The California Privacy Rights Act (CPRA): 10 Things Companies Should Do


Several important changes will come into play when the California Privacy Rights Act (CPRA) becomes fully operative on Jan. 1, 2023. Among them:

  • California residents will have new rights with respect to their personal information.
  • Previously exempted business-to-business and employee-related personal information will likely become subject to the law’s requirements.
  • Heightened technical standards will be further developed for honoring requests to opt out of online behavioral advertising.

Organizations should evaluate whether and to what extent the CPRA will affect their processes and practices. Even organizations that have already implemented a CCPA compliance program will need to consider how to enhance it to meet CPRA requirements and keep pace with the ever-changing privacy regulatory landscape.

Here are 10 steps companies should consider taking to prepare for CPRA:

1. Conduct a gap assessment to determine whether the CPRA applies to your organization or whether any CPRA compliance gaps exist in the current CCPA program.

2. Update the CPRA compliance roadmap to include definitive target dates and begin implementation. Consider leveraging existing efforts to come into compliance with upcoming changes to consumer privacy laws in other states, including Virginia and Colorado.

3. Update senior management on the potential impact on your organization. Work with your CPRA compliance team to ensure regular meetings address CPRA compliance.

4. Determine whether software development work is required to meet the new requirements, and ensure the responsible teams add it to this year's development roadmap.

5. Update your organization’s data maps: Because the CPRA includes a one-year look-back period starting January 1, 2022, make sure data maps include CPRA-specific details, including sensitive personal information designations, data retention periods and information on B2B and employee data.

6. Update customer and vendor contracts to incorporate CPRA-specific language.

7. Identify privacy notices that your organization should update before January 1, 2023.

8. Update your consumer rights response protocol to account for new categories of personal information, including sensitive personal information, and the additional rights granted to consumers (e.g., opt out of selling or sharing personal information for targeted advertising).

9. Review your organization’s security posture and identify potential enhancements.

10. Make applicable changes to your websites, apps, and related online properties to address new compliance requirements (e.g., update opt-out button to also include opt out of “sharing” personal information).

If you need help with your CPRA-compliance roadmap, see our CPRA FAQ Guide or contact a member of Orrick's Cyber, Privacy and Data Innovation Group. To receive updates on the CPRA, and other global privacy and cybersecurity developments, sign up here.