The California Privacy Rights Act (“CPRA”) was approved by CA voters on November 3rd, and this law is changing the game for a lot of small businesses and tech startups across the U.S.
In a nutshell, this law greatly amends and expands the California Consumer Privacy Act. Some of the new changes include the following:
A new category of “Sensitive Personal Information” and controls on how data in this category can be used
Consumers can now ask businesses to correct inaccurate information the business may have on them
Enhanced protection for children's data
Updates to data breach liability
The creation of a new data protection agency to enforce the law
Compliance with privacy regulations can often be tricky, and business owners sometimes falsely believe that the law does not affect them or that they are covered simply by being compliant with GDPR (NOT TRUE!). Most small business owners or startup founders don't have a team of lawyers and policy specialists to tell them what to do, so here are some tips:
Audit your data and any controls you may have
The first thing you can do is find out all the different types of data you are collecting. Many small business owners may think that they are not collecting any data when in reality they are collecting numerous pieces of data about their customers. Credit card information, email addresses, and phone numbers are common types of data that a business owner would have about their customers. How long are you keeping this information and how is it stored? Did you get permission to use that data in the manner you are using it? These are the types of questions that you will have to ask yourself when you are auditing your data. Remember this: how well you control your customers' data is highly important, and it's a key factor in the eyes of a regulator.
Review Vendor Contracts
Are you currently using a vendor to help you with processing payments, sales, or marketing? Maybe you are using a CRM tool like Salesforce. Either way, if you have another service or person interacting with your customers' data, then you need to make sure that they are also taking care of your customers' data. This is where having good contracts is crucial. You need to make sure that your contracts have provisions requiring proper security and privacy controls and procedures. Nowadays most vendors tend to include these terms because of GDPR requirements, but if your vendor is unable to provide these controls, then it's time to find a new vendor.
Have A Good Privacy Policy And Review It Annually
A privacy policy is basically a formal notice to your customers that lets them know what types of data you are collecting, how you are collecting it, and what you will do with it. In 2020, if you don't have a privacy policy for your website, you are just asking for trouble. CPRA, GDPR, and most privacy regulations all require you to have a privacy policy in some form. For everyone who currently has a privacy policy, be sure that you are reviewing it annually. Privacy regulations are constantly changing, and those changes may require you to update your policy. Now if you are one of the few business owners in the world who still doesn't have a privacy policy, don't lose all hope yet. The Better Business Bureau and the FTC both have tons of information to help us business owners navigate these requirements. Additionally, the International Association of Privacy Professionals (IAPP) is another great resource to find an abundance of privacy tips. If you end up needing more help, then try looking into the next point below.
Look Into Privacy Vendors & Services
Even for the most seasoned privacy professional, doing everything on their own can be hard. Privacy consultants and services like OneTrust are literally a blessing for businesses that can't afford to have a privacy team on staff. If you are completely lost or unsure about what to do, a service like OneTrust can help you do all the steps mentioned above and more.
Contact Your Lawyer
Even though this is the last tip, it should really be the first thing you do. Your lawyer is the best person to tell you how exactly the CPRA will impact your business and the obligations you will have under it. A good lawyer can also help you with all the tips mentioned above. They can also help create the appropriate policies and procedures to ensure that your business stays compliant with privacy regulations for years to come.