What is CPRA compliance?
The CPRA (California Privacy Rights Act) is a new law that builds on the CCPA (California Consumer Privacy Act) and strengthens consumer data privacy rights in California.
It expands the scope of personal information covered by the CCPA and creates new rights for Californians, including the right to correct inaccurate personal information, the right to delete personal information, the right to know what personal information businesses collect and how it is used, and the right to opt out of the sale of personal information.
Compliance with the CPRA involves updating privacy policies and practices to meet the new requirements and providing additional transparency and consumer controls.
Learn more about the CPRA’s requirements and how they could affect your organization
What is the difference between the CCPA and CPRA?
The CCPA took effect in 2020 and provides California residents with the right to know what personal information companies are collecting about them, the right to opt out of the sale of their personal information, and the right to request deletion of their data.
The CPRA is an updated version of the CCPA and took effect on January 1, 2023. It provides California residents with additional rights, such as the right to opt out of data sharing and the right to receive equal services and pricing regardless of their data sharing choices. The CPRA also imposes stricter data security standards and more stringent enforcement measures.
Free PDF: CPRA Compliance Checklist
To help organizations comply with the CPRA, we’ve created this simple compliance checklist to help you determine whether the CPRA applies to your organization and, if it does, provide an overview of what you need to do to comply with the law. Download your free copy of the CPRA compliance checklist today.
Download now
Who does the CPRA apply to?
The CPRA applies to any for-profit organization that does business in California and collects or determines the purposes and means of processing consumers’ personal information. In addition, it only applies to businesses that:
- Have an annual gross revenue of more than $25 million;
- Annually buy, sell, or share the personal information of 100,000 or more consumers or households; or
- Derive 50% or more of their annual revenue from selling or sharing consumers’ personal information.
It is important to be aware that the CPRA applies not only to your organization but also to all organizations you do business with, and there are important requirements that you should familiarize yourself with.
Step 1: Obtain board-level support and establish accountability
Organizations require top-level support to comply with the CPRA. It is essential that the board, executive directors, or senior management understand the law and its implications to ensure the compliance project receives the necessary resources for long-term success.
What you should do:
- Advise the board about privacy risks and the benefits of CPRA compliance. Download our free CPRA guide for further support.
- Obtain management support for your CPRA compliance efforts. This will require securing the necessary resource and budget for your CPRA project.
- Assign accountability (key roles and responsibilities) for CPRA compliance.
Step 2: Identify your CPRA compliance gaps by conducting a detailed gap analysis
A CPRA gap analysis will help you identify gaps in your current practices and prioritize areas to comply with the law. It should cover governance, risk management, CPRA project management, information security responsibility, roles and responsibilities, scope of compliance, process analysis, PIMS, ISMS, and consumer rights.
What you should do:
- Review the CPRA to understand its requirements
- Audit your privacy and security programs against the CPRA’s requirements
- Determine which compliance gaps require remediation
Step 3: Create a personal information inventory and map data flows
The CPRA grants California consumers the right to know what personal information is collected, processed, and sold, and its source. Data flow maps enable timely, complete, and compliant responses to data access requests by identifying and documenting data collection points.
Data flow maps can facilitate more robust and accurate privacy notices, resulting in a higher degree of compliance. This is because they can reveal downstream processing activities that may not be obvious to data collectors, but of which data subjects must be informed at the time of collection.
What you should do:
- Assess the categories of personal information your organization holds, where the personal information comes from, and the business or commercial purpose for processing it
- Document how personal information flows to, through, and from your organization
Further support:
Data Flow Mapping Tool
The Data Flow Mapping Tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organization processes and why, where it is held, and how it is transferred. The tool is a Cloud-based application, licensed for up to five users and accessible via any compatible browser.
Buy now
Step 4: Develop operational policies, procedures, and processes
Once you have identified your compliance gaps and mapped your personal data flows, you should bring the way you process personal information in line with the CPRA’s requirements. This will include reviewing your existing policies, procedures, and contracts, and implementing new ones as necessary. You will also need to update your website to ensure the appropriate messages are visible to consumers.
