Uber CSO Convicted - How to Prepare For The CPRA’s Enforcement

Our previous coverage details the many changes the California Privacy Rights Act of 2020 (CPRA) has undergone since it was first proposed in 2020 as a replacement to the California Consumer Privacy Act of 2018 (CCPA). The CPRA was set to take effect on January 1, 2023, but that has not been the case.

The California Privacy Protection Agency (CPPA) is still taking public comments on the modified text of the CPRA—an outline of which can be found here.[1] Reuters notes that businesses likely won’t receive their full marching orders until the end of January or February 2023, “given the Office of Administrative Law's (OAL) 30-day review period[,]” and the potential for further changes.

Next Steps

Regardless of the enforcement date, your organization can begin preparing for the release of the CPRA now by:

  • Determining if the CPRA applies to your organization;

  • Establishing a means of receiving consumer requests or complaints regarding their personal information, along with policies and procedures for carrying out requests under a consumer’s rights to access, correct, delete, and port their data and to opt out of their data being shared;

  • Establishing a written information security plan that will ensure the confidentiality and accessibility of personal data;

  • Updating your consumer-facing applications and websites to include privacy notices and disclosures;

  • Limiting your organization’s data collection and retention to only that which is necessary;

  • Adopting a policy requiring data minimization and retention principles, which require an organization to only collect a consumer’s personal information or data if it is necessary;

  • Establishing safeguards to protect collected consumer information, and procedures to delete said information once your organization no longer needs it; and

  • Reviewing your organization’s security safeguards to ensure your processes for encrypting, authenticating, and controlling consumer information are in accordance with the most recent guidelines, including those provided by NIST.


[1] https://cppa.ca.gov/meetings/materials/20221021_22_item3_expmodtext.pdf
