CPRA Regulations are Immediately Enforceable: What You Need to Know

A California Appellate court recently ruled that the regulations of the CPRA, which were slated to go into effect on March 29, 2024, are now fully enforceable.

The CPRA amends and expands the existing California Consumer Privacy Act (CCPA) adopted on March 23, 2023. At the time, the courts determined that enforcement of the CPRA would begin on March 29, 2024.

On February 9th, 2024, a California Appellate court reversed the trial court’s ruling that had delayed CPRA enforcement. The decision declared that this data privacy legislation is in immediate effect, and that any business obligated to comply with CPRA requirements must do so immediately.

What does the CPRA do?

The CPRA grants consumers the right to know, access, correct, limit, delete, and obtain any Personal Information a business may have at any time. It also provides anti-discrimination protections to consumers.

The CPRA does not restrict a business’s ability to collect, store, sell, or share a consumer’s Personal Information. It does create obligations on how businesses handle data and how they must disclose data handling practices.

It also requires businesses to provide users with opt-out methods when it comes to the processing, selling, or sharing of personal information.

This is especially important for businesses with websites, because data collected by third-party applications like Google Analytics, cookies, or similar tracking technologies is considered Personal Information.

Businesses must comply with user preference management by honoring Global Privacy Control (GPC) requests. GPC is a browser setting that communicates a user’s privacy preferences by sending a signal to each website the user visits.

Businesses can honor GPC requests by installing a Consent Management Platform (CMP) that automatically communicates a user’s preferences. It meets other requirements and performs other vital functions, but we’ll go into that more later.
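The GPC signal described above reaches a website as the HTTP request header `Sec-GPC: 1` (browsers also expose it to page scripts as `navigator.globalPrivacyControl`). The following is an added example, not code from the original post or from Tenrec or any CMP vendor, showing how a server can detect the signal and treat it as an opt-out of sale/sharing that overrides stored preferences; the header dictionary shape, the cookie-category names and `effective_consent` are assumptions.

```python
"""Honor a Global Privacy Control (GPC) signal server-side.

Assumes request headers arrive as a plain name->value mapping (as in most
Python web frameworks). Category names are constructed for this example.
"""
from typing import Dict, Mapping

# Consent categories that count as "selling or sharing" personal information.
# These names are assumptions; a real CMP defines its own taxonomy.
SALE_SHARE_CATEGORIES = {"advertising", "third_party_analytics"}


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only when the request carries `Sec-GPC: 1`.

    Header names are matched case-insensitively. The GPC specification only
    defines the value "1"; an absent header or any other value is treated as
    "no signal", never as consent.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def effective_consent(headers: Mapping[str, str],
                      stored_prefs: Mapping[str, bool]) -> Dict[str, bool]:
    """Merge a user's stored CMP preferences with the GPC signal.

    A GPC signal is a valid opt-out of sale/sharing, so it switches off every
    sale/share category even if the stored preferences allowed them. Other
    categories (e.g. strictly necessary cookies) are left as stored.
    """
    prefs = dict(stored_prefs)
    if gpc_signal_present(headers):
        for category in SALE_SHARE_CATEGORIES:
            prefs[category] = False
    return prefs


def allowed_categories(consent: Mapping[str, bool]):
    """Categories whose tags may be loaded for this request, sorted by name."""
    return sorted(c for c, ok in consent.items() if ok)
```

The decision should be made on every request, since a visitor may enable GPC after first recording preferences in the cookie banner.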

Is my business required to comply with the CPRA?

Any for-profit organization located in, or that “does business” in, the state of California is required to adhere to the CPRA if it:

Made over $25 million in global gross revenue in the previous calendar year.
– OR –
Has 50% or more annual revenue which comes from selling or sharing consumers’ personal information.
– OR –
Buys, sells, or shares personal information of at least 100,000 California residents with third parties.

What do I do if my organization meets one of the CPRA compliance thresholds?

While it is advisable for every organization to evaluate its data collection and retention practices and to adhere to the stipulations of the CPRA, businesses that meet a threshold requirement must comply or risk fines and other consequences.

    1. Review and assess your website’s privacy policy, cookie policy, and notice at collection statements. If these documents do not exist, create them. Be sure all CPRA content requirements are met.
      • It is not necessary to write these documents from scratch or have an attorney create them for you. CPRA-compliant templates and generators are readily accessible throughout the internet. Tenrec recommends this Privacy Policy generator, and this Cookie Policy generator.
      • The Privacy Policy and Cookie Policies should be on their own pages and should be linked to each other where applicable.

    2. Install and implement a Consent Management Platform (CMP) that gives users the ability to set their data collection preferences or opt-out of collection entirely.
      • Most CMPs will also create a Cookie Banner and Preference Management Center, which are also required by the CPRA.
      • There are a number of certified Google CMP Partners, but we like OneTrust and TrustArc.
      • Another important note is that businesses must provide clear and conspicuous links on the website’s homepage that direct users to a page where they can opt out of the selling or sharing of their data. It is also best practice to place this link, along with links to your Privacy and Cookie Policies, in the footer of your site.
      • There are a few more intricate details of what those links require, so be sure to do your research in order to be CPRA compliant.

    3. Finally, abide by and act on the data collection policies you’ve outlined on your website, and handle user requests as required by law.
      • Your policy documents MUST show dates indicating when they were created and/or last reviewed. The date(s) must be within the last calendar year. Make a habit of reviewing and refreshing these documents every year.
      • Save and archive the old versions of your privacy policy and cookie notice.

Other data privacy legislation

Colorado, Connecticut, Utah, and Virginia all have active data privacy legislation. While California’s CPRA is the most comprehensive and robust law, each state’s requirements differ.

As of March 2024, there are six states with data privacy laws taking effect in the coming years. Those states are:
  • Delaware: 1/1/2025
  • Florida: 7/1/2024
  • Iowa: 1/1/2025
  • Indiana: 1/1/2026
  • Tennessee: 7/1/2025
  • Montana: 10/1/2024
  • New Jersey: 1/1/2025
  • Texas: 7/1/2024
  • Oregon: 7/1/2024

Other states, like New York, are also beginning to work on similar legislation. We expect to see even more states (than are listed above) enacting similar laws in the next few years.

How Tenrec can help

Tenrec helps businesses succeed by making their websites and online applications look and perform better. As part of that promise, we keep our clients apprised of changes to data-privacy law where they do business. We also assist our clients in maintaining their privacy policies, website terms and conditions, cookie preference manager and other related functions.