Top 10 Action Items for 2022: The California Privacy Rights Act (CPRA)

January.18.2022

The California Privacy Rights Act (CPRA) became law on December 16, 2020, and amended the California Consumer Privacy Act (CCPA).  When the CPRA becomes fully operative on January 1, 2023, these important changes, among others, come into play:

  • California residents will have new rights with respect to their personal information (“PI”).
  • Previously exempted business-to-business (“B2B”) and employee-related PI will likely be subject to the law’s requirements, and (3) heightened technical standards for honoring requests to opt out of online behavioral advertising will be further developed.

With less than a year to go, it is critical for organizations to carefully evaluate whether and to what extent the CPRA may impact their business processes and practices. Even organizations that have implemented a CCPA compliance program will need to consider how to enhance their compliance program to meet CPRA requirements and address the ever-changing privacy regulatory landscape.

Building on last year's CPRA checklist, we've developed an updated list of the 10 essential steps that companies can consider taking now to prepare for the CPRA:

  1. Conduct a gap assessment to determine whether the CPRA applies to your organization or any CPRA compliance gaps in the current CCPA program.
  2. Update the CPRA compliance roadmap with definitive target dates and begin implementation. Consider leveraging any existing efforts by your organization to come into compliance with upcoming changes to consumer privacy laws in other states, including Virginia and Colorado.
  3. Update senior management on the potential impact on your organization, and work with your designated CPRA compliance team to ensure regular meetings are scheduled to address CPRA compliance.
  4. Determine if software development work is required and ensure software development teams update this year's development roadmap.
  5. Because the CPRA includes a one-year look-back period starting January 1, 2022, update your organization’s data maps as soon as possible to include new CPRA-specific details, including sensitive personal information designations, data retention periods, and information regarding B2B and employee data.
  6. Begin updating customer and vendor contracts to incorporate CPRA-specific language.
  7. Identify privacy notices that will need to be updated, and update notices before January 1, 2023.
  8. Update your consumer rights response protocol to account for the new categories of PI, including sensitive PI, and the additional rights granted to consumers (e.g., opt out of selling or sharing PI for targeted advertising) under the CPRA.
  9. Review your organization’s current security posture and identify potential security enhancements to be implemented this year.
  10. Make any applicable changes to your websites, apps, and related online properties to address new compliance requirements (e.g., update opt-out button to also include opt out of “sharing” personal information). 

If you need help with your CPRA-compliance roadmap, see our CPRA FAQ Guide or contact a member of Orrick's Cyber, Privacy and Data Innovation Group. To receive updates on the CPRA, and other global privacy and cybersecurity developments, please sign up here.