Written by Sean Hogle
Since the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, millions of California consumers exercised their rights. This trend continued throughout 2021 and 2022. With the California Privacy Rights Act (CPRA) coming in January 2023, businesses should plan for even more change. There is a lot to unpack, but here is an overview.
- Gives consumers new privacy rights, such as the right to opt-out of sharing personal information and the right to opt-out of certain automated decision-making.
- Abolishes the employee and business-to-business exemptions.
- Establishes new privacy notice obligations, such as identifying the length of time that you retain each category of information.
- Adds data minimization provisions. For example, a business shall not collect personal information or use it for additional purposes incompatible with what it was originally collected for unless the business gives notice to the consumer. Businesses are going to need to assess if the secondary purposes are compatible with the disclosed purpose.
- Limits data retention to no longer than necessary for the disclosed purpose. For example, if you say you need a phone number for one-time password authentication, the statute determines you should discard that personal information as soon as the authentication is complete.
What businesses should do now?
It is vitally important to conduct data inventory and formulate data maps to better understand your data flows to maintain compliance with CPRA.
Businesses should gather all third-party contracts, assess their secondary uses of data to ensure compatibility with original usage, and determine whether an average consumer thinks that was aligned.
They should also assess data retention periods (are we retaining data too long?). Should we make preliminary revisions to our CCPA privacy notice (start redlining it now)?
Opt-outs and disclosure language
If your business shares data with third parties, they must add the third party to the initial notice and disclosure.
Here are three options for presenting opt-outs to consumers:
- Provide the “do not sell or share my personal information” link along with the “limit the use of my sensitive personal information.”
- Provide a single alternative opt-out link titled either “your privacy choices” or “your California privacy choices.”
- Provide a “frictionless” opt-out. A cookie banner alone is not sufficient – they only control collection not necessarily share or sell actions. A cookie banner would have to include one of the above.
The team at Rooney Law has experience helping companies with the complexities of data privacy. If you need help or have any questions, please call us at +1 212 545 8022 or click here to learn more about our capabilities.