California Privacy Rights Act (CPRA) Compliance Checklist

Organizations require top-level support to comply with the CPRA. It is essential that the board, executive directors, or senior management understand the law and its implications to ensure the compliance project receives the necessary resources for long-term success.

What you should do:

• Advise the board about privacy risks and the benefits of CPRA compliance. Download our free CPRA guide for further support.
• Obtain management support for your CPRA compliance efforts. This will require securing the necessary resource and budget for your CPRA project.
• Assign accountability (key roles and responsibilities) for CPRA compliance.

Further information:

The California Privacy Rights Act (CPRA) – An implementation and compliance guide

This book is the ideal resource for organizations that want to understand privacy regulations in California and how to comply with them. It provides the reader with a comprehensive understanding of the CPRA and explains how businesses can implement strategies to comply.

Buy now

A CPRA gap analysis will help you identify gaps in your current practices and prioritize areas to comply with the law. It should cover governance, risk management, CPRA project management, information security responsibility, roles and responsibilities, scope of compliance, process analysis, PIMS, ISMS, and consumer rights.

What you should do:

• Review the CPRA to understand its requirements
• Audit your privacy and security programs against the CPRA’s requirements
• Determine which compliance gaps require remediation

Further information:

California Privacy Rights Act (CPRA) Gap Analysis

This service assesses your organization’s current level of compliance with the CPRA and helps identify and prioritize the key work areas that your organization must address to be compliant.

Inquire about this service

The CPRA grants California consumers the right to know what personal information is collected, processed, and sold, and its source. Data flow maps enable timely, complete, and compliant responses to data access requests by identifying and documenting data collection points.

Data flow maps can facilitate more robust and accurate privacy notices, resulting in a higher degree of compliance. This is because they can reveal downstream processing activities that may not be obvious to data collectors, but of which data subjects must be informed at the time of collection.

What you should do:

• Assess the categories of personal information your organization holds, where the personal information comes from, and the business or commercial purpose for processing it
• Document how personal information flows to, through, and from your organization

Further support:

Data Flow Mapping Tool

The Data Flow Mapping Tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organization processes and why, where it is held, and how it is transferred. The tool is a Cloud-based application, licensed for up to five users and accessible via any compatible browser.

Buy now

Once you have identified your compliance gaps and mapped your personal data flows, you should bring the way you process personal information in line with the CPRA’s requirements. This will include reviewing your existing policies, procedures, and contracts, and implementing new ones as necessary. You will also need to update your website to ensure the appropriate messages are visible to consumers.

What you should do:

• Implement a process to delete consumer data to comply with the CPRA’s right to be forgotten.
• Ensure your personal information protection policies and privacy notices are in line with the CPRA. Provide required CPRA notices including opt-out and opt-in rights.
• If you sell or share personal information, ensure your website contains a “Do Not Sell or Share My Personal Information” option that allows consumers to opt out of the sale or sharing of their personal Information.
• Ensure your privacy policy includes a link to the “Do Not Sell My Personal Information” page.
• Provide a link titled “Limit the Use of My Sensitive Personal Information,” which enables a consumer to limit the use or disclosure of their sensitive personal information to only those authorized uses.
• Review employee, customer, and supplier contracts, and update them if necessary to cover personal information processing.
• Plan how to recognize, verify, and respond to verifiable consumer requests to access or delete personal information.

Further support:

GDPR Toolkit

The EU’s GDPR (General Data Protection Regulation) and the CPRA share many requirements, and many processes designed for GDPR compliance are applicable to the CPRA. Our GDPR Toolkit contains more than 80 document templates – including policies, procedures, and checklists – designed to aid GDPR compliance, which you can adapt to streamline your CPRA compliance program.

Buy now

Implementing appropriate measures to secure the personal information your organization processes is paramount to your compliance.

What you should do:

• Have an information security policy in place
• Implement basic technical controls, such as those specified by established cybersecurity frameworks like the NIST CSF (Cybersecurity Framework), the 20 CIS Controls™, or the information security standard ISO/IEC 27001:2013
• Use encryption and/or deidentification where appropriate
• Create and maintain a robust incident response plan, and ensure policies and procedures are in place to detect, report, and investigate breaches of personal information

Further information:

ISO 27001 implementation

Implementing an ISMS in accordance with global best practice as outlined by ISO 27001 and its control framework ISO 27002 can provide significant benefits in protecting your data and minimizing your risk of a data breach. We offer a wide range of solutions to help you, including free guides and books, training courses, documentation templates, software, and consultancy.

Learn more

You need to ensure that your employees who are responsible for handling consumer inquiries regarding their privacy rights are informed of the CPRA requirements and know how to maintain good data hygiene.

What you should do:

• Ensure internal communications with stakeholders and staff are effective
• Train your employees to understand the importance of personal information protection, basic CPRA principles, and the procedures you have implemented to ensure compliance

How we can help:

California Privacy Rights Act (CPRA) Foundation Training Course

Delivered by an experienced privacy consultant, this one-day, online training course will give you a clear understanding of the main elements of the CPRA. It is suitable for anyone involved in information management, data protection compliance, or data privacy compliance, or as part of implementation programs for organizations located or doing business in the state of California. Participants who pass the included exam are awarded the California Consumer Privacy Act Foundation (CPRA F) qualification by IBITGQ.

Buy now

Complying with the CPRA is an ongoing process, not a one-off project. Periodic internal audits will ensure your activities remain up to date and that you will not fall out of compliance. An audit should review relevant policies to ensure that they are current, compliant, and accessible.

What you should do:

• Schedule regular audits of personal information processing activities and security controls
• Keep records of personal information processing up to date

Further support:

Compliance with the CPRA can be complex and unfamiliar to many organizations. Relying on the audit experience of trained privacy and cybersecurity professionals can minimize your organization’s risk of non-compliance and ensure that you are ready to respond to consumer requests promptly and in accordance with the law.

Contact us now to find out how we can help you improve your CPRA compliance.