If your business collects or uses personal information belonging to California residents, including as part of B2B communications, it's important to understand the circumstances in which you may be required to comply with the California Privacy Rights Act (CPRA).
This article explains what CPRA and B2B communications are, whether CPRA applies to B2B communications, and how to comply with CPRA.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. What Is CPRA?
- 2. Who Must Comply With CPRA?
- 3. Does CPRA Apply to B2B Communications?
- 4. How to Comply With CPRA
- 4.1. Map Your Data
- 4.2. Maintain a Privacy Policy
- 4.3. Inform Consumers About How You Use Their Data
- 4.4. Give Consumers Data Control Options
- 4.5. Establish a Process for Handling Consumer Requests
- 4.6. Require Third Parties to Comply with CPRA
- 4.7. Limit Data Collection and Retention
- 4.8. Keep Data Safe
- 5. Summary
What Is CPRA?
CPRA is an amendment and expansion of California's main privacy law, the California Consumer Privacy Act (CCPA). The CCPA was designed to protect California residents' personal information.
"Personal information" is any data that can be used to identify an individual, including names, email addresses, personal browsing history, and geolocation information.
The CCPA was passed in 2018 and gave California residents the following rights:
- The right to know what kinds of personal information businesses were collecting
- The right to delete their personal information
- The right to opt out of the sale of their personal information
- The right to be free from discrimination for exercising their privacy rights
CPRA amended CCPA to provide California residents with additional rights, including the rights to correct their data, limit the use of their sensitive personal information (a special category of personal information that includes social security numbers, financial information, and race and ethnicity), and opt out of the sharing of their personal information.
CPRA also sunsetted temporary exemptions for employee and B2B data. Additionally, CPRA requires applicable businesses to limit the collection of personal information to that which is strictly necessary to fulfill their purposes, to explain those purposes, and to let consumers know how they can exercise their privacy rights.
Section 3(B) of CPRA explains that applicable businesses must limit collection of personal information to specific and stated purposes, inform consumers about how they collect and use their personal information, and let them know how they can exercise their privacy rights, among other requirements.
Who Must Comply With CPRA?
CPRA applies to for-profit businesses that collect California residents' personal information (or have another entity collect it on their behalf), decide how and why that personal information is processed (used), conduct business in California, and meet at least one of the following thresholds:
- Make at least $25.625 million in gross annual revenue (as of January 1, 2025) for the previous calendar year or
- Buy, sell, or share personal information of at least 100,000 California residents or households or
- Get at least 50% of their annual revenue from selling or sharing California residents' personal data
Section 1798.140 (d) of CPRA defines a business that must comply with the law as one that meets certain criteria, including functioning as a for-profit business that collects California consumers' personal information and fulfilling one of its thresholds.
Does CPRA Apply to B2B Communications?
CPRA does apply to personal information collected as part of B2B communications.
B2B communications in the context of CPRA include communications and transactions between businesses and California residents who are acting (or have acted) in a business role.
Prior to 2023, the privacy rights afforded to individuals by the CCPA did not apply to personal information under the following circumstances:
- The personal information consisted of a written or verbal communication or transaction between a business and a consumer
- The consumer was acting in a business capacity (including as an employee, owner, director, officer, or independent contractor)
- The communication or transaction occurred solely in the context of the business conducting due diligence regarding the consumer's organization, or providing a product or service to it or receiving one from it (such as running an employee background check or researching a vendor)
However, on January 1, 2023, CPRA went into effect, ending the B2B exemption. Currently, California residents (including those acting in a business capacity) have full privacy rights under the law, including the rights to correct and delete their personal data and limit the use of their sensitive personal information.
Section 1798.145 (n) (1) of the CCPA details the law's temporary B2B exemption, explaining that before CPRA went into effect, the CCPA did not apply to personal information collected in the context of certain business communications or transactions.
How to Comply With CPRA
CPRA requires businesses that meet its criteria and collect or process personal information (including in the context of B2B communications) to honor California residents' privacy rights and handle personal data in accordance with the law.
There are a few important steps you can take to comply with the CPRA, including identifying the personal information you collect and keeping it secure, maintaining a Privacy Policy, and establishing a process for receiving and handling consumer requests regarding their data, among others.
Let's take a look at how you can implement each of these steps.
Map Your Data
In order to keep consumers informed and comply with CPRA and other applicable privacy and data protection laws, you'll need to understand exactly how you use consumers' personal information.
Data mapping consists of identifying the types of personal information you collect, process, and share, and determining which laws apply to that data.
Maintain a Privacy Policy
A Privacy Policy is a legal document that explains how you handle personal information and how consumers can exercise their privacy rights. Your Privacy Policy should be clearly written, regularly updated, and easily accessible.
To comply with CPRA, your Privacy Policy should include the following information:
- The types of personal information you have collected over the previous 12 months
- A description of the consumers' privacy rights and two or more methods for exercising those rights
- The sources for the personal information you collect
- Your commercial reason for collecting, selling, or sharing personal information
- The categories of third parties you share personal information with
- A list of the categories of personal information you have sold or shared over the previous 12 months
- A list of personal information you have disclosed to third parties for business purposes over the previous 12 months
If you want to use your Privacy Policy to comply with CPRA's requirement to inform consumers at the point of collection, you will also want to include information about how long you intend to retain the personal information you collect.
Section 1798.130 (5) of CPRA lists the information that businesses need to include in their Privacy Policies, including a description of consumers' rights and how they can exercise them and the business's reason for collecting, selling, or sharing consumers' personal information.
American Apparel's Privacy Policy contains clauses about the types of information it collects, its reasons for collecting personal information, and the third parties it shares personal information with.
Inform Consumers About How You Use Their Data
Once you have your data map and Privacy Policy, you can use that information to notify consumers about how you intend to use their personal information.
CPRA requires businesses to provide the following information to consumers at the point of collection:
- The types of personal information and sensitive personal information to be collected
- The reasons for collecting or using personal information and sensitive personal information
- Whether the personal information and sensitive personal information are sold or shared
- How long the business intends to retain the personal information and sensitive personal information
Common ways to keep consumers informed include posting a link to your Privacy Policy wherever you collect personal information (such as on checkout and account sign-up pages) or using a consent banner.
A consent banner can take the form of a pop-up box that describes your reasons for collecting and using personal information and gives consumers control over how their data is used. While not specifically required by CPRA, a consent banner can be helpful for websites that use cookies or similar tracking technologies or that use personal information for targeted advertising purposes, as the data processing information can be provided as soon as a user visits the website.
When users go to join a Zoom meeting, they are presented with a link to the company's Privacy Statement.
By clicking on the Privacy Statement link, users can find information about the types of personal information Zoom collects and processes, where it gets information from, and its business and commercial purposes for using personal information.
Users visiting the Bloomberg website are presented with a pop-up box that includes links to its Terms of Service agreement and its Privacy Policy.
Bloomberg's Privacy Policy lists the categories of personal information it collects, including names, email addresses, browsing history, and billing information.
Give Consumers Data Control Options
CPRA requires applicable businesses to give consumers a way to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information.
To comply with this requirement, you can provide a "Do Not Sell or Share My Personal Information" link and a "Limit the Use of My Sensitive Personal Information" link on your website and within your Privacy Policy that enable users to opt out of those data processing activities. Alternatively, you can set up a single clearly labeled link that allows users to both opt out of the sale or sharing of their personal information and limit the use of their sensitive personal information.
You can also set up your website or app so that it detects and honors an opt-out preference signal such as the Global Privacy Control (GPC).
Section 1798.135 (a) of CPRA explains that businesses must provide links to pages where users can exercise choices concerning the sale or sharing of their personal information and how their sensitive personal information is used.
Section 1798.135 (b) of CPRA goes on to explain that businesses can also set up their websites or apps so that they recognize and respond to opt-out preference signals. Businesses can choose to comply with either subdivision (a) or subdivision (b) of this section of the law.
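The opt-out preference signal described above can be recognized server-side. The following is an added example, not code from the original article: a small Python module that detects the `Sec-GPC: 1` request header defined by the Global Privacy Control specification, records the resulting opt-out of sale or sharing before any data is passed to third parties, and builds the `/.well-known/gpc.json` declaration. The `PrivacyChoices` record and the sample requests are hypothetical.

```python
import json
from dataclasses import dataclass


@dataclass
class PrivacyChoices:
    """Per-consumer record of CPRA choices (hypothetical store)."""
    sell_share_opted_out: bool = False
    source: str = "none"  # "gpc" or "link" once an opt-out is recorded


def gpc_signal_present(headers):
    """True when the request carries a valid GPC signal (Sec-GPC: 1).
    Header names are matched case-insensitively; only the exact value "1"
    counts as a signal, per the GPC specification."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out(headers, choices):
    """Honor the signal: record an opt-out of sale/sharing when GPC is set.
    The signal never re-enables sharing for a consumer who already opted
    out through the site's own "Do Not Sell or Share" link."""
    if gpc_signal_present(headers) and not choices.sell_share_opted_out:
        choices.sell_share_opted_out = True
        choices.source = "gpc"
    return choices


def may_share_with_third_parties(choices):
    """Gate every sale or share (ad pixels, data partners) on the record."""
    return not choices.sell_share_opted_out


def well_known_gpc(last_update_iso):
    """Body of /.well-known/gpc.json, declaring that the site honors GPC."""
    return json.dumps({"gpc": True, "lastUpdate": last_update_iso})


# Constructed sample requests: one browser sending GPC, one not.
GPC_REQUEST = {"Host": "example.com", "sec-gpc": "1", "Accept": "text/html"}
PLAIN_REQUEST = {"Host": "example.com", "Accept": "text/html"}

if __name__ == "__main__":
    for req in (GPC_REQUEST, PLAIN_REQUEST):
        rec = apply_opt_out(req, PrivacyChoices())
        state = "blocked" if not may_share_with_third_parties(rec) else "allowed"
        print("Sec-GPC =", req.get("sec-gpc"), "-> third-party sharing", state)
    print(well_known_gpc("2025-01-01"))  # constructed date
```

The same check belongs in the client as `navigator.globalPrivacyControl`, but the server-side record is what must gate actual disclosures to third parties.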
Bloomberg's Privacy Policy contains a section that specifically addresses California consumers, explaining how users can opt out of the sale or sharing of their data.
Establish a Process for Handling Consumer Requests
You will need to have procedures in place that enable consumers to exercise their rights under CPRA, including the rights to access, edit, and delete their personal data. CPRA requires you to respond to consumer requests to disclose, correct, or delete their personal information within 45 days of receiving the request. You may extend this period by an additional 45 days if needed as long as you notify the consumer about the reason for the extension.
Section 1798.130 (2) (A) of CPRA explains that businesses have 45 days to respond to consumer requests to access, edit, or delete their personal information.
You should provide at least two methods for consumers to submit requests concerning their data, including a toll-free phone number. If your business operates exclusively online and you have a direct relationship with the consumer, you can use an email address to receive requests. Businesses with websites can use their Privacy Policy to describe how consumers can use these methods.
American Apparel's Privacy Policy explains that users can exercise their privacy rights by contacting its Privacy Officer.
It includes its Privacy Officer's email and mailing address within its Privacy Policy.
Whatever system you use to receive and process consumer requests, you should make sure to keep accurate records of the requests and how you handle them.
Require Third Parties to Comply with CPRA
If you sell California residents' personal information or share personal information with third parties, you must enter into an agreement with the third parties that they will comply with CPRA. You should regularly review the data collection and retention practices of any third parties you sell data to or share data with or who collect data on your behalf to ensure they're CPRA-compliant.
Section 1798.100 (d) of CPRA explains that businesses must enter into a contract with any third parties they sell California consumers' personal information to or share their personal information with that requires the third parties to comply with the law.
Limit Data Collection and Retention
You should only collect data that is necessary to fulfill the purposes stated in your Privacy Policy. After the data has served its purposes, you should delete the information.
Keep Data Safe
It's essential that you take steps to keep the personal information you collect secure.
Implementing the following security measures can help you keep data safe:
- Using encryption so that stored and transmitted data is unreadable to anyone without the key, preventing unauthorized access.
- Maintaining employee training programs so that all staff understand best practices for processing and protecting consumers' personal information.
- Requiring multifactor authentication, which protects accounts against phishing and stolen passwords by adding a second factor beyond the password.
- Conducting regular data processing audits to check that data is secure and being processed appropriately.
- Setting up physical security controls, such as security cameras or guards, where your servers or computers are located.
Summary
CPRA is an amendment and expansion of CCPA that extended privacy rights, established new requirements for businesses, and ended temporary employee and B2B data exemptions, among other changes.
Businesses that meet the law's criteria and thresholds must comply with CPRA.
As of January 1, 2023, CPRA applies to personal information collected in the context of B2B communications.
There are a few steps you can take to ensure compliance with CPRA, including:
- Mapping your data
- Maintaining a CPRA-compliant Privacy Policy
- Informing consumers about how you intend to use their data
- Providing a way for consumers to opt out of the sale or sharing of their personal information and limit the use of their sensitive personal information
- Creating a process for receiving and dealing with consumers' requests regarding their personal information
- Requiring third parties to comply with CPRA
- Limiting data collection and retention to that which is strictly necessary to fulfill your purposes
- Keeping the personal information you collect secure