Preparing Your Business’s Privacy Policy for the California Privacy Rights Act

The Digital Age has brought more data collection than ever thought possible. Despite this increase in consumer data collection, Congress has yet to pass any federal regulation governing collection. As a result, many state legislatures across the country are scrambling to enact legislation that will protect their citizens’ data privacy. Though Indiana has yet to pass its own comprehensive privacy legislation, the legislation of other jurisdictions has extensive implications for Indiana business owners as they become subject to contrasting data privacy laws of other states.

Business owners in all states should be aware of laws and initiatives as they develop to ensure they are in compliance and to avoid fines or lawsuits. California has proven to hold businesses to the strictest standard in the United States in protecting its citizens’ data privacy with the introduction of the California Consumer Protection Act (CCPA) in 2018, and the California Privacy Rights Act (CPRA), which will take effect January 1, 2023.

Businesses without a California presence may believe a law passed in California does not affect their operations, but the California laws regulate all entities that serve or employ residents of California and collect revenue from selling personal data, even if the business exists outside the state. Therefore, if your business serves even one California resident, it is subject to the requirements set in the forthcoming CPRA.

To ensure compliance with new laws such as the CPRA and to protect your business from data breaches, lawsuits, or fines, it is imperative to have an updated privacy policy that meets the standards set forth in the CPRA. A solid externally-facing privacy policy describes the information a business collects and explains how the information is collected in a way that is easy for consumers to understand. It should also ensure that consumers are aware of their rights under applicable law, and provide a designated person whom consumers may contact to opt out of data collection, to access the data collected, or to ask general questions related to the privacy policy.

A privacy policy will protect not only your consumers, but also your business. In the unfortunate event of a data breach, a properly implemented and updated privacy policy can shield your business from liability or otherwise mitigate exposure.

The CCPA and CPRA define numerous rights for California residents, including specific rights regarding access and restricting use of data collected. The CCPA, a revolutionary advancement in data privacy laws, defines personal information broadly to give citizens sweeping protection from data collection. Under the CCPA, personal information includes common identifications such as address and full name, but goes further to include email addresses, credit card transactions, IP addresses, household information, and biometric data.

The CPRA takes this legislation a few steps further. The CPRA builds on the foundation of the CCPA, expanding its scope to include more businesses and defining a new category of information: “sensitive personal information.” This category includes social security numbers, sexual health or orientation status, biometric data, and geolocation data. Finally, the CPRA bolsters existing rights under the CCPA and adds new consumer rights such as the right to opt out of automated decision making and the right to not only access, but also correct data.

An effective privacy policy should reach the standard of the CPRA even if the business currently does not serve any California residents. Early compliance guards against liability if your company does serve a California customer, prepares for new laws passed by states that your company currently serves, and will make your company ready for potential overarching federal data privacy regulation.

If your business is looking to update its privacy policy to ensure compliance with new data privacy laws, please contact a member of the Cybersecurity team at Barrett McNagny.

Barrett McNagny LLP
