HOW TO PREPARE FOR THE CALIFORNIA PRIVACY RIGHTS ACT
Employment and Labor Update
Most businesses are aware that consumer privacy is a very high priority for lawmakers across the U.S. California was the first state to venture into the consumer privacy fray in passing the California Consumer Privacy Act (CCPA), which was amended by the passage of the California Privacy Rights Act (CPRA). Other states, such as Colorado and Virginia, have also passed consumer privacy laws. Among the more daunting requirements of the CCPA is that a subject business must disclose the categories and specific pieces of personal information it has collected, including the sources and purposes for collecting the information, and the types of third parties with which the business shares the personal information that it has collected about the consumer, including employees.
Passage of the CPRA delayed many of the CCPA mandates until Jan. 1, 2023, a welcome, although somewhat misleading reprieve for many businesses that have employees or customers in California. Complying with the CPRA (and other state’s laws) will take significant planning and attention, so affected businesses would be wise not to delay preparation for these requirements. Starting on January 1, 2023, a business must be able to provide consumer information looking back 12 months, in other words for 2022.
To add to this urgency, a business will have only 45 days after it receives a request to provide the information to the consumer. Therefore, businesses that are subject to the CPRA must not delay in planning their processes to limit disruption. It is far better to prepare a game plan now than to put it off until later in the year when everyone is scrambling.
Understanding how data flows through your company and how the types of data you handle flows to other parts of the business, and third parties, is critical in order to comply with these privacy laws. An initial step for any business is to begin a data mapping exercise to identify the types, sources and uses of consumer information that is collected. There are third-party vendors that can help with this project.
If you have questions about compliance with the new privacy laws, or other privacy and data security matters, please do not hesitate to contact Fennemore’s Privacy and Data Security Group.