Legislative Updates

Preparing for CPRA Obligations and Compliance Challenges


Emptech's founder, Jeff Aleixo


Jeffrey Aleixo

CPRA Obligations, Data Privacy Compliance

Given the increasingly developing area of privacy regulations, companies need to reconsider everything from collecting data to storage, retention, access, disposal, and more. After the passage of the California Consumer Privacy Act (CCPA) in 2018, this trend of data protection and privacy compliance was continued with the passage of the California Privacy Rights Act (CPRA). Since this is one of the most expansive and strict data privacy laws, businesses should be aware of CPRA obligations and possible compliance challenges to help them approach planning for and complying with this law.

CPRA Basics and Overview

In November 2020, California voters approved the CPRA as an amendment to the CCPA. The CPRA modifies, expands, and clarifies privacy rights for California residents, and in a variety of ways, it takes inspiration from the EU’s GDPR. 

Under the CCPA, the threshold for application are organizations that buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices. Under the CPRA, this has been increased to apply to those that buy, sell, or share the personal information of 100,000 or more California residents or households. 

The CPRA increases consumer rights and places additional obligations on businesses. It also expands the type of data covered through a wider definition of sensitive personal information (PI), including geolocation, race, genetic information, and more. Consequently, businesses need to make it even easier for consumers to access, correct, or delete their data. In addition to this, consumers’ opt-out rights from the CCPA have also been expanded under CPRA. 

Finally, the Act establishes a new enforcement body called the California Privacy Protection Agency. This agency will address policymaking and enforcement of privacy laws previously managed by the California Attorney General.

One of the main compliance challenges for businesses is how they will adapt their existing programs to meet CPRA obligations. The CPRA does not come into effect until January 1, 2023, but in the meantime, the CCPA is still applicable and enforceable.

With the passage of additional privacy legislation, businesses need to revise and update their compliance. Learn more about the main differences between the CCPA and CPRA compared to the GDPR.

CPRA Obligations and Compliance Challenges

Even though drafted with the primary goal of protecting California consumers, the CPRA also extends its protections to California residents in their roles as employees, applicants, independent contractors, and other work-related roles, in other words, HR Individuals. In their capacity as consumers, HR Individuals will enjoy six data rights. These include the rights to know, correct, and delete their personal information held by an employer, or by the employer’s vendor on the employer’s behalf. HR Individuals will also gain the right to opt-out of the sale or sharing of their personal information and to restrict the use of their sensitive personal information. Apart from this, the CPRA provides HR Individuals with the right not to be punished for exercising these rights.

As a result, some of CPRA compliance challenges may be reviewing the existing practices and introducing changes to contracts, privacy notices, individual rights response procedures as well as other privacy operations.

To meet CPRA obligations effectively, employers can make some of the following efforts:

  • Develop and document a retention policy that complies with applicable employer data retention obligations, 
  • Draft an employee privacy policy that complies with new statutory obligations under CPRA,
  • Understand the information that the business collects, the categorization of data, the location of the data, and the steps to access, correct, or delete the data,
  • Reviewing partner contracts to correctly classify service providers and contractors from third parties, and that the contracts include the necessary restrictions depending on the classification,
  • Determine the legal, HR, and technology support responsible for the efforts necessary to build a privacy compliance program and respond to privacy rights requests, and
  • Develop procedures for responding to employee requests.

Proactive Steps to Comply with the CPRA

The impact of California’s privacy laws has already become evident as a number of U.S. states have privacy bills in progress and many of them are based on California privacy acts. Virginia passed the Consumer Data Protection Act that both borrows from and in some ways overspans the CCPA and CPRA. In addition to this, Colorado has become the third state to pass a comprehensive data privacy legislation, the Colorado Privacy Act (CPA). Therefore, with the speed and volume of changes in privacy compliance requirements, businesses need to take proper steps in the process of maintaining customer relationships and data privacy.

CPRA is the most robust consumer privacy law in the U.S. so far and there will probably be additional privacy bills to come. To ensure fulfilling CPRA obligations, organizations will need to become smarter and more transparent about what they collect, on whom, and how they use it. The best way to navigate these tasks is to plan ahead, determine what resources companies need, including types of internal and external support. Given that data governance and security compliance programs require time, attention, and effort from all aspects of a business, it is wise to integrate proper technology and ensure compliance and peace of mind.

Ensure effective compliance with a range of advanced, industry-leading solutions designed to simplify compliance with different privacy laws.
The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emtpech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.