End-of-Year Website Audit Recommended to Ensure CPRA Compliance | Clark Hill PLC


As the year ends, privacy and legal departments have a final opportunity to audit external-facing privacy statements and other website practices to ensure compliance with the California privacy law amendments that come into effect in January 2023.

The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), CA CIV Code §§ 1798.100 et seq., sets forth requirements for businesses that collect personal information of California residents, with heightened requirements for businesses that “sell” or “share” that information. The regulations broadly define “sell” and “share” to include data transfers that do not require a monetary payment, including, for example, transfers made for advertising purposes, cross-marketing initiatives, product discounts, and service enhancements.

“Sell” or “Selling” is defined in CA CIV § 1798.140(t)(1) as the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information by any means for monetary remuneration or any other valuable consideration. Leaning into contract principles, the remuneration element can even take the form of a nominal discount on services, service enhancements, and other smidgeons of consideration. This definition of a sale will cover situations where unrelated entities form information partnerships in which each entity benefits from the sharing of consumer data. A simple example of this is frequent flyer or credit card award programs. Consumer personal data is shared between entities to run the programs and make a greater number of awards available to their customers. Each entity benefits because it can provide more enticing programs to its customers, which drives up business.

Processing by third-party service providers should also be scrutinized under these broad definitions, as state regulators have made clear that they will treat data transfers as “sharing” if a data processing agreement or service provider addendum is not in place.

For those businesses that fall under the scope of the CPRA, there are several areas that need immediate evaluation, including:

  • Clear and Conspicuous Opt-Outs: For businesses that sell or share personal information it is critical to provide “clear and conspicuous” links that are “reasonably accessible to consumers” to allow the consumer to exercise their opt-out rights for the sale or sharing of their personal information.
  • Can I use a Single Link? In CA CIV § 1798.135(a)(3) the CPRA does, however, permit a “single, clearly labeled” link. This provision does not specify the text of the link, but recently proposed changes to the CPRA regulations require any alternative opt-out link to be titled “Your Privacy Choices” or “Your California Privacy Choices.” Additionally, the proposed changes to the regulations would require businesses to provide a specific icon along with the link.

[Image: Link icon required by CPRA proposed regulatory updates]

  • Limit Processing of Sensitive Personal Information: Another new requirement is for the link to enable consumers to exercise choice in limiting the use of their sensitive personal information. Sensitive information afforded extra protections includes an individual’s social security, driver’s license, state ID, and passport numbers, financial account information (in combination with information to allow access to an account), geolocation data, contents of communications, genetic data, identifiable biometric data, or information concerning a consumer’s sex life or sexual orientation.

The current CPRA regulations provide specific text for these links, “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information.”

  • Presentation of Choice: The CPRA focuses on the methods that are provided for consumers to opt-in or opt-out of the use, selling, or sharing of their personal information, requiring that opt-outs must be easily accessible and fairly presented. Specifically, the CPRA regulations require businesses to (1) use clear, plain language in notifying consumers of their rights, (2) offer easy-to-use methods for consumers to exercise their rights or for businesses to obtain consent from consumers, and (3) make opting out no more difficult than opting in for the sale or sharing of personal information.

For example, an appropriate common method would allow consumers to access opt-in or opt-out rights directly from the first layer of a business’s website and, if multiple methods are used, would ensure that one choice is not more onerous to exercise than the other. Language or choice frameworks that obfuscate consumer choice must be avoided. Any consent resulting from a user interface that is designed to manipulate, subvert, or impair user choice will be considered a “dark pattern,” and the consent will be considered invalid. This applies even if doing so was not the intent of the design. Any knowledge that a user interface has the effect of impairing user autonomy, without effort to remedy it, will be considered a dark pattern by California regulators.

  • Global Privacy Controls (“GPC”): In a recent settlement of an enforcement action brought by the California Office of the Attorney General (“OAG”) against beauty retailer Sephora, Inc., the OAG took the position that the CPRA requires businesses to honor GPC signals they receive. User-enabled GPCs must therefore be treated the same as any other consumer’s choice to opt out of the sale of their personal information.
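The following is an added example, not code from the Clark Hill article or from any regulator, showing how a website back end can honor a GPC signal in the way the bullet above describes: the signal is treated as an opt-out of sale/sharing, and third-party tags that would constitute a sale or sharing are not loaded for that request. It relies on the Global Privacy Control specification's `Sec-GPC: 1` request header; the request shape (a lowercase-keyed `headers` object, as in Node's `http.IncomingMessage`), the stored-preference values, the tag catalog and the helper names are all assumptions made for the example.

```javascript
// Added example (not from the Clark Hill article): honoring a Global Privacy
// Control (GPC) opt-out signal on the server side.
//
// Per the GPC specification, a user agent with GPC enabled sends the request
// header "Sec-GPC: 1". Any other value, or no header at all, is "no signal".
function hasGpcSignal(headers) {
  const value = headers['sec-gpc'];
  return typeof value === 'string' && value.trim() === '1';
}

// Resolve the consumer's effective opt-out status for sale/sharing.
//   headers          - lowercase-keyed request headers (assumed shape)
//   storedPreference - what the business previously recorded for this consumer:
//                      'opt-out', 'opt-in', or null if nothing was recorded
// A GPC signal is treated as a valid opt-out request, exactly like a click on the
// "Do Not Sell or Share My Personal Information" link. This example lets the
// signal control whenever it is present, the conservative choice when it
// conflicts with an earlier stored opt-in (an assumption of this example).
function resolveSaleSharePreference(headers, storedPreference) {
  if (hasGpcSignal(headers)) {
    return { optedOut: true, source: 'gpc' };
  }
  if (storedPreference === 'opt-out') {
    return { optedOut: true, source: 'stored' };
  }
  return {
    optedOut: false,
    source: storedPreference === 'opt-in' ? 'stored' : 'default',
  };
}

// Constructed tag catalog for the example: the scripts the site would load and
// whether loading each one amounts to a "sale" or "sharing" of personal
// information (for example, cross-context behavioral advertising).
const TAG_CATALOG = [
  { name: 'session-analytics', sharesData: false }, // first-party, strictly functional
  { name: 'ad-network-pixel', sharesData: true },   // sends identifiers to an ad network
  { name: 'retargeting-sdk', sharesData: true },    // cross-context behavioral advertising
];

// Return the names of the tags that may be loaded for this request, given the
// resolved preference. Tags that share data are dropped once the consumer has
// opted out; tags that do not share data are unaffected.
function tagsToLoad(decision, catalog = TAG_CATALOG) {
  return catalog
    .filter((tag) => !tag.sharesData || !decision.optedOut)
    .map((tag) => tag.name);
}

// Constructed sample request: a browser with GPC enabled, no stored preference.
const SAMPLE_HEADERS = { 'sec-gpc': '1', 'user-agent': 'example-browser/1.0' };
const sampleDecision = resolveSaleSharePreference(SAMPLE_HEADERS, null);
console.log('decision:', sampleDecision);                 // { optedOut: true, source: 'gpc' }
console.log('tags to load:', tagsToLoad(sampleDecision)); // [ 'session-analytics' ]

module.exports = { hasGpcSignal, resolveSaleSharePreference, tagsToLoad, TAG_CATALOG };
```

In an audit, the check that matters is not only that the header is read, but that the resulting decision actually gates every tag in the catalog that shares data; a site that honors GPC in its consent banner while still firing advertising pixels from a separately managed tag manager has not honored the signal.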

Compliance Checklist: Year-End Website Audit

  • The critical point to remember when using a single link is to ensure that it leads consumers to information that explains their rights and makes it clear how to easily exercise them.
  • If a business does not qualify for the single-link exception, it will need to ensure that the links it provides, its privacy policies, and its consumer privacy rights request processes are aligned to meet the requirements of the CPRA.
  • Businesses will still be required to include statements in their privacy notices and policies regarding personal information selling or sharing activities even if it is only to state that they do not do so.