What Can I Do To Stay Privacy Act Compliant Under CPRA?
Part 3 of 3 in the Privacy Act Series.
We know – Consumer Privacy Act information is a lot to absorb. Without translating the pages and pages of text from the CPRA itself, and all of the peripherals involved, I will attempt to break it down for you in a few (ok, ten) key points. If you are just plain too busy, or this type of thing makes your brain hurt, my team is ready to help.
- Know your obligation to the CPRA in terms of what personal information is being collected on consumers and know whether their information is being sold and to whom.
- Make it clear and simple for your customers to opt out of their information being sold, as well as obtain a copy of their personal information.
- Ensure your customers receive equal service and price regardless of whether they exercise their CPRA rights.
- Map your consumer data. If you are obligated under CPRA, start by mapping the personal customer information under your control. Take note of:
  - How you collect personal information
  - The type of personal information you collect or keep
  - Where and how you store your data
  - Whether you share data with other entities
  - Whether shared data is part of a sale, a provided service, or used for another purpose
Consumers exercising CPRA have the right to request their information, and businesses will need to comply with such consumer requests. Personal information that is held by a third party on behalf of your business is subject to regulations, so in addition to conducting your own data mapping, it is important to be sure all of your third-party vendors do the same and share the results with you.
- Keep your privacy disclosures updated. The CPRA gives consumers the right to know what personal information is being collected about them. Businesses must provide a privacy disclosure at or before the point of data collection, and this disclosure must make consumers aware of the categories of personal information which will be collected and the purposes for which the information will be used, as well as any third-party information for usage.
As part of regulatory compliance, privacy disclosures must be updated annually.
- Make a privacy link readily available on your homepage. The CPRA calls for a clear and conspicuous privacy link on the homepage of any obligated entity’s business website. It must be titled “Do Not Sell My Information,” and linked to an opt-out page allowing consumers to opt out of having their personal information sold.
- Develop a process for handling Consumer Privacy Act requests. Businesses must be ready to respond to consumer requests about their personal information allowed under the CPRA. These requests must be processed free of charge and within 45 days of the request. Customers may make CPRA requests for the following:
  - Copy of their personal information contained in your database
  - Request their personal information be deleted from your database
  - Know the categories of their personal information which are being sold
  - Request to opt out of the sale of personal information for those over 16 years old
  - Request to opt in for the sale of personal information for those between the age of 13 and 16
  - Obtain consent from a guardian to sell personal information from a consumer under 13 years old
It is important that your business pay close attention to the noted age requirements. The law states that “a business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.” Age information could prove to be a risk area in CPRA compliance.
- Identify necessary data collection system privacy changes, and implement them.
Data collection systems will need to be updated, and this can prove quite the undertaking for business owners. Prioritizing changes and procedural updates within your change management process is key, and no one needs to be late to this party. Sound daunting? Our team can help you get started AND see you through the entire process.
- Train your employees on Consumer Privacy Act best practices.
Educated employees can put you way ahead of the curve. All employees, especially those in customer-facing roles, must be educated on the following:
  - Physical location does not determine CPRA coverage
  - For CPRA purposes, a consumer is a resident of California
  - Where to direct consumer requests regarding personal information
  - Whether your organization has chosen to apply this law company-wide or only to California consumers
- Strengthen your data security for CPRA and the protection of your customers.
Because the CPRA allows consumers to seek damages for breached personal information due to violations on the part of the business, financial consequences can be mighty harsh. Obligated businesses should make a point to review and update their information security and privacy policies at least annually, while continuously monitoring their data security firewalls to ensure risk is mitigated to the greatest extent possible.