When California voters approved the California Privacy Rights Act (CPRA) in 2020, most businesses and organizations that catered to residents of California knew they would have to alter their existing business practices to some degree to meet the CPRA's new data processing and data sharing requirements.

On the surface, the CPRA may not seem radically different from the California Consumer Privacy Act (CCPA), which was passed in 2018 and came into effect on January 1st, 2020. However, upon closer inspection, several differences begin to emerge.

One such difference is that while the CCPA allowed consumers to use a "Do Not Sell My Information" option to avoid having their data sold to third parties, the CPRA expands that to "Do Not Sell or Share My Information," which the law requires to be visibly placed on a business's homepage as well as its Privacy Policy page. It may seem like a slight change, but it significantly impacts how businesses operate, since the free sharing of information between businesses is what makes targeted advertising so effective.

Section 13 of the CPRA discusses the methods through which consumers can exercise their right to limit the sale or sharing of their personal or sensitive personal information. Section 13 also instructs businesses to provide consumers with two “clear and conspicuous” buttons on their homepage that must be titled:

  1. “Do Not Sell or Share My Personal Information.”
  2. "Limit the Use of My Sensitive Personal Information."

Alternatively, the business may use a single, clearly labeled link on its internet homepage that allows a consumer both to opt out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information. In either case, the business must also build the capability to receive and recognize a global opt-out preference signal.

Hence, understanding precisely what this "Do Not Sell or Share My Personal Information" option entails, how the CPRA compares to other regulations in this regard, and how businesses can implement it within their websites or apps can go a long way in aiding their CPRA compliance efforts.

What Does 'Do Not Sell' Mean?

The California Consumer Privacy Act (CCPA) is clear in defining the term, “sale” as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

The CPRA does not change the definition by much except for removing the phrase “another business.” This deletion reflects the CPRA’s reframing of third-party transfers in general. This alteration in the definition is also crucial to understanding how the CPRA treats exemptions to the aforementioned definition of a sale.

The CPRA takes a great degree of inspiration from the General Data Protection Regulation (GDPR). From consumer rights modeled on the GDPR's data subject rights, to data retention periods, to the creation of a dedicated data protection agency, it is easy to see the similarities between the two privacy laws. However, they differ in one key area.

The GDPR follows a privacy-by-design opt-in model. This means that all data collection options are disabled by default, and the users must consensually agree to have their personal data collected.

The CPRA, on the other hand, has the opt-out model in place, which has all data collection options enabled automatically, and the onus is on the user themselves to disable whichever forms of data collection they do not consent to. The CCPA follows the same model.

The CPRA adds another interesting element, the “opt-out preference signal,” as a method to limit the sale, sharing, and use of personal information. It is defined as a signal sent by a platform, technology, or mechanism on behalf of the consumer, communicating their choice to opt out of having their data sold or shared. This provision was added because businesses are obligated to comply with any consumer requests submitted through universal opt-out mechanisms.

A business that allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information under the CPRA may provide a link to a webpage that enables the consumer to consent to the business ignoring the opt-out preference signal with respect to that business's sale or sharing of the consumer's personal information or its use of the consumer's sensitive personal information for additional purposes. This is allowed only under the following conditions:

  • the consent webpage also allows the consumer or a person authorized by the consumer to revoke such consent as easily as it is affirmatively provided;
  • the link to the webpage does not degrade the consumer's experience on the web page the consumer intends to visit and has a similar look, feel, and size relative to other links on the same webpage;
  • the consent webpage complies with technical specifications set forth in regulations adopted in the CPRA.
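The two passages above describe a small piece of server-side logic: recognize an opt-out preference signal on an incoming request, treat it as binding, and honour an explicit consumer consent to ignore it only while that consent stands, with revocation as easy as the grant. The example below is added here and is not code from the article or from Securiti. It assumes the signal arrives as the `Sec-GPC: 1` request header defined by the Global Privacy Control specification (the article refers only to a "global opt-out preference signal" without naming one), and the `ConsumerChoices` record is a hypothetical schema for storing the choices a consumer makes through the homepage link and the consent webpage.

```python
from dataclasses import dataclass
from typing import Mapping

# Header name and value from the Global Privacy Control (GPC) specification.
# Assumption: the article does not name the signal; GPC is one real instance of it.
GPC_HEADER = "Sec-GPC"
GPC_ON = "1"


@dataclass
class ConsumerChoices:
    """Hypothetical server-side record of one consumer's CPRA choices."""
    do_not_sell_or_share: bool = False     # set via the homepage link or button
    limit_sensitive_use: bool = False      # set via the homepage link or button
    ignore_signal_consent: bool = False    # given on the consent webpage

    def grant_ignore_signal(self) -> None:
        """Consumer consents to the business ignoring the preference signal."""
        self.ignore_signal_consent = True

    def revoke_ignore_signal(self) -> None:
        """Revocation is a single step, as easy as the grant (CPRA condition)."""
        self.ignore_signal_consent = False


def signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries an active opt-out preference signal.

    HTTP header names are case-insensitive, so compare them lowercased.
    Only the value "1" means the signal is on; anything else is ignored.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == GPC_ON
    return False


@dataclass
class Decision:
    may_sell_or_share: bool
    may_use_sensitive_for_additional_purposes: bool
    reason: str


def decide(headers: Mapping[str, str], choices: ConsumerChoices) -> Decision:
    """Resolve whether sale/sharing and additional sensitive-data use may proceed."""
    sensitive_ok = not choices.limit_sensitive_use

    # 1. An explicit opt-out made through the homepage link always wins.
    if choices.do_not_sell_or_share:
        return Decision(False, sensitive_ok, "consumer opted out via homepage link")

    # 2. A preference signal is binding unless the consumer consented, on the
    #    consent webpage, to the business ignoring it (and has not revoked that).
    if signal_present(headers):
        if choices.ignore_signal_consent:
            return Decision(True, sensitive_ok,
                            "signal present but consumer consented to ignore it")
        return Decision(False, False, "opt-out preference signal honoured")

    # 3. Opt-out model default: no signal and no request, so processing may proceed.
    return Decision(True, sensitive_ok, "no opt-out received")


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    choices = ConsumerChoices()
    print(decide({"Sec-GPC": "1"}, choices))   # signal honoured
    print(decide({}, choices))                 # default: processing allowed
    choices.grant_ignore_signal()
    print(decide({"Sec-GPC": "1"}, choices))   # consent overrides the signal
    choices.revoke_ignore_signal()
    print(decide({"Sec-GPC": "1"}, choices))   # signal honoured again
```

The ordering matters: an explicit "Do Not Sell or Share" choice is never overridden by consent to ignore the signal, because that consent concerns only the signal, and revocation takes effect on the very next request, which is what the "as easily as it is affirmatively provided" condition demands in practice.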

Moreover, while businesses are required to notify users at or before the point at which they begin collecting their data, they are still not required to seek users' express permission to do so.

In other words, once they have notified users about their data collection practices, businesses can proceed to collect data on those users without needing their permission to do so.

This is why the "Do Not Sell or Share My Personal Information" button or link is so important. The CPRA requires all businesses subject to it to have a clearly visible button or link that allows the user to opt out of having their data sold to or shared with any third party.

What is Sensitive Personal Information?

The CPRA also lays down the requirement for a “Limit the Use of My Sensitive Personal Information” option. To understand it, it is vital to know what information the option is meant to protect, i.e., sensitive personal information. This is one of the major aspects of the CPRA, which introduces a sub-category of personal information labeled "sensitive personal information." Per its own definition, sensitive personal information is any form of data that can be used to identify a user personally. It includes the following types of data:

  • Social Security Number;
  • Driver's license;
  • State identification card;
  • Passport Number;
  • Financial account information and log-in credentials;
  • Debit Card or Credit Card number along with access codes;
  • Precise geolocation data;
  • Religious or philosophical beliefs;
  • Ethnic origin;
  • Contents of communication;
  • Genetic data;
  • Biometric information for identification;
  • Health information;
  • Information about sex or sexual orientation.

Due to purpose limitations, businesses need separate and explicit consent from users when collecting any of the data mentioned above.

Exemptions

As mentioned before, a key part of understanding the CPRA’s definitions of terms lies in the CCPA’s existing definitions. This principle extends to any and all exemptions as well.

The CCPA § 1798.140(t)(2)(A) provides an exemption for the aforementioned definition of a sale when a consumer “uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title.”

Furthermore, it states, “intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.”

Per the CCPA, a third party is defined negatively: any entity or person other than the business that initially collects the personal information from the consumer, or a service provider to that business.

The CPRA amends the CCPA’s exemption in the following critical ways:

  • The CPRA removes the phrase “provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title” from the main definition.
  • The CPRA updates the definition of “an intentional interaction” found in § 1798.140(s), expanding it to include visiting the person’s website or purchasing a good or service from the person.
  • The CPRA modifies the definition of the term “third party” to include any of the following:
    1. the “business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer’s current interaction with the business under this title”;
    2. a service provider to the business;
    3. a contractor.

The CPRA maintains the CCPA exemption for transfers in which the business uses or shares an identifier for a consumer who has opted out of the sale of their personal information for the purpose of alerting persons that the consumer has opted out. Moreover, the CPRA expands it to include transfers of an identifier for the purpose of alerting persons to a consumer’s request to limit the use of their sensitive personal information.

Notably, the CPRA requires notice to consumers if the party receiving the information “materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection.” Similar language can be found in CCPA. The CPRA further provides that this exemption does not authorize a business to make “material, retroactive changes to their privacy policies” or other changes that would violate the Unfair and Deceptive Practices Act.

Does My Business Need To Comply?

Before any business goes on about how they need to redesign and rethink their data collection and consent management practices, it would be well-advised to ascertain whether they need to comply with the CPRA at all.

While the CPRA may be strict in some areas, it is comparatively lenient in others, and the threshold for who must comply falls into the latter category. The CPRA states that businesses that meet any one of the following criteria must comply with it:

  • Cater to at least 100,000 consumers or households;
  • Have an annual gross revenue of at least $25 million;
  • Generate at least 50% of their annual gross revenue from selling or sharing user data.

How Securiti Can Help

There are multiple other ways CPRA compliance will require organizations and businesses to re-evaluate and redesign how they operate. That is a lot easier said than done, considering just how vital these practices are to these businesses' success.

But when the CPRA comes into effect, businesses will find themselves out of options. Hence, it would not be wrong to say that compliance is not a matter of choice. Businesses are well advised to begin carrying out internal audits and evaluating which areas they need to work on to become CPRA compliant.

This is where Securiti can help.

Securiti is a global leader in data privacy management solutions thanks to its PrivacyOps framework that can help any business achieve compliance at the click of a single button. Its products have helped several businesses achieve CPRA compliance.

Request a demo today and see how Securiti's tools can help your business be CPRA compliant as well.
