A Legal Guide to PRIVACY AND DATA SECURITY 2024

5. Do Not Ignore the California Attorney General. The CCPA has a thirty-day cure period. Sephora’s failure to respond to the Attorney General’s Office notice of noncompliance proved costly. If you receive a notice of noncompliance, take timely steps to correct the problem. The thirty-day cure period goes away with the CPRA.

6. Operationalize Compliance. Make sure you fully comply with the CCPA and CPRA. Re-evaluate your privacy policies and notices for accuracy. Confirm you have appropriate data rights request processes in place. Review your websites and mobile apps, especially those that contain third-party trackers or other adtech solutions, to make sure they are adequately configured to monitor for and honor user-enabled opt-out preference signals, such as the GPC.

California Privacy Rights Act (CPRA). On November 3, 2020, California voters passed the California Privacy Rights Act (CPRA). The CPRA expanded the CCPA and created a new and well-funded enforcement agency known as the California Privacy Protection Agency (CPPA). The CPRA aligns the CCPA even more closely with the EU General Data Protection Regulation (GDPR), granting new privacy rights to California consumers and imposing new obligations on companies – for example, requiring service providers to assist “businesses” to comply with their CCPA obligations – a requirement for processors under the GDPR. The CCPA employee and “B2B” exemptions were not extended under the CPRA. The threshold for a “business” to be covered increased from 50,000 to 100,000 consumers or households, and “devices” was removed from the calculation. The CPRA applies to personal information collected on or after January 1, 2022, with most provisions enforceable on January 1, 2023. A new right to correct was added along with restrictions on “sharing” data. The CPRA empowers the CPPA to issue regulations on obligations to submit data privacy impact assessments.
While businesses have been preparing for enforcement of the CPRA regulations, a California court has delayed enforcement of some of the CPRA rules until March 29, 2024, allowing more time to implement
