'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
Published on July 26, 2021 AUTHOR - PRIVACY RESEARCH TEAM
The CPRA is built on the data privacy management principles introduced by the CCPA in 2018. However, one of the major criticisms of the CCPA was that the expression ‘sale of personal data’ was never clear on whether it included sharing personal information between businesses and third parties for non-monetary consideration. The CPRA clarified this by explicitly providing a new term, ‘sharing of personal information.’
The CPRA defines data sharing as any disclosure of personal information (renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means) to third parties for cross-contextual behavioral advertising. Cross-contextual behavioral advertising is when a consumer is profiled and targeted based on personal information gained from his/her activity across various distinctly-branded businesses, websites, applications, or services. The purpose of sharing personal information can be for monetary benefits to the organization or any other enhanced personalization of services for the consumer.
The CPRA defines a “third party” as an entity with which the consumer is not intentionally interacting and to whom the consumer’s personal information is either sold or shared. Third parties are different from service providers and contractors, with whom businesses do not share or sell consumer personal information. They disclose consumer personal information for business or commercial purposes. Service providers and contractors have greater limitations on using, processing, and disclosing personal information than third parties.
It is easy to understand the data sharing concept by breaking it down into two key factors. For data to be “shared” under the CPRA, an organization must have:
The CPRA lists certain actions which are not considered the ‘sharing of a consumer’s personal information by a business with a third party.’ Those actions are:
Suppose consumers do not opt-out of sharing their personal information with external entities for cross-context behavioral advertising. In that case, the organization can share all the collected personal information with third parties for monetary or non-monetary consideration.
Broadly speaking, consumer personal information includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Organizations also track and record consumer activity on their website. This includes tracking web page visits, product pages, time spent on each page, clicks on product links/descriptions, cart additions, checkouts, etc. This data is used to re-target visitors with ads to increase site traffic and conversions. The CPRA (similar to the CCPA) also considers this data as personal information.
The CPRA also introduces the new Sensitive Personal Information (SPI) category and provides that businesses may only use consumers’ SPI for limited business purposes. Consumers retain the power to restrict businesses from any other uses.
Some of the limited business purposes for which businesses can use consumer SPI include short-term use of the SPI, such as for non-personalized advertising to the consumer during the current interaction of the consumer - not utilizing profiling or sharing of the SPI with third parties.
For any further use, the consumer must be notified by the business and given a chance to opt out of the use of their SPI for that purpose.
Under the CPRA, SPI includes the following information:
It is important to note that SPI collected or processed without the purpose of inferring characteristics about a consumer is not subject to these restrictions.
According to the CPRA, businesses must sign agreements with third parties if they share consumer personal information with them. The agreements should explicitly:
The CPRA imposes additional obligations on the organization, collecting personal information (even if personal information is collected by service providers or contractors on the organization’s behalf) and sharing it with third parties.
Businesses that share consumers’ personal information with third parties are required to notify consumers at or before every collection point. The notification must include the following:
Organizations can notify consumers via display banners on their websites. These banners must have Opt-out links that are clearly visible and readable. The banners must also be placed in a prominent position on the landing page.
The CPRA mandates that businesses disclose within their privacy notice the following information about their personal information sharing activities:
Organizations that engage in sharing personal information must provide consumers with an option to opt out of sharing their personal information. The CPRA clarifies that any personal information that is disclosed for targeted advertising must have an option to opt out.
Additionally, organizations must update the “Do Not Sell My Personal Information” links to read “Do Not Sell or Share My Personal Information” and prominently display it on the website home page.
Businesses must wait at least twelve months before re-asking opted-out consumers for consent to share their personal information with third parties.
The CPRA mandates that businesses may not knowingly share children’s personal information without first gaining affirmative opt-in consent from the parents/guardians if they are below 13 years of age or directly from the child if they are aged between 13 and 15 years. Any business which ignores a consumer’s age shall be considered to be in actual knowledge.
Consumers cannot be discriminated against if they choose to opt out of sharing their personal information. Businesses are barred from retaliating against consumers or employees who choose to exercise their rights under the CPRA in any of the following manners:
The CPRA mandates that organizations must notify third parties, with whom they share consumer personal information, about any data deletion requests of their personal information.
Third parties with whom businesses have shared personal information must not further sell or share consumer personal information unless the concerned consumer has been informed, via an explicit notice, and provided a right to opt-out of the further sharing of their personal information.