Now that we’ve reached 2023, it’s time to reexamine privacy policies to comply with California’s new California Privacy Rights Act.
To recap, in 2018, California enacted the California Consumer Privacy Act (CCPA). The CCPA became effective in 2020. Many of our clients changed their privacy policies and programs to comply with the CCPA, which established new disclosure and process requirements. In the November 2020 election, however, California’s voters enacted a new privacy law by ballot initiative – the California Privacy Rights Act (CPRA). As of January 1, 2023, the CPRA became effective. It supplements and amends the CCPA.
If you established a privacy policy to comply with the CCPA, the CPRA requires additional changes to your policy. More generally, any business doing business in California is covered by CCPA/CPRA if:
- It had annual gross revenues in excess of $25 million in the previous calendar year,
- It processes personal information of 100,000 or more California residents or households, or
- It derives 50% or more of its annual revenues from selling or sharing (for targeted advertising purposes) the personal information of California residents.
The CPRA is effective today. However, California will not enforce the new law right away. Enforcement is expected to begin mid-year. Consequently, businesses will have a limited window of time to implement the CPRA before enforcement begins. Accordingly, businesses should now make sure they are in compliance with the new law before California begins to enforce the CPRA.
Here are some of the areas where covered businesses will need to make changes to comply with the CPRA:
- Changes to privacy policies with new required disclosures
- Changes to service provider contracts to protect California residents’ personal information
- Changes to information on their websites
- Ensuring their security programs reasonably protect the security of California residents’ personal information
- Changes to make sure Californians with disabilities can exercise their individual privacy rights
- Changes to processes to respond to requests to exercise individual rights
- Accommodating a new category of “sensitive personal information”
- Managing targeted advertisements based on user behavior
- New commitments for businesses relying on deidentified information derived from personal information
- New rules regarding precise geolocation
- New rules regarding representatives of Californians acting on their behalf for purposes of verifying their identities to exercise individual rights
Final CPRA regulations are expected later this year. These regulations will provide additional guidance and will impose additional requirements. As a result, we expect the need for additional modifications to privacy policies later this year.
Stephen Wu has practiced data protection law since 1997, has written or co-written seven books on data protection legal topics, and heads Silicon Valley Law Group’s data protection practice. He assists with developing data privacy and security policies and programs. He served as Co-Chair of the Information Security Committee of the American Bar Association Science & Technology Law Section from 2001 to 2004, and later served as Section Chair. For data protection assistance to comply with new California privacy requirements, please contact Stephen Wu by completing the web form here.