As part of this, there is a requirement for two separate lists of personal information collected and shared broken down by category, including how that information is collected, how it's used, who it's shared with, and why. Further, certain statements are required to be made whether or not information was sold in the preceding 12 months.
Changes from the CPRA
While the CPRA is not yet in effect and will not be until January 1, 2023, enforcement will begin on July 1, 2023 for violations occurring on or after that date. While this is a minor issue, it's also one that is easily and quickly remedied. Moving forward, businesses should establish a strategy and time period every year for annually updating Privacy Policies, including (a) evaluating whether or not the methods of collection have changed; (b) verifying that the reasons for collection as being unchanged; (c) verifying the entities the business shares information with; and (d) specifying why that information is shared. Further, it would make sense for businesses to work closely with attorneys to determine what must be included in these annual re-evaluations.. To that extent, the ounce of prevention to address this isn't a one-time solution, but rather forming a strategy and time frame to handle these items, similar to other corporate formalities.
HOW NEWMEYER DILLION CAN HELP
Newmeyer Dillion can provide advice on existing CCPA compliance policies, help revise CCPA compliance policies to conform to the CPRA, help implement new cybersecurity policies to comply with CPRA, and provide updates to CPRA required notices and privacy policies. California has a history of being at the forefront of policy developments that expand internally and spread to other states, therefore, CPRA may serve as a template for similar laws in other states.