Preparing Your Business’s Privacy Policy for the California Privacy Rights Act
The Digital Age has brought more data collection than ever thought possible. Despite this increase in consumer data collection, Congress has yet to pass any federal regulation governing collection. As a result, many state legislatures across the country are scrambling to enact legislation that will protect their citizens’ data privacy. Though Indiana has yet to pass its own comprehensive privacy legislation, the legislation of other jurisdictions has extensive implications for Indiana business owners as they become subject to contrasting data privacy laws of other states.
Business owners in all states should be aware of laws and initiatives as they develop to ensure they are in compliance and to avoid fines or lawsuits. California has proven to hold businesses to the strictest standard in the United States in protecting its citizens’ data privacy with the introduction of the California Consumer Protection Act (CCPA) in 2018, and the California Privacy Rights Act (CPRA), which will take effect January 1, 2023.
Businesses without a California presence may believe a law passed in California does not affect their operations, but the California laws regulate all entities that serve or employ residents of California and collect revenue from selling personal data, even if the business exists outside the state. Therefore, if your business serves even one California resident, it is subject to the requirements set in the forthcoming CPRA.
To ensure compliance with new laws such as the CPRA and to protect your business from data breaches, lawsuits, or fines, it is imperative to have an updated privacy policy that meets the standards set forth in the CPRA. A solid externally facing privacy policy describes the information a business collects and explains how the information is collected in a way that is easy for consumers to understand. It should also ensure that consumers are aware of their rights under applicable law, and provide a designated person whom consumers may contact to opt out of data collection, access the data collected, or ask general questions related to the privacy policy.
A privacy policy will protect not only your consumers, but also your business. In the unfortunate event of a data breach, a properly implemented and updated privacy policy can shield your business from liability or otherwise mitigate exposure.
The CCPA and CPRA define numerous rights for California residents, including specific rights regarding access and restricting use of data collected. The CCPA, a revolutionary advancement in data privacy laws, defines personal information broadly to give citizens sweeping protection from data collection. Under the CCPA, personal information includes common identifications such as address and full name, but goes further to include email addresses, credit card transactions, IP addresses, household information, and biometric data.
The CPRA takes this legislation a few steps further. The CPRA builds on the foundation of the CCPA, expanding its scope to include more businesses and defining a new category of information: “sensitive personal information.” This category includes social security numbers, sexual health or orientation status, biometric data, and geolocation data. Finally, the CPRA bolsters existing rights under the CCPA and adds new consumer rights such as the right to opt out of automated decision making and the right to not only access, but also correct data.
An effective privacy policy should reach the standard of the CPRA even if the business currently does not serve any California residents. Early compliance guards against liability if your company does serve a California customer, prepares for new laws passed by states that your company currently serves, and will make your company ready for potential overarching federal data privacy regulation.
If your business is looking to update its privacy policy to ensure compliance with new data privacy laws, please contact a member of the Cybersecurity team at Barrett McNagny.