The California Privacy Rights Act (CPRA) is legislation that aims to safeguard California residents’ digital privacy. It acts as an amendment to, and an upgrade of, the earlier California Consumer Privacy Act (CCPA).

The main difference between GDPR and CCPA is that the GDPR covers all “data subjects” regardless of location or citizenship, whereas the CCPA only protects California residents.

Moreover, the CPRA only affects for-profit entities that meet one of these three criteria:

  1. Buy, sell, or share the data of at least 100,000 consumers or households (previously, the CCPA’s limit was 50,000 customers)
  2. Generated $25 million in gross sales as of January 1 of the previous year
  3. Derive at least 50% of their total revenue from selling personal information


Since the CPRA will go into effect on January 1, 2023, organizations should start preparing to meet its requirements or otherwise face penalties.

How the CPRA Redefines Data Sharing

Data sharing is any release of information (whether oral, written, electronic, or other form) to third parties.

According to the CPRA, data sharing includes cross-contextual behavioral advertising, which refers to targeting consumers based on their activity across multiple businesses, websites, apps, or services to generate revenue or tailor services to meet customer needs.

Under the CPRA, third parties are defined as entities that:

  • A consumer does not intentionally interact with
  • Are not service providers or contractors of the business


For data to be considered “shared,” the organization must have:

  • Shared personal information with any third-party company that is not a service provider or a contractor
  • Used information from other sources to deliver targeted ads to the consumer


CPRA Data Retention Requirements

When the CPRA takes effect, businesses subject to the legislation will be required to:

  1. Identify how long they plan to keep Californians’ personal data and update notices to reflect that
  2. Set up rules and procedures to ensure personal information is stored only as long as necessary to achieve the goals for which it was collected


Become Compliant With CPRA Data Retention Requirements

Step 1: Assess if Your Company Meets the New Criteria

The CPRA raised the CCPA’s threshold number of consumers or households from 50,000 to 100,000. Furthermore, the threshold now counts only personal information that is bought, sold, or shared.

This implies that even if a business receives personal information from Californian citizens, it may be excluded from the CPRA if it buys, sells, or shares such information for fewer than 100,000 consumers.

Step 2: Check if Your Company Collects Sensitive Personal Information

“Sensitive personal information” is a regulated category of personal information under the CPRA that includes, among other things, the consumer’s:

  • Social Security or other state identification number
  • Account log-in details or financial details including bank account, debit or credit card number with any mandated access information like security code, password, or credentials
  • Geolocation
  • Race or ethnicity, religious and philosophical beliefs, or union membership
  • Contents of mail, email, or text messages, where the business is not the intended recipient
  • Genetic data


If your organization collects sensitive personal information, you should start categorizing the information collected and tracking how it is used and with whom it is shared.

Step 3: Update Your Service Provider Agreements

As a business, you must ensure that your stakeholders, including third parties, service providers, or contractors, handle any shared personal information in compliance with the CPRA.

Even if companies have already updated their vendor agreements for CCPA compliance, they may have to update them again to incorporate the following provisions, stating that the service provider cannot:

  • Share or sell the personal information
  • Use, maintain, or disclose information “outside of a direct business relationship” with the business
  • Combine the data with personal information received on behalf of another entity, with some exceptions


Step 4: Amend Your Data Retention Policy

Update your existing data retention policy so that it complies with the CPRA.

You must inform customers how long you plan to keep each type of personal and sensitive information and the criteria you used to decide that duration.

Note that once the CPRA becomes effective, businesses holding personal data for longer than necessary will risk noncompliance.

Step 5: Analyze How the Privacy Laws Will Impact Your Business

The CPRA grants customers a plethora of additional rights. Therefore, your business should be prepared with data privacy consent management processes to address them.

These rights include:

  • Right to Correction: If a business holds erroneous personal information about a consumer, the consumer can request that the information be corrected.
  • Right to Opt Out of Automated Decision-Making Technology: Consumers can opt out of automated decision-making technologies, including profiling.
  • Right to Access Information About Automated Decision-Making: Consumers have the right to request meaningful information about the logic behind automated decision-making processes and the probable outcome of those processes.
  • Right to Restrict Sensitive PI: Consumers can restrict the use and disclosure of their sensitive personal information for “secondary” purposes, including disclosure to third parties.


What Happens if You Don’t Comply With CPRA?

Just as most businesses must be GDPR compliant to safeguard user privacy, you must also comply with the CPRA or risk sanctions. Noncompliance penalties can be as high as $2,500 per violation, and $7,500 for every intentional violation involving the sensitive personal information of anyone under the age of 16.


About the Author: Marc Parrish

Marc Parrish, Founder and CEO of PieEye INC., is a seasoned marketing expert with a rich history in the industry. Holding an MBA from UCLA and a background in Mechanical Engineering from the University of Michigan, Marc's expertise spans interactive marketing to product marketing. Based in San Francisco, his insights into the digital transformation of the U.S. retail sector are deeply informed by his vast experience and passion for various social causes.