What you should do:
- Implement a process to delete consumer data to comply with the CPRA’s right to be forgotten.
- Ensure your personal information protection policies and privacy notices are in line with the CPRA. Provide required CPRA notices including opt-out and opt-in rights.
- If you sell or share personal information, ensure your website contains a “Do Not Sell or Share My Personal Information” option that allows consumers to opt out of the sale or sharing of their personal Information.
- Ensure your privacy policy includes a link to the “Do Not Sell My Personal Information” page.
- Provide a link titled “Limit the Use of My Sensitive Personal Information,” which enables a consumer to limit the use or disclosure of their sensitive personal information to only those authorized uses.
- Review employee, customer, and supplier contracts, and update them if necessary to cover personal information processing.
- Plan how to recognize, verify, and respond to verifiable consumer requests to access or delete personal information.
Further support:
GDPR Toolkit
The EU’s GDPR (General Data Protection Regulation) and the CPRA share many requirements, and many processes designed for GDPR compliance are applicable to the CPRA. Our GDPR Toolkit contains more than 80 document templates – including policies, procedures, and checklists – designed to aid GDPR compliance, which you can adapt to streamline your CPRA compliance program.
Buy now
Step 5: Implement processes and technical measures to secure personal information
Implementing appropriate measures to secure the personal information your organization processes is paramount to your compliance.
What you should do:
- Have an information security policy in place
- Implement basic technical controls, such as those specified by established cybersecurity frameworks like the NIST CSF (Cybersecurity Framework), the 20 CIS Controls™, or the information security standard ISO/IEC 27001:2013
- Use encryption and/or deidentification where appropriate
- Create and maintain a robust incident response plan, and ensure policies and procedures are in place to detect, report, and investigate breaches of personal information
Further information:
ISO 27001 implementation
Implementing an ISMS in accordance with global best practice as outlined by ISO 27001 and its control framework ISO 27002 can provide significant benefits in protecting your data and minimizing your risk of a data breach. We offer a wide range of solutions to help you, including free guides and books, training courses, documentation templates, software, and consultancy.
Learn more
Step 6: Ensure employees are trained and competent
You need to ensure that your employees who are responsible for handling consumer inquiries regarding their privacy rights are informed of the CPRA requirements and know how to maintain good data hygiene.
What you should do:
- Ensure internal communications with stakeholders and staff are effective
- Train your employees to understand the importance of personal information protection, basic CPRA principles, and the procedures you have implemented to ensure compliance
How we can help:
California Privacy Rights Act (CPRA) Foundation Training Course
Delivered by an experienced privacy consultant, this one-day, online training course will give you a clear understanding of the main elements of the CPRA. It is suitable for anyone involved in information management, data protection compliance, or data privacy compliance, or as part of implementation programs for organizations located or doing business in the state of California. Participants who pass the included exam are awarded the California Consumer Privacy Act Foundation (CPRA F) qualification by IBITGQ.
Buy now
Step 7: Monitor and audit compliance
Complying with the CPRA is an ongoing process, not a one-off project. Periodic internal audits will ensure your activities remain up to date and that you will not fall out of compliance. An audit should review relevant policies to ensure that they are current, compliant, and accessible.
What you should do:
- Schedule regular audits of personal information processing activities and security controls
- Keep records of personal information processing up to date
Further support:
Compliance with the CPRA can be complex and unfamiliar to many organizations. Relying on the audit experience of trained privacy and cybersecurity professionals can minimize your organization’s risk of non-compliance and ensure that you are ready to respond to consumer requests promptly and in accordance with the law.
Contact us now to find out how we can help you improve your CPRA compliance.
Contact us
Speak to an expert
If you’re looking for help with your CCPA compliance project, get in touch with our experts. They can advise you on which of our products and services are best suited to your needs.