As the year ends, privacy and legal departments can audit external-facing privacy statements and other website practices to ensure compliance with the California privacy law amendments, which take effect in January 2023.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), sets forth requirements for businesses that collect personal information of California residents, with heightened requirements for businesses that sell or share that information. The regulations broadly define "sell" and "share" to include data transfers that do not require a monetary payment, including for advertising purposes, cross-marketing initiatives, product discounts and service enhancements.
"Selling" is defined as the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information by any means for monetary remuneration or any other valuable consideration. Leaning into contract principles, the remuneration element can even take the form of a nominal discount on services, service enhancements and other smidgeons of consideration.
This definition of a sale will cover situations where unrelated entities form information partnerships in which each entity benefits from the sharing of consumer data. A simple example of this is frequent-flyer or credit card award programs. Consumer personal data is shared between entities to run the programs and make a greater number of awards available to their customers. Each entity benefits, as they can provide more enticing programs to their customers, which drives up business.
Processing by third-party service providers should also be scrutinized under these broad definitions, as state regulators have made clear that they will treat data transfers as "sharing" if a data-processing agreement or service provider addendum is not in place.
Important Details
For businesses that fall under the scope of the CPRA, there are several areas that need immediate evaluation, including:
- Clear and Conspicuous Opt-Outs: For businesses that sell or share personal information, it is critical to provide "clear and conspicuous" links that are "reasonably accessible to consumers" to allow the consumer to exercise their opt-out rights for the sale or sharing of their personal information. The CPRA does, however, permit a "single, clearly labeled" link. This provision does not specify the text of the link, but recently proposed changes to the CPRA regulations require that any alternative opt-out link be titled "Your Privacy Choices" or "Your California Privacy Choices." Additionally, the proposed changes to the regulations would require businesses to provide a specific icon along with the link.
- Limit Processing of Sensitive Personal Information: Another new requirement is for the link to enable consumers to exercise choice in limiting the use of their sensitive personal information. Sensitive information afforded extra protections includes an individual's social security, driver's license, state ID, or passport numbers; financial account information (in combination with information to allow access to an account); geolocation data; contents of communications; genetic data; identifiable biometric data; or information concerning a consumer's sex life or sexual orientation. The current CPRA regulations provide specific text for these links: "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information."
- Presentation of Choice: The CPRA focuses on the methods that are provided for consumers to opt in or opt out of the use, selling, or sharing of their personal information, requiring that opt-outs be easily accessible and fairly presented. Specifically, the CPRA regulations require businesses to (1) use clear, plain language in notifying consumers of their rights, (2) offer easy-to-use methods for consumers to exercise their rights or for businesses to obtain consent from consumers, and (3) make opting out no more difficult than opting in for the sale or sharing of personal information. Language or choice frameworks that obfuscate consumer choice must be avoided. A user interface that is designed to manipulate, subvert, or impair user choice will be considered a "dark pattern," and any consent resulting from it will be considered invalid. This applies even if doing so was not the intent of the design. A user interface that is known to have the effect of impairing user autonomy, with no effort made to remedy it, will be considered a dark pattern by California regulators.
- Global Privacy Controls (GPC): In a recent settlement of an enforcement action brought by the California Office of the Attorney General (OAG) against beauty retailer Sephora, the OAG took the position that the CPRA requires businesses to honor GPC signals they receive. User-enabled GPCs must therefore be treated the same as any other consumer's choice to opt out of the sale of their personal information.
Year-End Website Audit
An audit can review your compliance with the new law. The critical point to remember when using a single link is to ensure that it leads consumers to information that explains their rights and makes it clear how to easily exercise them. Businesses that do not meet the exception will need to ensure that the links they provide, their privacy policies, and consumer privacy rights request processes are aligned to meet the requirements of the CPRA.
Businesses will still be required to include statements in their privacy notices and policies regarding personal information selling or sharing activities, even if it is only to state that they do not do so.
John F. Howard is an attorney with Clark Hill in Scottsdale, Ariz. Myriah V. Jaworski is an attorney with Clark Hill in San Diego, Calif. Ilya Smith is an attorney with Clark Hill in Chicago. © 2022. All rights reserved. Reprinted with permission.