CPRA Preparations: What to Prioritize


For a while it seemed as if the California Privacy Rights Act (CPRA) was an obligation that loomed somewhere out there on the horizon, but those days are over. The law will go into effect on January 1, 2023 and be enforceable on July 1, 2023, but neither of those are the most important milestone for this new, wide-ranging state privacy law. That date is January 1, 2022, which is obviously right around the corner.

Why is this the most important date regarding the new law? Because that’s the “look-back” period that applies to the personal, and now “sensitive”, data your organization collects and manages. In other words, on January 1st next year the information you collect from California residents at that time will eventually need to be available for Californian’s consumer requests. You’ll have to figure out where it’s being stored, how to access it, and how to provide it to them, which is not a trivial task.

Therefore, knowing what personal and sensitive information your organization is collecting next month, how it’s being categorized, and where it’s being stored, is critical to your ability to comply with the law, and to maintaining trust with your customers. But not to fear! If you’re not quite ready you’re not alone, and there are some practical steps you can take now to prepare for the upcoming compliance deadline.


Data Mapping

Many, if not most, organizations are currently storing their personal and sensitive information in a variety of locations and keeping track of those stores and data flows in spreadsheets or other static documents. The time has come for updated systems, and the good news is there are many comprehensive technical solutions now available to radically increase the efficiency of your data governance activities. These systems help you keep track of where your data is being stored so you can find it when needed, and provide records for regulatory authorities should they be requested.


Establishing and Strengthening Relationships


Privacy is a team sport. And for those of you focused on privacy you know that you literally can’t do your job without the help and support from the folks in the IT, legal, and marketing departments, at a minimum, and often many other areas of your business. Someone once said “the time to meet and get to know a coworker is not when you have to ask them for something”. So true. Think about who you need to partner with to understand and manage the data flows within your organization, and reach out to them proactively, or strengthen existing relationships. Going even further, ask these critical teammates what you and your team can do to help them with their priorities! The return on this investment will likely be invaluable. It will also set the stage for your privacy training efforts, which will be critical as you mature your privacy program.

Preparing for Consumer Access Request

Depending on the business you are in, consumer access requests will likely start rolling in soon after the CPRA takes effect, and one of the challenges you’ll face is estimating the volume of those requests. If they trickle in, you may be able to handle them individually, but if you have a large consumer presence the volume could be more than a “one off” approach can handle. If this is the situation you find yourself in, a technical tool allowing for automation and tracking will be necessary, and for some organizations preparing for and setting up these systems proactively will be a good strategic move. This investment in tools and staff training makes sense for many companies now, especially with more and more U.S. states passing privacy laws that include consumer rights similar to the CPRA, Virginia and Colorado being the most recent examples.

So, while the requirements of the CPRA will certainly take time and attention from the privacy team, adopting a strategic, prioritized approach will help you get to your compliance goals. And there are technical tools and expert advice available out there to help you get the job done.

Good luck and let us know if we can help!

For more information, contact Eric Dieterich, Managing Director at: eric.dieterich@levelupconsult.comReference information regarding the CPRA can be found here.