This third installment in our ongoing series about changes to the California Consumer Privacy Act (CCPA) focuses on the new consumer opt-out rights and business disclosure obligations created by the California Privacy Rights Act (CPRA), which was approved by voters last November. Part I of this series looked at the CPRA's definition and treatment of "sensitive personal information." Part II discussed covered "businesses" and exemptions.
The CPRA Expands Consumer Opt-Out Rights Beyond Sale of Information
The CPRA includes critical updates to the CCPA by providing customers rights to: 1) opt out of the sharing of personal information under certain circumstances; 2) limit the use of sensitive personal information; and 3) opt out of the use of automated decision-making technology in connection with personal information. These key developments require businesses to both disclose the new and expanded rights, and to provide mechanisms through which they can be exercised. Similar to the CCPA, the CPRA points to forthcoming regulations that will interpret the technical requirements and specifications by which these rights may be facilitated.
The CPRA Obligates Businesses to Include Additional Disclosures in Point of Collection Notices
Businesses will be required to expand their respective point of collection notices to account for the new consumer rights created under the CPRA. This includes accounting for a consumer's: a) right to correct inaccurate personal information; b) right to opt out of sharing personal information for cross-contextual advertising; c) right to know how long their data will be retained; d) right to restrict use of sensitive personal information; and e) right to opt out of the use of personal information for automated decision-making. The forthcoming CPRA regulations are expected to shed more detail on the parameters of these rights and the policies and procedures required to ensure they can be exercised.
Businesses must disclose data retention periods. The disclosures must include the length of time businesses intend to retain each category of personal information collected or, if not possible, "the criteria used to determine such period," among other information. Pursuant to the CPRA, personal and sensitive information may only be retained "as necessary" and "proportionate" to the purpose for which it was collected. This puts the onus on businesses to ensure they have necessity-driven data retention policies and procedures.
Financial incentives for use of services or products. Businesses must detail financial incentives offered for the retention, use, sale, or sharing of the consumer's personal information for the use of a service or product.
Disclosures regarding the use of sensitive personal information. A business must disclose the a) types of sensitive personal information it collects; b) types of sensitive personal information it shares; c) sources from which it collects sensitive personal information; and d) sources with whom it shares sensitive personal information. When a business wishes to use or share the information in a manner that differs from the reason for which it was originally collected, the business must provide notice of the new use or disclosure, unless the CPRA otherwise does not require supplemental notice. A business must clearly and conspicuously display a "Limit the Use of My Sensitive Personal Information" link on its homepage to enable consumers to exercise their rights to limit the use and disclosure of sensitive personal information.
Disclosures regarding sharing personal information for cross-contextual behavioral advertising. Cross-contextual behavioral advertising occurs when personal information about a consumer is used for targeted marketing or advertising regardless of whether the information is exchanged for valuable consideration. If a business discloses personal information for purposes of cross-contextual behavioral advertising, it must clearly and conspicuously display a "Do Not Sell or Share My Personal Information" link on its homepage.
A business may combine the "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links into a single, clearly-labeled link on its homepage if the link "easily allows" consumers to a) opt out of the sale or sharing of their personal information, and b) limit the use or disclosure of their sensitive personal information. The CPRA also allows businesses to use opt-out preference signals sent with the consumer's consent by a platform, technology, or mechanism that accomplishes one or both of the forgoing requirements. The forthcoming CPRA regulations are expected to provide greater detail on the preference signal specifications.
What Businesses Should Do in Anticipation of the CPRA
The CPRA becomes effective on January 1, 2023. Until then, businesses should continue to ensure their privacy practices comply with the CCPA. This has the benefit of allowing businesses to comply with the law "as is" while setting a foundation for the changes imposed by the CPRA. With that in mind, businesses should also monitor the legislative and regulatory developments expected in the coming months and years before the CPRA goes into effect. For instance, principle rulemaking authority will transfer from the California Attorney General to the California Privacy Protection Agency (CPPA). Furthermore, many of the CPRA's requirements leave room for interpretation by the CPRA-specific regulations, which are expected to be proposed in the coming year. If the CCPA's evolution is any indicator, we expect an active legislative and regulatory leadup to 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.