenue from selling or sharing personal information

Overall, this is great news for small and medium-sized businesses: many will be exempt. However, it is easy to slide over the threshold without realizing it. That is why it is important to audit your company’s data holdings quarterly to confirm you are still below the threshold.

Do this now: Review your data holdings and your use of personal information to determine whether you are covered by the CPRA. Then put a recurring quarterly review with your team on your calendar.

3. There is now a legal definition of “sensitive information”

The CPRA formalizes a legal definition of “sensitive information”. Any user data containing the following is considered sensitive and is covered by the CPRA: sexual orientation, religious or philosophical beliefs, union membership, genetic information, biometric data, race or ethnicity, Social Security number, health records, and the contents of personal communications.

Under the CPRA, consumers can restrict the use of any data that meets the definition of “sensitive personal data”. This restriction has specific consequences for targeted advertising that is tailored to the consumer on the basis of sensitive information: once the consumer opts out, you must stop personalizing that advertising immediately.

Companies may use personal data only in a way that is “reasonably necessary and proportionate to achieve the purposes for which the personal data was collected or processed”. This obligation narrows the permitted uses of personal data and gives consumers more control.

Do this now: Review your data flow and mark every place where you store potentially sensitive personal information. Isolate that data and secure it behind a password and a firewall.

4. Heavy fines for violations

For the first time, America has a data protection authority: the CPRA creates one. This means the law now has real enforcement behind it, and voluntary compliance is a thing of the past.

Violations now cost $2,500 per incident, rising to as much as $7,500 for violations involving minors. If you accidentally lose data, or share or sell data without user permission, you could face hefty fines. For example, say you shared an email list of 1,000 contacts with a partner and assumed that was fine. If you did not have permission to use it, that is a violation that could cost you $25,000!

You also need to be very careful to use personal information only for the purposes originally disclosed to customers. You must inform customers and obtain their consent if you want to use that information for a purpose that is “inconsistent with the stated purposes for which the personal information was collected”. Otherwise, you may be fined for non-compliance.

Do this now: Brief your team on the CPRA so everyone knows the requirements. You don’t want to violate the CPRA, because it could cost a lot of money. Get the team aligned!

Next steps for your company

The CPRA takes effect on January 1, 2023, and enforcement begins six months later. But, and this is a big deal, the CPRA’s right of access applies to any personal information collected on or after January 1, 2022. So while it may look like you have plenty of time, you really have only a year to get your data practices in order!

As you might expect, privacy management is a fairly manual process that requires internal resources. You must allocate enough staff to respond to customer requests and to explain the “how, why, and what for” of your data collection practices.

Your first step should be an honest assessment of your company’s data collection practices. Do you operate transparently and traceably, or do you have no idea where, when, how, and for what purpose your organization stores customer data? Take the time to chart the flow of customer data through your company and build a detailed data map. That map should then guide you along the path to CPRA compliance.

Unfortunately, new regulations are often the most burdensome for smaller businesses with less free cash flow. With enhanced consumer controls and potential fines, there are additional costs associated with CPRA compliance. Even so, consumers want more control and transparency over data protection. This is a great way to build consumer trust – and well worth the investment in the long run.

About the author

Contributed by: Harry Maugans

Harry Maugans is the CEO of Privacy Bee. Over the past ten years, he has built privacy-focused data intelligence products that preserve anonymity while still delivering valuable insights. His vision for the future of data protection is a world in which consumers have complete visibility into, and control over, their data footprints.

Company: Privacy Bee
Website: www.privacybee.com
Connect with me on Facebook, Twitter and LinkedIn.