February 6, 2024•15 min read
As a disclaimer before we jump in, I want to note that no CPRA compliance checklist can fully substitute for the advice and counsel of your lawyer. I’ve made best efforts to go into as much detail as possible, but as I’m sure you’re aware—the CPRA is a long and sprawling document marked by detailed nuance in some sections and intentional vagueness in others.
Many of the requirements, especially those centered around opt-outs, offer multiple paths for implementation. And, as with most laws, there are exceptions littered throughout.
The steps I’ve outlined below will act as a good foundation for building a strong CPRA compliance stance, but do yourself, your business, and your customers a favor by running your privacy program plan by your legal team.
All of that said, let’s dive in!
Though creating a data inventory isn’t a legal requirement under CCPA or CPRA, it is the most important step you can take right now to move the needle on becoming fully compliant.
To assess how your current compliance stance stacks up against what’s actually required, you need to conduct a gap analysis against what’s being mandated and your current data processing. And to perform that analysis, you’ll need a comprehensive and accurate baseline understanding of what data you’re actually processing.
At the highest level, a data map should reflect:
A truly effective data map will include both online and offline data processing. It should also be directly encoded into your organization’s data infrastructure—giving you a ground-level view of data processing. This type of automated data mapping will ensure the map stays current over time, even as your marketing, product, and engineering teams change vendors or subprocessors.
If you choose to build out a data map manually, give yourself plenty of time to complete the process of interviewing each data silo owner in your organization and updating a central spreadsheet or document with your findings.
Be aware that, done manually, this process may take several months, depending on your organization's data footprint. In addition to the resource drag of this approach, a manually updated data map will quickly be rendered stale.
Using an automated tool like Transcend Data Inventory, Silo Discovery, Structured Discovery, and Unstructured Discovery can help future-proof your program and give a better ROI on the upfront resource investment.
You’ll recall that, under CCPA, “sale” is defined as the transfer of personal information to a third party for valuable or monetary consideration and that consumers were granted the right to opt-out of the “sale” of their PI.
CPRA expanded this right, allowing consumers to opt-out of the “sharing” of their PI. Under CPRA, “sharing” means the transfer of a consumer’s personal information to a third party for purposes of “cross-context behavioral advertising,” whether or not for monetary or valuable consideration.
To prepare your organization to honor this new right, you’ll need to:
For this workstream, you’ll need to start by looking at all of the places you may be transmitting data to a third party.
Make sure to account for both online and offline data transmission. And for online sharing, look for both client-side data transmissions (like cookies or other third party scripts running on your site), as well as direct server-side transmissions (like direct integrations from your data warehouse to vendors).
For client-side data transmissions, a consent manager can help you catalog all of the data tracking technologies (aka, cookies), and even flag ones that are most likely to transmit data for purposes of cross-context behavioral advertising. Your data map can help you fill in any gaps for server-side and offline transfers.
Once you’ve cataloged each of these data transfers, you’ll then need to assess whether the transfer is done for the purpose of cross-context behavioral advertising.
Now that you’ve identified any data “sharing,” you’ll need to determine the right mechanism for allowing consumers to opt-out. The main opt-out mechanisms are:
Though CPRA itself made responding to opt-out preference signals optional, the draft regulations clarified that websites must honor universal opt-out preference signals.
The draft CPRA regulations do state that, if a business responds to opt-out signals in a “frictionless” manner, they don’t need to provide an opt-out link. “Frictionless” means you can’t:
The CPRA regulations also clarify that a cookie banner is not an acceptable mechanism for handling opt-outs of data sharing or sales.
With the complexity of this requirement, it may be worth implementing both an opt-out link and the ability to interpret and honor opt-out preference signals. Check out our full guide to learn more about CPRA Do Not Sell or Share or learn how to implement compliant opt-out using Transcend.
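Honoring an opt-out preference signal alongside a Do Not Sell or Share link, as an added example (not the page's or Transcend's code). It assumes the signal is Global Privacy Control (GPC), which the page does not name: the `Sec-GPC: 1` request header server-side and `navigator.globalPrivacyControl` client-side. The tag catalog is constructed sample data.

```javascript
// Added example (not Transcend's code): resolve a consumer's opt-out of sale/sharing
// from the signals a site can observe, then gate the tracking-tag catalog on it.
// Assumes the opt-out preference signal is Global Privacy Control (GPC): the
// `Sec-GPC: 1` request header server-side and `navigator.globalPrivacyControl`
// client-side. The tag catalog below is constructed sample data.

const TAG_CATALOG = [
  { id: "session-cookie", crossContextAds: false },
  { id: "first-party-analytics", crossContextAds: false },
  { id: "ad-network-pixel", crossContextAds: true },
  { id: "retargeting-script", crossContextAds: true },
];

// Per the GPC spec only the exact header value "1" expresses an opt-out;
// header names are matched case-insensitively, as HTTP requires.
function gpcHeaderOptsOut(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// In a browser the same signal is exposed on navigator; false anywhere else.
function browserSignalOptsOut() {
  return typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
}

// storedChoice is the consumer's recorded choice from the "Do Not Sell or Share"
// link: "opt-out", "opt-in", or null when no choice has been made.
function resolveOptOut({ headers = {}, navigatorSignal = false, storedChoice = null }) {
  const signal = gpcHeaderOptsOut(headers) || navigatorSignal === true;
  if (storedChoice === "opt-out") return { optedOut: true, source: "link", conflict: false };
  if (signal) {
    // The signal is honored; a conflicting stored opt-in is flagged so the site
    // can surface the conflict to the consumer rather than silently override it.
    return { optedOut: true, source: "signal", conflict: storedChoice === "opt-in" };
  }
  return { optedOut: false, source: storedChoice === "opt-in" ? "link" : "default", conflict: false };
}

// Tags cataloged as cross-context behavioral advertising must not fire once the
// consumer is opted out; tags outside that purpose are unaffected by this right.
function allowedTags(decision, catalog = TAG_CATALOG) {
  return catalog.filter((t) => !(t.crossContextAds && decision.optedOut)).map((t) => t.id);
}

// Sample request: a GPC-enabled browser with no prior choice recorded.
const decision = resolveOptOut({ headers: { "Sec-GPC": "1" }, navigatorSignal: browserSignalOptsOut() });
console.log(decision, allowedTags(decision));
```

Server-side transfers (warehouse-to-vendor integrations) need the same gate, keyed on the stored decision rather than on a request header.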
CPRA also included the right for consumers to limit a business's use of their sensitive personal information (SPI). A subcategory of personal information, SPI includes:
The draft regulations outline the procedures for responding to limitation requests. To prepare to honor this new right, you’ll need to:
You guessed it—the first step in reviewing your data processing activities to determine whether you process any SPI is to grab your data map!
You’ll need it to help identify if you are processing any SPI at all, as well as the specific purposes for which you are processing SPI. You’ll then need to assess which (if any) of those processing purposes may require you to implement a mechanism to allow consumers to limit that processing.
The draft regulations lay out seven purposes for which a business may use SPI without having to implement an opt-out mechanism:
If your use of SPI falls outside any of these seven exceptions, you’ll need to provide at least two methods for consumers to submit a request to limit, which can include providing a footer link to a web form, or accepting opt-outs via a toll-free telephone number.
Take note—one of the methods must reflect how you “primarily interact with the consumer.” So for businesses that primarily interact with consumers online, providing a “Limit the Use of My Sensitive Personal Information” link to an interactive form would work.
No, “Dark Patterns” isn’t a Stranger Things spin-off. Under CPRA, dark patterns are defined as:
“a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation."
While the name makes them sound ominous or overtly deceiving, the truth is that they are widespread and you probably have some dark patterns in your business right now.
The draft CPRA regulations gave us our first glimpse at how the CPPA wants businesses to evaluate dark patterns. To avoid dark patterns, the regulations state that we’ll need to:
Under the draft regulations, consent obtained through an interface that employs dark patterns is void. The regulations also require businesses to avoid dark patterns in interfaces that allow consumers to exercise their CCPA/CPRA rights.
For this workstream, you’ll need to work with your frontend UI and UX teams to:
In evaluating interfaces for dark patterns, some of the analysis is quantitative (symmetry in choice and avoiding copy that guilts or shames), while some remains more qualitative, like assessing whether the interface or language used is easy to read and understand, and easy to execute.
Public comments at the CPPA’s June 8, 2022 public hearing called for the CPPA to revise this guidance in favor of an objective standard, such as “design practices that amount to consumer fraud.” For now though, the best way for businesses to evaluate these interfaces may be as simple as asking non-privacy professionals to review the workflows and provide feedback.
Additional Resource: CPRA vs CCPA: Unpacking the Differences [Updated 2024]
New requirements for contracts with service providers, contractors, and third parties are one of the most extensive additions in the CPRA draft regulations. Most SaaS vendors in a modern tech stack are likely operating as service providers, so from a contracting perspective these changes will require a significant lift.
If you are a service provider for a business, or if you use service providers to process PI, it’s likely you’ll need to update both your inbound and outbound data processing agreements to bring them into CPRA compliance.
Revised agreements will need to include a provision requiring that service providers, contractors, or third parties notify the business within five days if they are unable to comply with their obligations under CPRA.
And these contracts will also need to provide a granular description of the business purposes and services for which PI is being processed. The draft regulations expressly prohibit data processing agreements from including a merely generic reference to performance of the contract. This means that each of your data processing agreements with your service providers may end up looking a little bit different.
For this workstream, you’ll need to:
Developing a plan to update these agreements at scale will prove a time-consuming process, so working towards the required changes now will give organizations a leg up in meeting their compliance obligations by the July 1, 2023 CPRA enforcement deadline.
As you’re likely aware, the right to know already existed under CCPA—giving consumers the right to request information about the personal data a business collected or sold. CPRA expanded this right to include the data a business shares.
If you’ve already built a strong CCPA compliance program, that means you’re in a decent spot to address the expansion of this right. You’ve built the necessary mechanisms to field consumer requests, identify personal data throughout your tech stack, and return it to the consumer.
The potential difficulty here is expanding the identification piece to the data you’re sharing with third parties, service providers, contractors, and others.
The other thing to consider here is the right to correct. This net new right means that consumers may ask a company to correct inaccuracies within their personal data. Similar to fulfilling other consumer rights under CPRA, this workstream has two parts: a way to reliably find and correct consumers’ data at scale and a way to field and track requests.
Not to belabor the point, but a comprehensive data map will go a long way in helping you comply with both of these requirements—giving you a clear inventory of the consumer data your company holds, including what data is being sold and shared.
Though CPRA didn’t significantly amend the requirements around privacy policies, certain changes in CPRA’s general requirements do mean you’ll need to make a few revisions.
Most significantly, you should be updating your privacy policies to include:
One thing to note on that last piece is that data retention notifications are a requirement of a compliant notice at collection—not a privacy policy. However, as many organizations choose to publish their notice at collection within their privacy policy, it’s still something to keep in mind.
In certain scenarios, businesses under CPRA have the obligation to perform risk assessments for their data processing activities. The goal here is not necessarily to halt those activities, but rather to weigh the advantages against the potential risk to the consumer.
According to CPRA, any organization that processes personal information in a way that presents “significant risk” to a consumer’s privacy or security must perform both a data protection impact assessment and an independent cybersecurity audit.
Risk assessments must be submitted to the California Privacy Protection Agency on a regular basis, and must include:
The independent cybersecurity audit must be completed on an annual basis and include details about the audit’s scope, as well as the “size and complexity of the business and the nature and scope of processing activities.”
A hallmark of the General Data Protection Regulation, data minimization was never specifically required under CCPA. This changed under CPRA—with two key pieces of text speaking directly to the idea that businesses must minimize the data they collect and only keep that data as long as necessary.
In terms of data minimization, CPRA states:
"A business's collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes”
It also states:
“a business shall not retain a consumer's personal information or sensitive personal information [...] for longer than is reasonably necessary”
Companies should scrutinize the data they collect and the purpose of collection, in order to eliminate any unnecessary data processing. They should also implement measures to delete this data from their systems once it is no longer required for the intended purpose.
Though the top seems to have stopped spinning on CPRA rulemaking—the CPPA submitted the final proposed Draft Regulations for approval—it’s important to remember that these laws are always open to further amendments.
And though there are still some portions of the law that are somewhat vague or waiting for an enforcement precedent, privacy-savvy organizations will have more than enough guidance to jumpstart readiness activities now. And those who start now will give themselves a significant tactical advantage in achieving compliance by the July 2023 enforcement date.
Has your organization been impacted by the California Privacy Rights Act or other consumer privacy laws? Transcend, an all-in-one platform for modern privacy and data governance, can help you ensure compliance.
Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for state privacy laws coming online in 2024.
From Consent Management, to automated DSR Fulfillment, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.