Three Key Business Practices Will Assist Organizations in Complying With New California Privacy Rights Act, Says Info-Tech Research Group

The new California Privacy Rights Act (CPRA) demands that businesses processing consumer data comply with stricter, more well-defined regulations to avoid potential fines and lawsuits.

TORONTO, April 21, 2023 /PRNewswire/ - California is leading the United States in privacy legislation. The state passed landmark legislation to protect consumer privacy with the California Consumer Privacy Act (CCPA) in 2018, and now it is expanding on these consumer rights with the CPRA. Additional compliance areas in the new legislation bring the state closer to being on par with the highest global standard, the European Union's General Data Protection Regulation (GDPR). To support organizational leaders in their efforts to ensure their businesses are CPRA-compliant without disrupting operations, Info-Tech Research Group has released its timely blueprint Comply With the California Privacy Rights Act.

"The challenge for businesses is to find a non-disruptive way to adopt privacy practices into their operations and goals," says Alan Tang, principal research director of Security & Privacy at Info-Tech Research Group. "Regardless of which jurisdiction an organization operates within, complying with the provisions of the CPRA is critical and non-negotiable. Leaders must be prepared to build better business practices that will support their organizations in staying compliant."

This new act is of particular interest in the digital marketing space, as most businesses rely on personal data from social media analytics to promote their campaigns and must consider privacy in all planning and design discussions for marketing and advertising initiatives. Digital marketing under the CPRA will require a complete reevaluation of business marketing strategy.

Three new CPRA requirements also stand out for their significant impact on the marketing and digital advertising industry. The new requirements are below:

Do not share or sell – Businesses must provide the option to consumers to opt out of the sharing and selling of their personal data.

Opt-out – Organizations must also provide the option for consumers to opt out of cross-contextual behavioral advertising and opt out of both the sale and sharing of their personal information.

Right to correct – Fulfilling consumers' right to correct any inaccurate personal information in an organization's repository is now an organizational responsibility.

In response to these legislative changes, Info-Tech's new industry resource suggests three key practices that organizational leaders should strive to master both to remain compliant with CPRA regulations and to maintain regular, non-disruptive business functions. These practices are as follows:

Know what data is collected and where it is stored – Businesses will be required to reasonably limit the collection of personal information to what is necessary for the purpose of conducting business. Retention of personal information will also be limited to the least amount of time necessary, and said data must be stored securely.

Proactively respond to and track verifiable consumer requests – Consumers' right to access and control their data is a key part of the CPRA. Organizations must disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request. This type of request was previously known as a data subject access request (DSAR).

Conduct risk assessments regularly – The CPRA requires risk assessments to be conducted on a regular basis. Businesses are mandated to implement reasonable security procedures and practices appropriate to the kind of personal information they collect.

The blueprint reminds organizations that privacy programs can be compliant one day but quickly fall out of compliance the next amid constantly evolving requirements. Keeping up with new and amended regulations can be daunting, and "checkbox compliance" no longer works in this dynamic environment. A privacy program that is proactive and able to measure success as regulations continue to evolve is crucial to overall organizational compliance.

To access the complete research for guidance on ensuring an organization is CPRA-compliant, organizational leaders can download Comply With the California Privacy Rights Act.

