SPONSORED: What Arkansas Businesses Need to Know About California Consumer Privacy Law | Business news from Arkansas

We could not ship the item.

All businesses—including those in Arkansas, not just those based in California—should be aware of the changes in California privacy law.

In 2020, Californians expanded their flagship privacy law by passing the California Privacy Rights Act (“CPRA”), granting new privacy rules to California consumers and creating new obligations for businesses. The CPRA is scheduled to come into force on January 1, 2023. Because the law doesn’t limit enforcement to just California businesses, now is the time for Arkansas businesses to ensure they are compliant. To do this, companies should ask themselves three questions:

1. Does this law really apply to my company? If you were subject to the California Consumer Privacy Act (“CCPA”), chances are you continue to be subject to the CPRA. To do this, companies need to update their existing compliance structure. If not, companies could now be affected due to definition changes. Any for-profit company that does business in California and collects personal information from California consumers is a “company” that is required to comply with the CPRA if the company:

  • Had annual gross sales of over $25 million last year
  • buys, sells, or shares personal information of 100,000 California consumers or households
  • Or derives at least 50% of its annual revenue from selling or sharing data

The sharing component is remarkable. The CCPA did not include data sharing as part of the definition, but the CPRA did add it. As such, companies that share personal information of California consumers with third parties but do not receive financial compensation from third parties for data are now subject to the CPRA if they meet the other definition requirements.

For example, if your business shares California consumer information with third parties to provide targeted online advertising, you can now be a “business” subject to CPRA requirements, even though you are not “selling” the information.

If your website uses cookies to collect Covered Personal Information from California consumers and your business meets the other definition requirements, you may have obligations under the CPRA that depend on your use of that information. Data analytics can help you determine if your web traffic is from California and if so, how much.

2. When was the last time you updated your website’s privacy policy? If it’s been a while, there are probably some changes you need to incorporate. If you’re brand new to California privacy, you need to create a new section about the rights of California consumers regarding their personal information. The CPRA provides a format for mandatory disclosures, as well as specific requirements for what to say.

If you already have such a policy under the CCPA, you must update your policy to reflect the additional rights afforded to Californians, such as

3. Can you keep your promises? Your business should be prepared to respond to California consumers who choose to exercise their new legal rights and provide appropriate opt-out methods. For example, if someone requests that their personal data be erased, you must be able to comply and respond within 45 days unless you have anonymized the data.

Your organization may need to make technical or operational changes to meet such requirements. Thorough data mapping is a good first step in making sure you know what data you have, where you have it, and who can access it so you don’t get confused when the requests come in.

Future Developments

Businesses should keep an eye on future government regulations regarding obtaining consent from their California consumers, use of automated decision-making technologies, and cybersecurity audit requirements. As the compliance deadline rapidly approaches, organizations must consider their newfound obligations for data they hold about California residents, even if they are far from California.

Elizabeth Esparza is an attorney at Mitchell Williams Selig Gates & Woodyard PLLC. She advises business clients on data protection and cyber security issues as well as litigation matters.