Skip to content.
Call NAVEX

CPRA Compliance

What is the CPRA?

The California Privacy Rights Act (CPRA) amends and expands upon California’s existing California Consumer Privacy Act (CCPA). It is a state law that gives California residents the right to know what personal information companies collect about them, why it is collected, and what is done with it. The law also gives residents the right to ask companies to delete or correct their personal information, as well as the right to opt out of selling their personal information.

Binary code as flooring with miniature people walking on it

NAVEX One®

Challenges Managing CPRA Compliance

The California Privacy Rights Act (CPRA) expands upon a host of requirements for companies doing business in the Golden State, even if they’re not based in California. The act is intended to give California residents more control over how companies collect and use their personally identifiable information (PII) by granting them rights to view and control the PII that companies collect about them, similar to the goal of GDPR in the E.U. Companies subject to the CPRA must comply with the data privacy law by creating mechanisms that allow California residents to exercise those rights.

Woman working on laptop

Under the CPRA, California consumers may request to:

  • Learn what personal information is being collected, how it is used and disclosed
     
  • Have their personal information deleted and/or corrected
     
  • Restrict companies from selling or sharing (for cross-context behavioral advertising purposes) their personal information

Risks from regulatory non-compliance and litigation can be severe. The CPRA establishes the first state enforcement agency dedicated to privacy. The CPRA allows the state to seek civil monetary penalties for each infraction, and consumers can file their own civil litigation seeking damages arising from personal information breaches. Compliance requires organizations to have effective risk management practices.

Unfortunately, there is still a lot of uncertainty around how to systematize and comply with the CPRA in a way that aligns with the organization’s other compliance efforts.

Woman working on laptop

What You Need to Meet CPRA Compliance

Clear Policies

Development and disclosure of privacy policies to align with CPRA compliance.

Training

Employees must be trained on the company’s responsibilities under the data privacy law on how to handle consumer inquiries.

Intake Systems

Mechanisms to allow consumers to submit data subject requests.

Data Map

The company should identify PII it collects about California residents, how that data is processed, and where the data resides.

Breach Response Plan

Protocol to disclose a breach once discovered, or to investigate allegations of a breach brought to the company’s attention.

Steps You Can Take to Ensure CPRA Compliance

Step 1

Understand what data you have, why it is collected, how it is used, and how it travels through your organization. Assess for risk to that data and develop and implement plans to protect it.

Step 2

Make sure your policies and procedure management program remains in alignment with California’s data privacy law as it evolves.

Step 3

Offer multiple methods for consumers to submit data subject requests, including a toll-free telephone number and a streamlined information-gathering process. The CPRA requires a minimum of two opt-out methods for the majority of companies.

Step 4

Perform a risk assessment on third parties you share data with and service providers that handle PII on your company’s behalf. Confirm that your policies and procedures for working with those third parties and service providers address CPRA compliance issues.