Securiti Named a 2022 Cool Vendor in Data Security by GartnerDownload Now
Published on September 5, 2022 AUTHOR - Privacy Research Team
When the state voters of California approved the California Privacy Rights Act (CPRA) in 2020, most businesses and organizations that catered to residents of California knew they would be required to alter their existing business practices to some degree per the new data processing and data sharing requirements of the CPRA.
On the surface, the CPRA may not seem radically different from the California Consumer Privacy Act (CCPA), which was passed in 2018 and came into effect on January 1st, 2020. However, upon closer inspection, several differences begin to emerge.
Section 13 of the CPRA discusses the methods through which customers can exercise their right to limit the sale or sharing of their personal or sensitive personal information. Additionally, Section 13 also instructs businesses to provide consumers with two “clear and conspicuous” buttons on their homepage that must be titled:
Moreover, the business can also use a single, clearly-labeled link on the business's internet homepage allowing a consumer to opt out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information and must also build capabilities to receive and recognize a global opt-out preference signal.
Hence, understanding precisely what this "Do Not Sell or Share My Personal Information" option entails, how the CPRA compare to other regulations in this regard, and how businesses can implement it within their websites or apps can go a long way in aiding their CPRA compliance efforts.
The California Consumer Privacy Act (CCPA) is clear in defining the term, “sale” as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
The CPRA does not change the definition by much except for removing the phrase, “another business.” This deletion owes to the CPRA’s reframing of third-party transfers in general. Additionally, this alteration in definition is crucial to understanding how the CPRA treats exemptions to the aforementioned definition of a sale.
The CPRA takes a great degree of inspiration from the General Data Protection Regulation (GDPR). From introducing consumers' rights based on data subject rights, data retention periods, and creating a dedicated data protection agency, it's easy to see the similarities between the two privacy legislations. However, they do differ in a key area.
The GDPR follows a privacy-by-design opt-in model. This means that all data collection options are disabled by default, and the users must consensually agree to have their personal data collected.
The CPRA, on the other hand, has the opt-out model in place, which has all data collection options enabled automatically, and the onus is on the user themselves to disable whichever forms of data collection they do not consent to. The CCPA follows the same model.
CPRA adds another interesting element which is the “opt-out preference signal” as a method to limit the sale, share, and use of personal information. It is defined as a signal sent by a platform, technology or mechanism on behalf of the consumer communicating their choice to opt out of having their data sold or shared. This section was added owing to the obligation of businesses to comply with any consumer requests submitted through universal opt-out mechanisms.
A business that allows consumers to opt-out of the sale or sharing of their personal information and to limit the use of their sensitive personal information as per CPRA may provide a link to a webpage that enables the consumer to consent to the business ignoring the apt-out preference signal with respect to that business's sale or sharing of the consumer's personal information or the use of the consumer's sensitive personal information for additional purposes. This can be allowed under the following conditions:
Moreover, while there is a prerequisite requirement for businesses to notify the users at the point or before they begin collecting their data, they’re still not required to seek their express permission to do so.
In other words, once they’ve notified the users about their data collection practices, businesses can proceed with data collection on users without needing their permission to do.
This is why the "Do Not Sell or Share My Personal Information" button or link is so important. The CPRA requires all businesses subject to it to have a clearly visible button or link that would allow the user to ensure they can opt-out of having their data sold or shared with any third party.
The CPRA also lays down the requirement of the “ Limit the Use of My Sensitive Personal Information” option. it is vital to understand the information is meant to protect i.e., sensitive personal information. This is one of the major aspects of the CPRA. The CPRA introduces a sub-category of personal information labeled "sensitive personal information". Per its own definition, sensitive personal information is any form of data that can be used to identify a user personally. These include the following types of data:
Due to purpose limitations, businesses need separate and explicit consent from users when collecting any of the data mentioned above.
As mentioned before, a key part of understanding the CPRA’s definitions of terms is via the CCPA’s existing definitions. This principle extends to any and all exemptions as well.
The CCPA § 1798.140(t)(2)(A) provides an exemption for the aforementioned definition of a sale when a consumer “uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title.”
Furthermore, it states, “intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.”
Per the CCPA, a third party is defined as a negative entity or person apart from the business that initially collects the personal information from the consumer or a service provider.
The CPRA amends the CCPA’s exemption in the following critical ways:
The CPRA maintains the exemption provided by the CCPA that exempts transfers where the business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting persons that the consumer has opted out of the sale. Moreover, CPRA expands it to include transfers of an identifier for purposes of alerting persons to a consumer’s request to limit the use of their sensitive personal information
Notably, the CPRA requires notice to consumers if the party receiving the information “materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection.” Similar language can be found in CCPA. The CPRA further provides that this exemption does not authorize a business to make “material, retroactive changes to their privacy policies” or other changes that would violate the Unfair and Deceptive Practices Act.
Before any business goes on about how they need to redesign and rethink their data collection and consent management practices, it would be well-advised to ascertain whether they need to comply with the CPRA at all.
While the CPRA may be strict in some areas, it is comparatively lenient in some. Those that need to comply with it belong to the latter category. The CPRA states that businesses that fulfill either one of the following criteria must comply with it:
There are multiple other ways CPRA compliance will require organizations and businesses to re-evaluate and redesign how they operate. That is a lot easier said than done, considering just how vital these practices are to these businesses' success.
But when CPRA comes into effect, businesses will find themselves out of options. Hence, it would not be wrong to say that compliance is not a matter of choice. It is highly advisable that businesses begin carrying out internal audits and evaluate which areas they need to work on to be CPRA compliant.
This is where Securiti can help.
Securiti is a global leader in data privacy management solutions thanks to its PrivacyOps framework that can help any business achieve compliance at the click of a single button. Its products have helped several businesses achieve CPRA compliance.
Request a demo today and see how Securiti's tools can help your business be CPRA compliant as well.