Data Privacy Leaders, Are You Prepared for January 2023? The Countdown to CPRA

by Micro Focus Employee in CyberRes

DataGrail released a report recently to provide insights on the changes and new costs the California Privacy Rights Act (CPRA) will bring, entitled “Countdown to CPRA: Making the Most of the Next Few Months.” The report observed that since the California Consumer Privacy Act (CCPA) went into effect on 1 January 2020, millions of California consumers have exercised their CCPA rights. And last year the numbers doubled.

Data Subject RequestPrivacy leaders should plan for even more change. Absent intervention from the California legislature, the nation's first comprehensive data privacy law, the CCPA, as amended by the CPRA, will go into effect 

If you aren’t based in California, you may think that the CPRA won’t matter to you. Not so fast! The scope is any legal, for-profit entity that collects California consumers’ personal information (which is a lot of companies) must follow the law if it meets any of the following:  

  • Has an annual gross revenue of over $25 million in the previous calendar year. 
  • Buys, sells, or shares the personal information of 100,000 or more consumers or households (this is either alone or in combination with another company).
  • Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information. 

Compared to the CCPA, the CPRA aligns more closely with the General Data Protection Regulation (GDPR). It includes employees, contractors and business contacts as “consumers” (data subjects), and grants Californians additional rights to limit how businesses handle and share their data beyond the requests allowed under CCPA. It also introduces European style data minimization and use limitation obligations. 

Unlike CCPA, the CPRA makes privacy requests retroactive with its look-back provision. Think of the look-back provision as a privacy Wayback Machine, meaning a company’s present-day data practices can (and will be) scrutinized tomorrow, and could lead to fines. The look-back provision is a forcing function for businesses to rethink their PII collection and retention practices ahead of the Jan 2023 start date.

 CPRA will force companies to make privacy an interdisciplinary function. You should take steps now to integrate privacy into your overall business. By adopting the GDPR principles, the CPRA tasks organizations with reaching a holistic understanding of their data practices, including retention. 

To learn more:

Join our Voltage Data Privacy and Protection Community. Keep up with the latest Tips & Info about Data Privacy and Protection. We’d love to hear your thoughts on this blog. Log in or register to comment below.


Data Privacy and Protection