CPRA Enactment is around the corner: How to ensure your Organization is ready
The California Privacy Rights Act (CPRA) is a new privacy regulation that was passed in November 2020 and will go into effect on January 1, 2023. It builds upon the existing California Consumer Privacy Act (CCPA) and aims to further protect the privacy rights of California residents. If your organization conducts business in California, it is important to ensure that you are ready for the CPRA and are compliant with its requirements.
Here are some steps your organization can take to prepare for the CPRA:
- Review the CPRA: It is important to first familiarize yourself with the CPRA and understand its requirements. This includes understanding what personal information is covered under the CPRA, how it can be collected, used, and shared, and the rights of California residents with regard to their personal information.
- Assess your current privacy practices: Once you have a good understanding of the CPRA, you should assess your current privacy practices to determine if they align with the requirements of the regulation. This includes reviewing your privacy policies, consent mechanisms, and data collection and use practices to ensure that they are in line with the CPRA.
- Update your privacy policies: If your current privacy policies do not align with the CPRA, you will need to update them. This includes updating your policies to reflect the new rights of California residents under the CPRA, such as the right to opt out of the sale of personal information and the right to request the deletion of personal information.
- Implement consent mechanisms: Under the CPRA, organizations are required to obtain affirmative consent from California residents before collecting, using, or disclosing their personal information. This means that you will need to implement mechanisms to obtain consent, such as a checkbox or opt-in button, and ensure that you are able to track and document consent.
- Train your employees: It is important that all employees who handle personal information are aware of the requirements of the CPRA and know how to handle personal information in compliance with the regulation. Consider providing training to your employees on the CPRA and your organization’s privacy practices.
- Review your vendor contracts: If you work with third-party vendors that handle personal information on your behalf, you will need to ensure that your contracts with these vendors are compliant with the CPRA. This includes reviewing the terms of the contracts and negotiating any necessary changes to ensure that the vendors are able to handle personal information in compliance with the CPRA.
- Designate a privacy officer: Under the CPRA, organizations are required to designate a privacy officer who is responsible for managing the organization’s compliance with the regulation. Consider appointing a privacy officer or designating an existing employee to this role.
By following these steps, your organization can ensure that it is ready for the CPRA and compliant with its requirements. It is important to remember that the CPRA is a complex and evolving regulation, and we suggest talking us through your organization’s journey and key problem areas so that we can ensure that your organization is CPRA-ready.