The CPRA is largely seen as an enhancement of the existing CCPA, with several new amendments and additions to expand on key provisions. Some of the most notable include the introduction of definitions for consent and sensitive personal information as well as consent for minors. It also institutes some new obligations for businesses to follow and adapts the existing enforcement system.
While it is a fresh piece of legislation, the CPRA generally remains quite comparable to other data privacy regulations around the world. Notable examples would be the EU’s GDPR or Brazil’s LGPD, which define consent similarly to the new legislation’s concept:
‘Consent means any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.’
The definition above highlights that consent from the consumer must be informed, specific, freely given and unambiguous for data processing to be legal. This applies only to the conditions that require consent under the new CPRA law, which we’ll outline further below.
There are a few different ways that website operators can go about implementing an opt-out framework, but regardless of which they choose, the CPRA requires the following conditions to be met.
A Clear Means of Opting Out
Organizations can combine these two links into one if the combined link offers both functionalities and clearly indicates so.
Opt-Out Must Be Free of Charge
Opt-Out Must Be Easy to Use
In other words, if a website visitor can submit a request without having to create an account or login, they should be able to opt out in the same way.
Sensitive Personal Information Must Be Protected
The final requirement that businesses need to be aware of when it comes to the CPRA and cookies is the need to protect sensitive personal information. This includes things like a person’s race, ethnicity, religion, and health data.
Website operators who collect this type of information will need to take extra care to ensure that it is properly safeguarded and only used in accordance with the user’s wishes.
Consumers have the right to opt out of the use of their personal information in automated decision-making processes like consumer profiling, which is defined in the CPRA as: ‘certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement’.
The CPRA requires opt-in consent for the use of third-party cookies relating to the sale and/or sharing of personal information of minors under the age of 16. This means that if your website is aimed at children or adolescents, you’ll need to get explicit consent from a parent or guardian before you’re able to sell or share their personal information with third parties. If they are over 13 years of age, this consent can be given by the child themselves.
How Can I Keep My Website Compliant With the CPRA?
In light of the upcoming changes to California’s stance on consumer privacy, it’s important for businesses to start taking steps towards compliance with the CPRA. Here are a few things you can do to get started:
2. Review your current cookies
Review the cookies that you currently use on your website and assess whether or not they will still be permissible under the new law. If not, consider alternatives that will be compliant.
3. Implement a CMP
Implement a system for obtaining explicit consent from users before selling or sharing their personal information with third parties. This can be done through a pop-up or banner on your website.
4. Check your website audience
If you operate a website aimed at children or adolescents, put in place a system for obtaining parental or guardian consent before selling or sharing their personal information with third parties.
5. Categorize personal information
Categorize the personal information that you collect about your website visitors and ensure that it is properly safeguarded.
6. Keep track
Keep track of things like consent expiration dates and user preferences so that you can easily comply with opt-out requests.
7. Review your website regularly
Review your website regularly to ensure that it is still compliant with the ever-changing landscape of data privacy laws.
The California Privacy Rights Act is set to come into effect on January 1, 2023 and will have a significant impact on the way businesses collect and use personal information. By taking these steps, you can help to ensure that your website is compliant with the CPRA and other data privacy laws that are sure to follow it in the years to come.