In November 2020, California voters approved what is arguably the most comprehensive privacy rights law in the nation. The California Privacy Rights Act (CPRA) does not take effect until January 1, 2023, but its requirements are far-reaching, and California business owners have a lot of work to do to bring their businesses into compliance before that date. Moreover, practices that would violate the new Act, even before 2023, can cause bad public relations and create potential liability in other areas. Business owners should meet with a California lawyer now to determine how the new law will affect their business, what steps must be taken, and the most efficient way to implement those measures as soon as possible. The sooner these changes are integrated into a company’s practices and culture, the less likely the business is to face liability under the Act.
Corporate Responsibilities Under the California Privacy Rights Act
The CPRA requires businesses to track an entirely new category of consumer data: “sensitive personal information.” This includes government-issued identifiers such as Social Security, driver’s license, and passport numbers; financial account and payment card information; biometric data; health information; precise geolocation; the contents of emails or text messages; and racial or ethnic origin. Sensitive personal information is a subcategory of the personal information already protected under existing privacy law, so the same rules apply to it, including the exception for consumer information that has been de-identified or aggregated. The CPRA adds a further requirement that businesses implement “reasonable security procedures and practices,” appropriate to the nature of the information, to protect personal information from unauthorized access, destruction, use, modification, or disclosure. What is “reasonable” will therefore depend on the type of information collected: detailed financial or medical records will likely require stronger safeguards than basic demographic information. Retention periods must also be updated so that data is kept no longer than is reasonably necessary for the purposes for which it was collected. This means that sensitive personal information may warrant a shorter retention period than more general personal information.