The Road to CPRA Compliance: It’s Time to Start Moving Down It

March 18, 2022

With less than a year to go to 2023, and the changing US privacy obligations that come with it, covered businesses should act now to ensure they are prepared to comply with the new obligations introduced by the California Privacy Rights Act. Here are some of the things your business might consider: 


CPRA Compliance Roadmap & Timeline

Phase I for CPRA Compliance: Now

If you haven’t already, it is time to start working towards best practices for data mapping. Data mapping involves identifying and documenting the lifecycle of personal information from the moment your organization collects it until it is securely destroyed. You must know and document what, where, why, how, and when personal information is collected, used, stored, transmitted, and securely destroyed. You should also ensure that any sensitive personal information you collect is identified and noted and that you’ve updated your data maps to include B2B and employee data which will no longer be excluded come January 2023. 

Reduced Obligations for Some Companies under the CPRA

If your company collects information by searching the internet and/or social media sites or through data aggregation you may actually be able to slim down your data maps and have fewer obligations under CPRA. This is because the definition of publicly available information (PAI) will broaden under CPRA and PAI falls outside the scope of the law. Currently, under the CCPA, publicly available information is narrowly defined as “information that is lawfully made available from federal, state, or local government records.” Under the CPRA, the definition of publicly available information will expand to include “information that a business has a reasonable basis to believe is lawfully made available to the general public” by the consumer, from widely distributed media, or by a person to whom the consumer has disclosed the information so long as the consumer has not restricted the information to a specific audience. 

You should work with your legal counsel from the outset to consider how the CPRA will impact your business and reflect on whether there are alternative methods of collecting data that might reduce your obligations. 

Data Mapping is Key to CPRA Compliance

At this point, it’s also worth considering whether your company needs and uses all the data it’s collecting. If not, we suggest changing your existing processes so that you no longer collect this information. Data minimization is an incredibly effective risk mitigation measure and can help to build consumer trust. Doing so can also help your company minimize the amount of data it needs to map and track and keep costs down as it further prepares for CPRA coming into effect.  

Phase II to CPRA Compliance: As early as possible, but by June at the latest.  

Once you’ve mapped your data flows, you can start to build processes and develop and/or implement software to manage that data in line with the regulatory requirements under the CPRA. The earlier you start with this, the better. In particular, you need to be sure you have the capability to honor the new rights offered to consumers under CPRA (e.g., the right of rectification, the right to opt-out of selling or sharing of personal information for targeted advertising).  

This is also a good time to really take a look at your cybersecurity protections and develop a timeline for future cybersecurity audits, as required by the CPRA. Since you’ll likely need to engage a third-party cybersecurity advisor to perform a technical assessment, it’s best that you start this process as soon as possible. 


Phase III to CPRA: October – December 2022

In the three months prior to the CPRA coming into effect, your employees should receive training on their obligations under the legislation, as well as best practices for data handling and cyber security. New employees should ideally receive this privacy and cybersecurity training during the onboarding process, and then annually or biannually afterwards. Documenting this training is a best practice. 

Hiring a high-quality external training provider can be a good idea – particularly if your company handles sensitive personal information or children’s data. If you aren’t in a position to hire an external training provider, consider at least implementing robust data handling policies internally and strong data handling practices. It’s important to consult with an experienced privacy and data security attorney when developing these processes and policies. 


Build Your CPRA Compliance Roadmap with CGL

If you need assistance developing your company’s roadmap to CPRA compliance, reach out. Our experienced privacy attorneys would be thrilled to help. 


The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.

Other Articles

External Privacy Policy with hand hovering above it and reading glasses sitting on it Is an External Privacy Policy Enough?
GDPR Explained: A Quick Guide for U.S. Businesses
Children’s Data Privacy: Five Takeaways from the FTC’s Recent Workshop

    Ready to Talk?
    Contact Us

    We would to hear from you

    Please take a moment to tell us a few things about your needs and someone from our team will reach out to you as soon as possible.

    We would to hear from you

    Thank you for reaching out!

    Someone from our team will get back to you shortly

    We would to hear from you