
CPRA Business Requirements and Best Practices

In this chapter, we will focus on business requirements and best practices for staying in compliance with the CPRA law. We'll look at a few real-world scenarios about employers working hard to meet the CPRA requirements regarding customer personal information.

Privacy Policy Requirements

The CPRA requires businesses to include specific items in their privacy policy, including a list of all consumer rights and two or more designated methods for submitting the requests allowed to consumers under the CPRA. For businesses that operate solely online, this includes a toll-free phone number or an email address. The policy should also include a list of the categories of personal information the business collects or has collected in the preceding 12 months, a list of the sources from which consumer data is collected, the business purpose for collecting, selling, or sharing consumer data, and the categories of third parties to whom consumer information is sold or shared.

Organizational Methods of Response

An organization must have dedicated methods of delivering responses to individuals after they have made a lawful request regarding their personal data. As a best practice, the organization should train the employees who handle the responses and include the details of its response methods in its privacy policy. If your business falls under the scope of the CPRA, you are also required to provide a "Do Not Sell My Personal Information (DNSMPI)" link to your customers.

Additional CPRA Business Requirements

Let's talk about more business requirements that organizations must follow in order to remain in compliance under the CPRA.

1. Must Respond to Consumer Requests

A best practice is for an organization to have a system for responding to consumer requests regarding their personal data. Where possible, streamline and/or automate the system as the organization becomes more familiar with its process.

2. Must Provide Employee Training

Businesses must provide CPRA compliance training for members of their organization on an annual basis, such as EasyLlama’s CPRA course.

3. Must Explain Rights & Provide Contact Info

Businesses are required to explain the rights consumers have under the CPRA. This can be included in the organization's privacy policy. Consumers should have access to the business's contact information in the event they would like to exercise their rights as listed under the CPRA.

Requirements for handling the personal data of minors

California privacy law gives kids the "right to opt in," meaning their personal information cannot be sold or shared unless they affirmatively authorize the use of such data. Children ages 13 through 16 years old must authorize the sale or sharing of their personal information themselves. For children under the age of 13, a parent or guardian must authorize the sale or sharing of the minor's personal information. The CPRA requires businesses to wait 12 months before requesting to resume the selling or sharing of personal data after a minor has chosen to opt out.

Steps to Prevent a Data Breach

In order to protect personal information, CPRA requires businesses to take steps to prevent a potential data breach. 

Here are some requirements to keep in mind:

  • Each organization should have a breach management procedure in place, and also have an incident response plan in the event of a breach.

  • It is also up to the organization to notify consumers as soon as possible if a breach does occur.

  • If a data breach involves 500 or more California residents, the business must submit a single sample copy of the notification to the California Attorney General or the California Privacy Protection Agency.

EasyLlama’s extensive CPRA training program for Employers

EasyLlama’s CPRA training course is both engaging and interactive. Through this course, employees will gain knowledge on the rights granted to California customers, the responsibilities of businesses, the potential consequences of not complying with the CPRA, and the best methods for abiding by the law. All organizations that collect personal data from California residents can benefit from this program.

The Most Comprehensive online CPRA Training

Any organization that gathers personal data from California residents can benefit from this course. Its purpose is to help employees understand the regulations that govern how data is gathered, used, and shared, so that they are better equipped to protect consumer data. The course covers:

Chapter 1: Introduction to CPRA Training
Chapter 2: What is CPRA?
Chapter 3: Consumer Rights
Chapter 4: Business Requirements and Best Practices
Chapter 5: CPRA Exemptions
Chapter 6: Enforcement and Penalties
Chapter 7: What Have We Learned?