The California Privacy Protection Agency (CPPA) has achieved a significant milestone with the approval of its inaugural set of regulations by California’s Office of Administrative Law (OAL) on March 29, 2023. These regulations are poised to bring clarity to various novel concepts introduced under the California Privacy Rights Act (CPRA), landmark legislation passed as Proposition 24 during the 2020 election. As these regulations go into immediate effect, they usher in a new era of data protection and privacy rights for California consumers.
Notable Changes Introduced
Changes to Personal Data Collection and Use
Under the CPRA, stringent limitations have been imposed on the collection and utilisation of personal information. In alignment with the principle of data minimization, the collection and processing of personal data must adhere to two key criteria:
The purposes for which the personal information was initially collected or processed, in line with consumers’ reasonable expectations.
Another disclosed purpose compatible with the context in which the data was originally collected.
Should a company fail to meet both requirements, it must seek the consumer’s explicit consent before collecting or using personal data for additional, undisclosed purposes. The regulations offer specific guidance on evaluating whether the purposes align with consumers’ reasonable expectations. Factors such as the business’s relationship with its customers, the type and amount of personal information collected, and the methods used for collection must be considered. Additionally, the compatibility test hinges on whether the disclosed purpose aligns with the context of the initial data collection.
The regulations also mandate that companies collect and manage the minimum amount of personal data necessary for their processing purposes. Furthermore, companies are encouraged to implement additional measures, such as encryption or automatic erasure, to address identified consumer risks.
Keeping Consumers Informed
The regulations require companies to provide clear, concise, and easily understandable consumer disclosures and communications. Technical or legal jargon that might confuse consumers is prohibited. The rules also define “Dark Patterns,” wording or interactive features that can deceive customers, and explicitly forbid their use. An interface is classified as a dark pattern if it undermines a user’s decision-making capabilities. Adhering to these guidelines presents a challenge given the extensive and intricate nature of disclosures.
Regarding disclosure requirements and privacy policies, the regulations outline the information that must be included in a privacy policy. This includes comprehensive explanations of the business’s information practices, categories of collected information, information sources, specific collection purposes, and the business’s awareness of individuals whose data is collected. Privacy policies must also provide a breakdown of consumer rights under California privacy laws, instructions on how to exercise these rights, and the date of the latest privacy statement update.
Notification at the point of collection must specify the types of personal information being collected, including sensitive data, the purposes for data usage, and whether the data will be sold or shared. A notable change is that directing users to the entire privacy policy and asking them to search for data collection information is no longer sufficient.
Opt-Out and Use Limitation Rights
The CPRA introduces the right for consumers to request that companies restrict the use and disclosure of their sensitive personal information. Companies must notify customers of this new right and include a “clear and visible” link on their website that reads, “Limit the Use of My Sensitive Personal Information.” However, certain exemptions exist for providing this notice or link.
Additionally, the CPRA Regulations allow for a single Alternative Opt-out Link to replace the separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links, simplifying the process for consumers to exercise their opt-out and limitation rights. Any opt-out requests received by a company must be honored as valid.
Rules Concerning Service Providers and Third Parties
To comply with the CPRA’s right to delete personal data, businesses must delete personal data collected by their service providers and inform third parties to do the same, unless this is deemed impossible or excessively burdensome. Businesses are urged to review their contracts with service providers to ensure compliance with the new regulations, assess consumer communications and privacy policies, and specify exceptions in their privacy policies if sensitive personal data falls under them.
Conclusion
The California Privacy Rights Act (CPRA) ushers in a new era of privacy regulation in the United States, bringing about significant changes compared to the previous California Consumer Privacy Act (CCPA). It introduces novel consumer rights, strengthens privacy enforcement mechanisms, and places new obligations on businesses to ensure compliance with the CPRA.
As businesses navigate these complex regulatory changes, seeking guidance from privacy experts becomes essential. Tsaaro Solutions, with its team of skilled privacy professionals, can assist in compliance with privacy laws and regulations, helping organisations protect their sensitive data and uphold consumer privacy rights.
In a world where data privacy is of paramount importance, adhering to the CPRA’s regulations is not just a legal requirement but a crucial step towards building trust and safeguarding data in the digital age. Schedule a consultation with our privacy experts at Tsaaro Solutions today and take the first step toward securing your organisation’s data.