Fresh Wave of California Privacy Rules Means Business Prep Now
Privacy Partner Ashley Shively was quoted in a Bloomberg Law article discussing California’s latest privacy law. The California Privacy Rights Act (CPRA) will require companies to establish data retention schedules, renegotiate agreements with third-party vendors, and create new procedures for managing sensitive personal information. While companies can and should get started on compliance now, the new privacy agency established under the CPRA hasn’t yet begun to issue regulations that will sway certain business and legal decisions necessary to comply with the new law.
Companies need to conduct or refresh their data maps to understand where data is moving and how, said Ms. Shively. “To the extent that your mapping in 2019 and 2020 wasn’t comprehensive, you’re going to need that information come 2023, so starting that map and getting your arms around that now is important,” she said. In-house counsel also should spend time this year better understanding what data is shared with third-party vendors, Ms. Shively said. They should categorize vendors in terms of risk to prioritize time and resources, she said.