The California Privacy Rights Act (CPRA) of 2020, which goes into effect on January 1, 2023, is expected to replace the California Consumer Privacy Act (CCPA) of 2018. The CPRA, like the CCPA, is based on the opt-out cookie consent framework, which means no data subject's consent is required for the use of cookies provided that data subjects are given the right to opt out.
The CPRA defines consent similarly to the GDPR:
Consent means any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.
This definition indicates that the CPRA highlights the need for specific, informed, freely given, and unambiguous consent and it requires businesses to incorporate improved consent standards on their websites and mobile applications. However, consent is required only under certain circumstances. This article explores the right to opt-out under the CPRA and the circumstances where consent is required.
Securiti’s CPRA assessment evaluates your readiness for the CPRA and reviews how compliant your current practices are. This assessment highlights any deficiencies in your practices and aids your CPRA compliance efforts.
For more information about the California Privacy Rights Act (CPRA) and how to kickstart your CPRA compliance program, see our CPRA Compliance Checklist here and download our white paper on 7 Essential Tips to Prepare for the CPRA.
No, the CPRA does not require businesses to obtain consent for using cookies. Like the CCPA, the CPRA adopts an opt-out consent mechanism in this regard.
The CPRA is based on the opt-out consent framework, which means that the use of cookies is allowed provided website users are given the right to opt out. The right to opt out is one of the data subject rights, which the data subject can exercise by making a data subject rights request to the organization.
Consumers have the right to opt out of the sale or sharing of personal information, including opting out in the context of cross-context behavioral advertising, and the right to limit the use or disclosure of sensitive personal information. Sharing refers to sharing, renting, releasing, disclosing, disseminating, making available, transferring, or communicating (orally, in writing, by electronic or other means) the consumer's personal information to a third party for cross-context behavioral advertising purposes.
To ensure compliance, businesses are required to do the following:
The cookie consent banner under the CPRA can be presented again after 12 months. This means businesses must wait at least 12 months before requesting the consumer to authorize the sale or sharing of personal information and the disclosure of sensitive personal information.
Although the CPRA does not require opt-in consent from consumers, businesses must not load any non-essential cookies without notifying consumers via a cookie banner that gives them an option to opt out and lets them acknowledge the banner/notification.
In addition to the above, consumers have the right to opt out of the use of their personal information in automated decision-making, including consumer profiling. The CPRA defines profiling as “any form of automated processing of personal information … to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement”.
Yes, the CPRA requires opt-in consent for the use of cookies if it relates to the sale and sharing of personal information of minors. A minor is someone who is less than 16 years of age. Where a business has actual knowledge that the consumer is less than 16 years of age, it must not sell or share the consumer's personal information without obtaining explicit opt-in consent. This means businesses must obtain opt-in consent from consumers where the consumer is at least 13 years of age and less than 16 years of age. Businesses must obtain consent from parents or guardians of consumers where the consumer is less than 13 years of age.
The CPRA clearly explains what constitutes consent and what doesn't constitute consent. As mentioned earlier, consent means any freely given, specific, informed, and unambiguous indication of a consumer's wishes.
Under the CPRA, specific actions cannot be considered as consent, such as:
The CPRA defines a dark pattern as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice. This means that where opt-in consent is required, the use of dark patterns such as pre-ticked checkboxes, cookie walls, and passive agreements is strictly prohibited.
The CPRA is an improvement of the existing CCPA. With several additions made to the CPRA, such as introducing the definition of consent and sensitive personal information, consent for minors, and multiple other obligations for businesses, the CPRA takes the privacy of Californians to another level. Learn more about CPRA vs. CCPA.
In light of the above, we recommend including the following details in a CPRA compliant cookie policy:
Securiti ensures CPRA compliance with a modern PrivacyOps platform powered by AI Automation. The world-class tools support enterprises in their journey toward compliance with the CPRA through automation, enhanced data visibility, and identity linking. Get in touch to learn more.
Securiti's Cookie Consent Banner Solution enables companies to build cookie consent banners in accordance with the applicable legal requirements when collecting personal data for non-essential purposes on digital properties.
Ask for a DEMO today to understand how Securiti can help you comply with the applicable legal requirements of global data privacy laws and regulations with ease.