By Harry Maugans
In the crush of all the election news, you may have missed a major milestone: Californians approved the nation's most ambitious privacy regulations. The California Privacy Rights Act, or the CPRA, ushers in a raft of new rules that may apply to many small and medium-sized businesses.
Even if your company doesn’t do business in California, it’s helpful to understand these privacy regulations. Without a national privacy law, the CPRA may become the blueprint for privacy nationwide.
To get you up to speed, here are four things that businesses need to know about the CPRA.
1. New consumer rights around data sharing and permissions
The CPRA amends and expands the CCPA, California's existing privacy law. It broadens consumer protections with one key distinction: data sharing is now regulated alongside the buying and selling of data for commercial purposes. Businesses that routinely share customer data without money changing hands will now have to comply with the CPRA and allow consumers to opt out of both the selling and the sharing of their personal data.
In addition to the right to limit the use and sharing of personal data, other consumer rights under the CPRA include:
- The right to know the categories of sensitive personal information collected
- The right to know why and for what purposes data is being collected
- The right to know if personal information is sold or shared
- The right to correct inaccurate personal information
- The right to know how long your company plans to retain each category of personal information
- The right to access all categories of personal information a company has collected about them (not just over the previous 12 months, as under existing law)
Note that this applies only to businesses that do business in California, meaning companies that handle the personal information of California residents. Publicly available information is excluded from the definition of personal information and is not regulated under the CPRA.
Do this right now: Review all data sharing agreements with third parties. Make sure that your marketing department understands this new requirement. Allocate budget to privacy compliance.
2. More small businesses are exempt
The CPRA raises the compliance threshold in favor of smaller companies. The CPRA applies only to businesses that meet at least one of the following thresholds:
- More than $25 million in gross revenue in the previous calendar year
- Buy, sell, or share the personal information of 100,000 or more consumers or households. That's up from 50,000 in the original law (which also counted devices), a massive relief for smaller companies facing hefty compliance costs.
- Earn 50% or more of their annual revenue from selling or sharing personal information
Overall, this is excellent news for small to medium-sized businesses; many will be exempt. However, it's easy to slip over a threshold without realizing it, since the consumer and household count grows with every record you collect or share. That's why it's crucial to audit your organization's data inventory quarterly to confirm you are still under the thresholds.
Do this right now: Review your data repository and usage of personal information to see if you’re regulated under the CPRA. Then, set a meeting on your calendar to review quarterly with your team.
3. There’s now a legal definition of “sensitive information”
The CPRA formalizes a legal definition of "sensitive personal information." Any user data that includes the following, among other categories, is considered sensitive and covered under the CPRA: sexual orientation, religious or philosophical beliefs, union membership, genetic information, biometric data, race or ethnicity, Social Security number, health information, and the contents of personal mail, email, and text messages.
Under the CPRA, consumers can limit a business's use and disclosure of any data that falls under the "sensitive personal information" definition. This limitation has specific implications for targeted advertising that's personalized to the consumer based on sensitive information. Once the consumer exercises that right, you must stop personalizing the advertising on that basis.
Businesses must also only use personal information in a way that is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.” This obligation limits latitude around using personal data and gives more control to consumers.
Do this right now: Audit your data trail and tag every location where you store potentially sensitive personal information. Make sure to isolate that data, restrict access to the people and systems that genuinely need it, and log that access so you can later show how the data was used.
4. Steep fines for violations
For the first time, America has a dedicated privacy enforcement agency: the CPRA creates the California Privacy Protection Agency. This puts actual enforcement behind the law, making voluntary compliance a thing of the past.
Violations now have a cost: $2,500 per violation, which rises to $7,500 for intentional violations and for violations involving the personal information of minors under 16. If you were to accidentally leak data or share or sell data without user permission, you could rack up large fines. Let's say you shared a 1,000-contact email list with a partner, thinking that it was okay. Well, if you haven't honored those users' opt-outs, each contact can count as a separate violation, and at $2,500 apiece that could cost you $2.5 million!
You'll also need to be very careful to use personal information only for the purposes initially disclosed to customers. You'll need to inform customers and get their consent if you plan to use that data for a purpose that's "incompatible with the disclosed purposes for which the personal information was collected." Otherwise, you may be fined for non-compliance.
Do this right now: Update your team about the CPRA, so everyone knows its requirements. You don’t want to run afoul of the CPRA, as it’s something that could cost you a lot of money. Get the team aligned!
Next steps for your business
The CPRA becomes operative on January 1, 2023, with enforcement beginning six months later, on July 1, 2023. But, and it's a big one, the CPRA's right of access applies to any personal information collected on or after January 1, 2022. So, while it might seem like you have some time, you only have about a year to get your data practices in order!
As you can see, privacy management is a largely manual process that requires internal resources. You'll need to allocate sufficient resources to field consumer inquiries and provide explanations around the "how, why, and what for" of your data collection practices.
Your first step should be to take an honest assessment of your organization’s data collection practices. Are you doing things in a transparent and traceable way, or do you have no clue where, when, how, and for what purpose your organization stores customer data? Take some time to chart customer data flow throughout your organization to build a detailed data map. This map should then guide you as you begin down the path to CPRA compliance.
Unfortunately, new regulations are often most onerous on smaller enterprises with less free cash flow. And, with expanded consumer controls and potential fines, there are added costs related to CPRA compliance. Even so, consumers want more controls and transparency around data privacy. It’s a great way to build trust with consumers—and worth the investment over the long term.
Originally published at All Business Technology