After its passage in 2018, the California Consumer Privacy Act (CCPA) became California’s first comprehensive privacy law and the first state law of its kind in the US. Since it entered force in 2020, businesses operating in California have transformed their privacy-related business operations to comply.
New changes to the law are fast approaching.
Once it takes effect on January 1, 2023, the California Privacy Rights Act (CPRA) will amend consumer rights under the CCPA and establish new requirements for covered organizations. Businesses subject to the CCPA must pay close attention to what’s new under the CPRA and respond with structural updates to their privacy programs.
Privacy rights under the CPRA
The CPRA establishes additional consumer rights for California residents and extends these rights to employees, resulting in new obligations for businesses. As of January 1, 2023, consumers have the following rights:
In addition to these rights, consumers also have the right to opt out of automated decision-making. The law does not yet spell this right out explicitly, but it contains a provision directing the creation of regulations that will require businesses to address it. As automated systems continue to spread across industries, this provision could have a significant impact on privacy rights in the future.
These new rights aim to further protect consumer privacy. Organizations must address them by revising their CPRA program strategies and adopting modern privacy tools.
Privacy rights requests under the CPRA
Consumer rights requests, or privacy rights requests, are one area of the law that will see new changes entering force at the start of 2023. A privacy rights request is an inquiry from a consumer to a business that articulates their wish to exercise their privacy rights.
For example, a consumer may wonder what data a company holds about them and request that the personal information be deleted. Since the CPRA grants consumers new rights, starting in January they may also ask to opt out of the sale or sharing of their personal information or to limit the use of their sensitive data.
The law states that organizations must provide at least two dedicated intake methods for privacy rights request submissions. Teams have 45 days to respond to a privacy rights request, counted from the day the request is received, and 15 days to process an opt-out of sale request, regardless of the submission method. That translates to anywhere from 2 to 6 weeks to develop an action plan for each inquiry arriving over the phone, by mail, over email, through a web form, or via a consumer-controlled privacy portal.
Dos and don’ts of privacy rights requests
With January fast approaching, it’s important to start reconfiguring your privacy program as soon as possible. Among the many new considerations to keep in mind, these regulatory changes also present an opportunity to streamline and enhance existing processes.
Consider how these dos and don’ts can play a role in your revised privacy strategy.
Do plan your approach
Rather than retrofit new consumer rights into your existing privacy operation, take this chance to review your intake process from 30,000 feet. Ultimately, you should be striving toward automation to keep workloads manageable.
You may find new opportunities for efficiency and scale by documenting and mapping out repeatable workflows. Keep in mind that edge cases will come up. Having automated processes will free up the necessary team bandwidth to address them in a timely manner.
Do create a standardized request intake workflow
The CPRA stipulates that businesses provide at least two methods to receive consumer rights requests. You’ll need a toll-free phone number, a link on your website, and the ability to process mail.
Standardizing your approach keeps this manageable. For example, it is better practice to link to a web form than to a privacy inbox. A web form, when implemented correctly, can collect the necessary verification information and automatically trigger downstream actions. In contrast, privacy inboxes can easily become inundated with large volumes of mail and create manual work for teams.
As for your call center, make sure the phone representatives collect the appropriate information to process privacy rights requests without the need for follow-up.
Do incorporate consumer validation
Organizations should conduct a reasonable validation process before processing privacy rights requests. Otherwise, you may end up providing personal information to an unauthorized user, which could potentially constitute a breach.
In most instances, you can validate consumers using existing authentication data, such as their account number, address, or date of birth. In more sensitive cases, consider escalating using security questions or document uploads to validate identity.
Do invest in training
Ensure that any staff who interact with privacy rights requests have appropriate training. This may extend beyond the privacy team. Consider who monitors company inboxes, such as IT, marketing, or sales, and provide them with workflows to support company-wide compliance.
Don’t force account creation
The CPRA prohibits businesses from requiring account creation for privacy rights submissions.
Don’t let requests slip through the cracks
A major focus of your privacy program should be keeping consumer satisfaction top of mind. While 45 days to respond to privacy requests may sound like a long time, even the best-laid plans have vulnerabilities.
Building in the appropriate preventative controls can eliminate issues before they start and provide consumers with answers sooner.
Don’t request unnecessary personal information
Teams must ensure the intake process doesn’t collect more personal information than is absolutely necessary for request verification. Too many questions that collect unnecessary data may violate collection limitation and data minimization principles of the CPRA.
If you use privacy software to streamline your program, third-party identity validation service integrations may be available that don’t require businesses to collect new personal data.
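The intake rules from this post (the 45- and 15-day clocks counted from receipt, validation against data already on the account with escalation for sensitive requests, and a minimization allow-list on the verification questions) combined into one small request tracker. This is an added example, not OneTrust code; the field names, the choice that deletion requests need the elevated tier, and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deadlines stated in the post, counted from the day the request is received:
# 45 days to respond to a privacy rights request, 15 days for an opt-out of sale.
DEADLINE_DAYS = {"access": 45, "delete": 45, "opt_out": 15, "limit_sensitive": 45}

# Data-minimization allow-list: the only identity fields intake may collect.
# The standard tier reuses data already on the account; the elevated tier adds
# a security question. Field names and which kinds need the elevated tier are
# this example's assumptions, not requirements from the post.
STANDARD_FIELDS = {"account_number", "postal_code", "date_of_birth"}
ELEVATED_FIELDS = STANDARD_FIELDS | {"security_answer"}
ELEVATED_KINDS = {"delete"}

@dataclass
class Request:
    req_id: str
    kind: str                # key of DEADLINE_DAYS
    received: date
    channel: str             # "phone", "web_form", "mail", "email" or "portal"
    submitted: dict          # identity fields supplied by the requester
    completed: Optional[date] = None

def intake(req_id: str, kind: str, received: str, channel: str, submitted: dict) -> Request:
    """Log a request. The clock starts on the receipt date, not on verification,
    and no account creation or login is ever required to submit one."""
    if kind not in DEADLINE_DAYS:
        raise ValueError(f"unknown request kind: {kind}")
    return Request(req_id, kind, date.fromisoformat(received), channel, submitted)

def due_date(req: Request) -> str:
    return (req.received + timedelta(days=DEADLINE_DAYS[req.kind])).isoformat()

def verify(req: Request, on_file: dict) -> bool:
    """Match every required identity field against the account record.
    Raises if intake collected a field outside the allow-list, so over-collection
    is caught before any data is released."""
    allowed = ELEVATED_FIELDS if req.kind in ELEVATED_KINDS else STANDARD_FIELDS
    extra = set(req.submitted) - allowed
    if extra:
        raise ValueError(f"intake collected unnecessary fields: {sorted(extra)}")
    return all(f in req.submitted and req.submitted[f] == on_file.get(f) for f in allowed)

def overdue(queue: list, today: str) -> list:
    """IDs of open requests past their deadline, so none slip through the cracks."""
    now = date.fromisoformat(today)
    return [r.req_id for r in queue if r.completed is None and now > date.fromisoformat(due_date(r))]
```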
The case for automation
Automated privacy rights fulfilment leads to valuable outcomes for businesses of all sizes. Mature privacy programs rely on automation to scale their efforts and process colossal numbers of privacy rights requests. And growing companies can use it to protect their teams’ time and energy without compromising their commitment to CPRA compliance.
You can automate some or all of the three steps to processing consumer rights requests.
When all three play a role in one complete automated system, you can gain the greatest efficiencies from the process and maintain the detailed records you need for compliance audits.
Stay up to date on the CPRA
With new California Privacy Protection Agency (CPPA) regulations also on a path to be finalized, make sure you stay informed about any additions to the law and its implementing regulations. Regular updates on the law will help your organization respond to new requirements in a timely, efficient manner.
Learn more about staying informed on everything CPRA with OneTrust DataGuidance.
Get to know OneTrust CPRA
OneTrust CPRA provides an integrated suite of solutions specifically designed to support CPRA privacy rights requests. The platform helps users to reduce manual tasks, save time, and accelerate compliance outcomes with helpful features such as:
Discover how OneTrust CPRA can help your business simplify privacy rights request management and keep your compliance program up to date with current requirements.