With the passing, in November 2020, of the California Privacy Rights Act came a range of new obligations for businesses operating in the State. They must now move swiftly to make sure that every member of staff is conscious of their obligations in order to avoid large-scale financial penalties being imposed on their company.
In order to assist you in coming to terms with the new rules, we have put together a short article detailing the main things that you need to be aware of moving forward. To read more about the introduction of the new data privacy legislation you can read the news story from last November here.
1. Sensitive Personal Information Obligations
The CPRA states that consumers have the power to request that a business not share sensitive personal information. Further to this, there are now a range of rules in relation to ‘sensitive personal information’. This is defined as specific identification numbers including:
- Social Security details
- Account credentials
- Identity card or passport numbers
- Communications content in emails and text messages (if a business is not the recipient of the communication)
- Driver’s license data
- Credit card information
- Geolocation information
- Data elements that fall in line with the European Union’s GDPR provisions including religious and philosophical beliefs; union membership details; health, genetic, and biometric data; and details linked to sexual habits or sexual orientation.
2. The Creation of the California Privacy Protection Agency (CPPA)
This body has been established in order to police data privacy in the jurisdiction. It will be made up of a five-person board. Members of this board will be appointed by the California State Assembly, Senate, and Attorney General. The remaining two members of the board will be nominated by the Governor of California. Among its duties, it will be responsible for conducting investigations, and subsequent hearings, into breaches of the CPRA. Additionally, it will also apply necessary penalties arising from these breaches and assist companies in their attempts to become CCPA compliant.
3. Additional CPRA Data Breach Requirements
It is considered that a breach of the CPRA has taken place when unauthorized access is granted to non-encrypted/non-redacted information, password details or log-in information. In this event the CPRA will permit those impacted to seek compensation via the judiciary.
4. Data Collected for Advertising Controlled by Consumers
The vast majority of companies now rely on cross-context behavioral advertising to profile specific consumers for advertising purposes. There is a legal right, in the CPRA, for consumers to opt out of this gathering of personal data. Due to this, businesses must also change the way that they allow consumers to opt out of this activity.
5. Data & Consumer Rights
In relation to the data that businesses choose to use, the CPRA now empowers consumers with a number of rights. These include:
- The right of correction, which allows individuals to seek the amendment of inaccurate personal information held by a business.
- The extension of the right to deletion to ensure businesses complete deletion requests and maintain a confidential record of deletion requests for future reference.
- Along with the right to a copy of the data a business has collected about them during the year before the request was submitted, consumers can now seek a copy of data collected in relation to them before this time if the business still has it available.
There is a lot to take into account in order to avoid a breach of the new rules. It is most important that all staff members are aware of the obligations under the CPRA in order to avoid a breach occurring due to a lack of knowledge of the obligations that your company must meet.