On February 9, 2024, California’s Third District Court of Appeal ruled that the CCPA may begin enforcing its voluminous set of regulations. If you aren’t compliant, the CCPA suggests you review your policies and take steps now to avoid getting a call from one of its agents.
California’s CCPA and CPRA are not the only rules covering customers’ privacy rights; companies doing business overseas must also comply with the GDPR. With enforcement now open, you do not want to wait until you are audited by a privacy compliance watchdog, or worse, until your practices surface during the discovery process of a lawsuit.
Under the CPRA, California’s legislature enforces very stringent privacy guidelines. If you operate a business in California or handle data from California residents, it’s imperative you stay in compliance with these regulations to safeguard your customer data, not only for legal compliance but also to promote customer trust and sustain successful long-term relationships.
At STAUFFER, we work with organisations to bring them to compliance with the tangled web of laws regulating how they handle and store their customers’ private data. One of the most important first steps is explaining the differences between the CPRA and the CCPA, California’s additional privacy laws, and the penalties/consequences being enforced.
The California Privacy Rights Act (CPRA) was adopted by the state of California in November 2020 and is a significant piece of legislation. The CPRA builds upon the existing California Consumer Privacy Act (CCPA) and further strengthens privacy rights for California residents by introducing new requirements and obligations for businesses operating in California. Non-compliance can lead to hefty fines and penalties.
The CCPA requires business privacy policies to include information on consumers’ privacy rights and how to exercise them:
The CPRA created two additional rights, further protecting Californians:
The expanded definition of personal information includes categories such as precise geolocation data, sensitive personal information, and certain inferred data types. This means your business must update your privacy policies to reflect these expanded definitions and inform your users of the types of data you collect and how it is used.
The first and most notable fine for violating CCPA was a $1.2 million penalty against the beauty company Sephora. Sephora was found to have unlawfully sold customers’ personal data to third-party trackers without their consent.
This fine could have been avoided. Better safeguards and prioritising customers’ data privacy and security would have kept them in the clear. Organisations can learn from Sephora’s missteps and use the CPRA to their advantage. By embracing California’s new privacy protections, your organisation can build trust with your customers while ensuring compliance with privacy regulations.
Right now, the California attorney general has focused on lower-profile consumer-facing brands that interact with a lot of personal information, not just Big Tech. This could mean trouble for organisations of any size or shape. No one is immune from these privacy protection laws, and taking action toward safeguarding your consumer data should be one of your highest priorities.
We help numerous companies comply with the specific standards California requires for their customers. This includes giving your customers the right to opt out of exploitive data storage and to access enhanced transparency about your business’s information practices, among other steps.
For example, your company could have ten or more vendors, databases, analytics platforms, and data brokers with whom you must do business. The information shared with these parties needs to be stored and transported safely. In these cases, implement user data management solutions such as tokenizing your user data: replace the identifying fields with opaque tokens so that these third-party systems can no longer tie the data back to your customers.
When done correctly, tokenizing data allows the tokenized ID to be disassociated from the user’s profile when a deletion request is processed. This effectively leaves the data on the other systems useless, aligning with newer CPRA user rights requirements.
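The following is an added example, not STAUFFER’s code or a product it describes, showing the deletion flow just outlined: a token vault holds the only link between a random token and the customer it stands for, third parties receive nothing but the token, and processing a deletion request drops the mapping so the rows those third parties keep can no longer be tied back to anyone. The customer identifier, vendor name and event strings are constructed sample data.

```python
"""Token vault for sharing customer identifiers with third parties.

Added example (not STAUFFER's code). The vault is the only place the
token-to-customer link exists; vendors, analytics platforms and data brokers
only ever see the token. Customer id, vendor name and events are constructed.
"""
import secrets
from typing import Dict, List, Optional


class TokenVault:
    """Maps customers to opaque tokens; the only store that holds the link."""

    def __init__(self) -> None:
        self._token_to_customer: Dict[str, str] = {}
        self._customer_to_token: Dict[str, str] = {}

    def tokenize(self, customer_id: str) -> str:
        """Return the customer's token, minting a random one on first use.

        The token is random rather than a hash of the identifier: a hash is
        deterministic, so a third party holding a list of candidate e-mail
        addresses could recompute it and re-identify the record.
        """
        token = self._customer_to_token.get(customer_id)
        if token is None:
            token = secrets.token_urlsafe(16)  # 128 bits of randomness
            self._customer_to_token[customer_id] = token
            self._token_to_customer[token] = customer_id
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Resolve a token to its customer, or None once it has been unlinked."""
        return self._token_to_customer.get(token)

    def process_deletion_request(self, customer_id: str) -> bool:
        """Drop both directions of the mapping; False if never tokenized."""
        token = self._customer_to_token.pop(customer_id, None)
        if token is None:
            return False
        del self._token_to_customer[token]
        return True


class ThirdPartyStore:
    """Stand-in for a vendor or analytics platform that only receives tokens."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.events: Dict[str, List[str]] = {}

    def record(self, token: str, event: str) -> None:
        self.events.setdefault(token, []).append(event)

    def events_for(self, token: str) -> List[str]:
        return self.events.get(token, [])


def demo_deletion_flow(customer_id: str = "customer-1042@example.com"):
    """Share tokenized events with a vendor, then honour a deletion request.

    Returns (resolvable_before, resolvable_after, rows_vendor_still_holds):
    the vendor keeps its rows, but after deletion nobody can map them back.
    """
    vault = TokenVault()
    vendor = ThirdPartyStore("analytics-vendor")  # constructed vendor name

    token = vault.tokenize(customer_id)
    vendor.record(token, "viewed:product/123")
    vendor.record(token, "purchase:order/987")
    assert vault.tokenize(customer_id) == token  # stable for the same customer

    resolvable_before = vault.detokenize(token) == customer_id

    vault.process_deletion_request(customer_id)
    resolvable_after = vault.detokenize(token) is not None

    # If the customer returns later, a fresh token is minted; the old rows
    # held by the vendor stay orphaned and cannot be joined to the new profile.
    assert vault.tokenize(customer_id) != token

    return resolvable_before, resolvable_after, len(vendor.events_for(token))


if __name__ == "__main__":
    print(demo_deletion_flow())  # (True, False, 2)
```

The design point is that the vault, not the third party, is the deletion boundary: you never have to chase every vendor to purge their copies, because removing one mapping makes all of those copies unlinkable at once. In production the two dictionaries would live in a database with access restricted to the vault service, and the deletion should be logged so the request can be evidenced during an audit.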
While complex, these privacy laws protect your consumers’ personal information and empower companies and customers with greater control and transparency. It is crucial to comply with these laws and remain vigilant to ensure your businesses respect individuals’ privacy rights and safeguard their data from misuse or exploitation. With established efforts to uphold privacy laws, we can assist you in creating a safer and more secure environment for your customers.
If you’re an online business with any measurable contact with consumers in California, you must comply with CCPA and CPRA. Start by reviewing and updating your existing privacy policies, assessing data collection and processing practices, enhancing security measures, and seeking legal counsel for specific concerns.
Remember, the CPRA imposes additional obligations on businesses and expands the rights of consumers. Taking proactive steps to comply with the CPRA can help you avoid potential penalties or, worse, debilitating business cyber attacks.
As a California-based business, STAUFFER offers assistance in taking proactive steps to help your company implement systems and procedures that keep you in compliance with the CCPA and CPRA. A data privacy compliance audit will ensure your business remains free from financial liabilities tied to these newer privacy laws and demonstrates a commitment to protecting your valuable customer data.