All businesses – even those in Arkansas, not just those located in California – should be aware of changes to California’s data privacy law.
In 2020, Californians expanded upon their flagship privacy law by passing the California Privacy Rights Act (“CPRA”), granting new privacy protections to California consumers, and creating new obligations for businesses. The CPRA is set to go into effect on Jan. 1, 2023. Because the law does not limit enforcement to just California businesses, now is the time for Arkansas businesses to ensure they are compliant. To do so, there are three questions businesses should ask:
1. Does this law really apply to my business? If you were subject to the California Consumer Privacy Act (“CCPA”), chances are high that you will remain subject to the CPRA. This will require businesses to update their existing compliance structure. If not, businesses may now be subject due to changes in the law’s definitions. Any for-profit entity doing business in California that collects the personal information of California consumers is a “business” required to comply with the CPRA if the entity:
- Had annual gross revenues exceeding $25 million the preceding year
- Buys, sells, or shares personal information of 100,000 California consumers or households
- Or derives 50% or more of its annual revenue from selling or sharing data
The sharing component is noteworthy. The CCPA did not include data sharing as part of the definition, but the CPRA has added it. Thus, businesses that share personal information of California consumers with third parties but do not receive monetary compensation from those third parties for the data are now subject to the CPRA if they meet the other definitional requirements.
As an example, if your business discloses California consumer information to a third party for the purposes of delivering targeted advertisements online, you may now be a “business” subject to the requirements of CPRA even though you are not “selling” the information.
2. When was the last time you updated your website privacy policies? If it has been a while, chances are there are some changes you will need to include. If you are brand new to California privacy, you will need to create a new section regarding the rights of California consumers with respect to their personal information. The CPRA provides a format in which to make mandatory disclosures, as well as specific requirements for what to say.
If you already have such a policy because of the CCPA, you will need to update your policy to reflect the additional rights afforded Californians, such as the right to correct inaccuracies, and the right to limit use and disclosure of sensitive personal information.
3. Are you able to deliver on your promises? Your business should be prepared to respond to California consumers who choose to exercise their new rights under the law and provide relevant opt-out methods. For example, if someone requests deletion of their personal information, you will need to have a way to comply and respond within 45 days unless you have deidentified the data.
Your business may need to make technical or operational changes to fulfill such requests. Thorough data mapping is a great first step to ensure that you know what data you have, where you have it, and who can access it, so that you are not scrambling when the requests roll in.
Businesses should keep an eye out for future state regulations pertaining to obtaining consent from their California consumers, the use of automated decision-making technology, and requirements for cybersecurity audits. As the deadline for compliance rapidly approaches, businesses need to be mindful of their newfound obligations for data they hold about California residents, even when they are located far from California.