In November 2020, California voters approved what is arguably the most comprehensive privacy rights law in the nation. The California Privacy Rights Act does not take effect until January 1, 2023. But its requirements are far-reaching, and California business owners have a lot of work to do to prepare their businesses for compliance with the law before that date. Moreover, violations of the new Act prior to 2023 can cause bad public relations and potential liability in other areas. Business owners should meet with a California lawyer now to determine how the new law will affect their business, what steps must be taken, and the most efficient process for implementing these measures as soon as possible. The sooner these changes are integrated into a company’s practices and culture, the less likely it is the business will face liability under the Act.
Corporate Responsibilities Under the California Privacy Rights Act
The CPRA requires businesses to track an entirely new category of user data: “sensitive personal information.” This includes government-issued identifiers, finance information, biometric data, health status, precise geolocation, contents of emails or texts, and race or ethnic origin. Sensitive personal information is a subcategory of personal information that is protected under existing privacy laws. This means that it, too, must be de-identified or subject to an aggregation exception. The CPRA adds an additional requirement for businesses to implement “reasonable security measures” to protect personal information. What measures are “reasonable” will be determined by the type of information that is collected. Detailed financial or medical records will likely require higher levels of security than basic demographic information. Retention periods must also be updated to meet only what is reasonably necessary to perform the purposes for which the data was collected. This means that sensitive personal information might have a shorter retention policy than more general personal information.
Consumers have the right to restrict the use and disclosure of their sensitive personal information in the same manner as their personal information. The CPRA also adds additional consumer rights: in addition to the right to delete and request access, consumers may also request that a business correct inaccurate personal information. The provisions of old and new privacy laws will be enforced by a new private agency with the power to enforce related regulations.
Call Us Today to Discuss Your CPRA Compliance Practices with a California Business Lawyer
So what can an attorney do to help your business prepare for new regulations? Business owners will need to start by mapping their consumer data to identify all potential sources of sensitive personal information. An attorney can help business owners develop the practices that will identify and protect this data before ultimately destroying it in compliance with data retention rules. These new procedures must be ongoing to address the needs of new data that is collected by your business. They must also be effectively integrated by your employees in every case before the new law takes effect. An experienced California business lawyer can help your business develop a comprehensive data policy that ensures compliance with old and new privacy laws while also reducing your potential for liability. Contact Structure Law Group at (408) 441-7500 or contact us through our website to schedule a consultation.