At a glance: CPRA Compliance
As of Jan 1, 2023, the California Privacy Rights Act (CPRA) is in effect and the July 2023 enforcement date is approaching fast—so if it isn’t already, CPRA compliance should be top of mind for affected businesses.
Though CPRA was written with intentional ambiguity, deferring the more nuanced requirements to the California Privacy Protection Agency (CPPA), the final proposed Draft Regulations did clear up many of the lingering questions.
Against the backdrop of increased enforcement across the board—Sephora settled with the California attorney general in 2022 for $1.2M and BetterHelp settled with the FTC for $7.8M in March 2023—it’s become clear that a “good faith” effort is no longer enough.
Below I’ve outlined a nine step CPRA compliance checklist that will help your org navigate CPRA’s many compliance requirements.
9 Step CPRA Compliance Checklist
As a disclaimer before we jump in, I want to note that no CPRA compliance checklist can fully substitute for the advice and counsel of your lawyer. I’ve made best efforts to go into as much detail as possible, but as I’m sure you’re aware, the CPRA is a long and sprawling document marked by detailed nuance in some sections and intentional vagueness in others.
Many of the requirements, especially those centered around opt-outs, offer multiple paths for implementation. And, as with most laws, there are exceptions littered throughout.
The steps I’ve outlined below will act as a good foundation for building a strong CPRA compliance stance, but do yourself, your business, and your customers a favor by running your privacy program plan by your legal team.
All of that said, let’s dive in!
1) Create a data map
Creating a data map isn’t a legal requirement under CCPA or CPRA. However, it’s the most important step you can take right now to move the needle on becoming fully compliant.
To assess how your current compliance stance stacks up against what’s actually required, you need to conduct a gap analysis between what’s being mandated and your current data processing. And to perform that analysis, you’ll need a comprehensive and accurate baseline understanding of what data you’re actually processing.
At the highest level, a data map should reflect:
The types or categories of personal information (PI) you’re processing,
How and where you are processing the PI, and
Why you are processing that PI
A truly effective data map will include both online and offline data processing. It should also be directly encoded into your organization’s data infrastructure—giving you a ground level view of data processing. This type of automated data map will ensure the map stays current over time, even as your marketing, product, and engineering teams change vendors or subprocessors.
If you choose to build out a data map manually, give yourself plenty of time to complete the process of interviewing each data silo owner in your organization and updating a central spreadsheet or document with your findings.
Be aware that, done manually, this process may take several months depending on your organization's data footprint. In addition to the resource drag of this approach, a manually updated data map will quickly be rendered stale.
Using an automated tool like Transcend Data Mapping can help future-proof your program and give a better ROI on the upfront resource investment. The Transcend documentation provides a good summary of the steps involved in setting up a data map.
2) Determine whether you’re “sharing” personal information and implement an opt-out mechanism
You’ll recall that, under CCPA, “sale” is defined as the transfer of personal information to a third party for valuable or monetary consideration, and that consumers were granted the right to opt out of the “sale” of their PI.
CPRA expanded this right, allowing consumers to opt-out of the “sharing” of their PI. Under CPRA, “sharing” means the transfer of a consumer’s personal information to a third party for purposes of “cross-context behavioral advertising,” whether or not for monetary or valuable consideration.
To prepare your organization to honor this new right, you’ll need to:
Use your organization’s data map to identify all instances where you transfer PI to third parties.
Analyze each of these transfers to determine if it meets the definition of “sharing.”
If you are sharing data, decide on the opt-out mechanisms your business must support, and
Implement and test those opt-out mechanisms.
“Sharing” personal information
For this workstream, you’ll need to start by looking at all of the places you may be transmitting data to a third party.
Make sure to account for both online and offline data transmission. And for online sharing, look for both client-side data transmissions (like cookies or other third party scripts running on your site), as well as direct server-side transmissions (like direct integrations from your data warehouse to vendors).
For client-side data transmissions, a consent manager can help you catalog all of the data tracking technologies (aka, cookies), and even flag ones that are most likely to transmit data for purposes of cross-context behavioral advertising. Your data map can help you fill in any gaps for server-side and offline transfers.
Once you’ve cataloged each of these data transfers, you’ll then need to assess whether the transfer is done for the purpose of cross-context behavioral advertising.
Mechanism for opt-out
Now that you’ve identified any data “sharing,” you’ll need to determine the right mechanism for allowing consumers to opt-out. The main opt-out mechanisms are:
Adding a “do not sell or share my personal information” link in the footer of your website (along with a “limit the use of my sensitive personal information” link, which is covered below), or
Responding to an opt-out preference signal sent by a consumer’s browser.
Though CPRA itself made responding to opt-out preference signals optional, the draft regulations clarified that websites must honor universal opt-out preference signals.
The draft CPRA regulations do state that, if a business responds to opt-out signals in a “frictionless” manner, they don’t need to provide an opt-out link. “Frictionless” means you can’t:
Charge a fee,
Require any valuable consideration,
Change a consumer’s experience with the product or service offered, or
Display a pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal.
The CPRA regs also clarify that a cookie banner is not an acceptable mechanism for handling opt-outs of data sharing or sales.
With the complexity of this requirement, it may be worth implementing both an opt-out link and the ability to interpret and honor opt-out preference signals. Check out our full guide to learn more about CPRA Do Not Sell or Share or learn how to implement compliant opt-out using Transcend.
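To make the “frictionless” handling above concrete, here is an added example (not code from the original article or from Transcend) of a server-side handler that honors a browser opt-out preference signal. It assumes the signal is the Global Privacy Control header `Sec-GPC: 1`; the vendor tag catalog, the pseudonymous consumer id and the in-memory store are constructed for the example. The handler records the opt-out, suppresses the tags that would “share” PI, and deliberately queues no banner or interstitial in response to the signal.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed vendor catalog for the example: which tags loaded on the site
# transmit PI for cross-context behavioral advertising ("sharing") and which
# are first-party only. In practice this comes from the consent manager /
# data map described in the article.
VENDOR_TAGS: Dict[str, Dict[str, bool]] = {
    "analytics-first-party": {"shares_pi": False},
    "retargeting-network-a": {"shares_pi": True},
    "ad-exchange-b": {"shares_pi": True},
}


@dataclass
class OptOutStore:
    """Persisted opt-out state keyed by a pseudonymous consumer id (assumed
    to be a first-party cookie value or account id). Once a consumer has
    opted out, later requests without the signal stay opted out."""
    records: Dict[str, str] = field(default_factory=dict)

    def record(self, consumer_id: str, source: str) -> None:
        self.records[consumer_id] = source

    def is_opted_out(self, consumer_id: str) -> bool:
        return consumer_id in self.records


def signal_present(headers: Dict[str, str]) -> bool:
    """True when the request carries the GPC opt-out preference signal.

    HTTP header names are case-insensitive, so compare case-folded. Only the
    literal value "1" is a signal; any other value is treated as absent, so a
    malformed or spoofed value can never *remove* an existing opt-out.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out(headers: Dict[str, str], consumer_id: str,
                  store: OptOutStore) -> dict:
    """Process one request and return a decision the page template can use.

    Honoring the signal is frictionless: nothing is charged, nothing about
    the page changes except that sharing tags are not loaded, and no
    pop-up or interstitial is queued ("interstitial" stays None).
    """
    if signal_present(headers):
        store.record(consumer_id, "opt_out_preference_signal")
    opted_out = store.is_opted_out(consumer_id)
    allowed: List[str] = [
        name for name, meta in VENDOR_TAGS.items()
        if not (opted_out and meta["shares_pi"])
    ]
    return {
        "opted_out": opted_out,
        "allowed_tags": allowed,
        "interstitial": None,
    }


if __name__ == "__main__":
    # Constructed requests: first one carries the signal, second one (same
    # consumer) does not, third is a different consumer with a non-"1" value.
    store = OptOutStore()
    print(apply_opt_out({"Sec-GPC": "1"}, "consumer-123", store))
    print(apply_opt_out({}, "consumer-123", store))
    print(apply_opt_out({"sec-gpc": "0"}, "consumer-456", store))
```

The persisted store is the piece worth getting right: the signal should be applied to the consumer’s profile where the business can associate the browser with a known consumer, and the same store is what the footer “Do Not Sell or Share” link writes to, so both mechanisms converge on one source of truth for the tag-loading decision.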
3) Determine whether you’re processing sensitive personal information and implement a limitation mechanism
CPRA also included the right for consumers to limit a business's use of their sensitive personal information (SPI). A subcategory of personal information, SPI includes:
The contents of private communications (unless the company is the intended recipient)
Genetics, biometrics, and health information
The draft regulations outline the procedures for responding to limitation requests. To prepare to honor this new right, you’ll need to:
Review your data processing activities to determine if you process any SPI,
If you process SPI, catalog how and why you are using SPI,
Evaluate what SPI processing is subject to the limitation right (i.e., do any of the exceptions in the draft regulations apply?)
Implement an SPI limitation mechanism
You guessed it—to review your data processing activities to determine if you process any SPI, the first step is to grab your data map!
You’ll need it to help identify if you are processing any SPI at all, as well as the specific purposes for which you are processing SPI. You’ll then need to assess which (if any) of those processing purposes may require you to implement a mechanism to allow consumers to limit that processing.
The draft regulations lay out seven purposes for which a business may use SPI without having to implement an opt-out mechanism:
“to perform the services or provide the goods reasonably expected by an average consumer,”
“to detect security incident…”
“to resist malicious deceptive or fraudulent actions directed at the business…”
“to ensure physical safety of natural persons,”
“for short-term, transient use, including nonpersonalized advertising…”
“to perform services on behalf of the business, such as maintaining or servicing accounts or providing customer service…” and
“to verify or maintain the quality or safety of a service or device.” (see the full list at § 7027(l) of the regs).
If your use of SPI falls outside these seven exceptions, you’ll need to provide at least two methods for consumers to submit a request to limit, which can include providing a footer link to a web form, or accepting opt-outs via a toll-free telephone number.
Take note—one of the methods must reflect how you “primarily interact with the consumer.” So for businesses that primarily interact with consumers online, providing a “Limit the Use of My Sensitive Personal Information” link to an interactive form would work.
4) Clean up your dark patterns
No, “Dark Patterns” isn’t a Stranger Things spin-off. Under CPRA, dark patterns are defined as:
“a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation."
While the name makes them sound ominous or overtly deceiving, the truth is that they are widespread and you probably have some dark patterns in your business right now. The draft regulations set out the following principles for designing interfaces that avoid them:
Use methods and language that are easy for consumers to read and understand;
Provide symmetry in choice (e.g. “rejecting all” shouldn’t be more difficult than “accepting all”);
Avoid confusing language or interactive elements (e.g., confusing toggle buttons);
Avoid manipulative language or choice architecture, like copy that guilts or shames the consumer into making a particular choice (e.g., “No, I like paying full price”); and
Use easy-to-execute methods.
Under the draft regulations, consent obtained through an interface that employs dark patterns is void. The regulations also require businesses to avoid dark patterns in interfaces that allow consumers to exercise their CCPA/CPRA rights.
For this workstream, you’ll need to work with your frontend UI and UX teams to:
Identify where you're collecting consumer consent.
Identify where you've implemented a mechanism to allow a user to exercise a data right (like opting out of sharing/selling, or limiting use of SPI)
For each consent and opt-out workflow, evaluate the interface for dark patterns using the regulatory guidance.
In evaluating interfaces for dark patterns, some of the analysis is quantitative (symmetry in choice and avoiding copy that guilts or shames), while some remains more qualitative, like assessing whether the interface or language used is easy to read and understand, and easy to execute.
Public comments at the CPPA’s June 8, 2022 public hearing called for the CPPA to revise this guidance in favor of an objective standard, such as “design practices that amount to consumer fraud.” For now though, the best way for businesses to evaluate these interfaces may be as simple as asking non-privacy professionals to review the workflows and provide feedback.
5) Review your data processing agreements
New requirements for contracts with service providers, contractors, and third parties are one of the most extensive additions in the CPRA draft regulations. Most SaaS vendors in a modern tech stack are likely operating as service providers, so from a contracting perspective these changes will require a significant lift.
If you are a service provider for a business, or if you use service providers to process PI, it’s likely you’ll need to update both your inbound and outbound data processing agreements to bring them into CPRA compliance.
Revised agreements will need to include a provision requiring that service providers, contractors, or third parties notify the business within five days if they are unable to comply with their obligations under CPRA.
And these contracts will also need to provide a granular description of the business purposes and services for which PI is being processed. The draft regulations expressly prohibit data processing agreements from including a merely generic reference to performance of the contract. This means that each of your data processing agreements with your service providers may end up looking a little bit different.
For this workstream, you’ll need to:
Identify all your customers where you may operate as a service provider, contractor, or third party.
Identify all vendors you use that process PI, and evaluate whether they qualify as service providers, contractors, or third parties. In particular, note that vendors that engage in cross-context behavioral advertising do not qualify as service providers, and must follow the rules for “third parties.”
For every inbound and outbound service provider relationship identified, review your data processing agreements to ensure they meet the specific and extensive requirements of CPRA.
Developing a plan to update these agreements at scale will prove a time-consuming process, so working towards the required changes now will give organizations a leg up in meeting their compliance obligations by the July 1, 2023 CPRA enforcement deadline.
6) Develop a way to address the right to know and correct
As you’re likely aware, the right to know did already exist under CCPA—giving consumers the right to request information about the personal data a business collected or sold. CPRA expanded this right to include the data a business shares.
If you’ve already built a strong CCPA compliance program, that means you’re in a decent spot to address the expansion of this right. You’ve built the necessary mechanisms to field consumer requests, identify personal data throughout your tech stack, and return it to the consumer.
The potential difficulty here is expanding the identification piece to the data you’re sharing with third parties, service providers, contractors, and others.
The other thing to consider here is the right to correct. This net new right means that consumers may ask a company to correct inaccuracies within their personal data. Similar to fulfilling other consumer rights under CPRA, this workstream has two parts: a way to reliably find and correct consumers’ data at scale and a way to field and track requests.
Not to belabor the point, but a comprehensive data map will go a long way in helping you comply with both of these requirements, giving you a clear inventory of the consumer data your company holds, including what data is being sold and shared.
7) Revise privacy policies
Though CPRA didn’t significantly amend the requirements around privacy policies, certain changes in CPRA’s general requirements do mean you’ll need to make a few revisions.
Most significantly, you should be updating your privacy policies to include:
A statement about whether or not the business discloses or uses sensitive personal information for any other reason than a valid “business purpose”
Information about new consumer rights under CPRA, specifically:
Right to correct
Right to limit processing of sensitive personal information
Right to data portability
A data retention notification
8) Conduct risk assessments
In certain scenarios, businesses under CPRA have the obligation to perform risk assessments for their data processing activities. The goal here is not necessarily to halt those activities, but rather to weigh the advantages against the potential risk to the consumer.
According to CPRA, any organization that processes personal information in a way that presents “significant risk” to a consumer’s privacy or security must perform both a data protection impact assessment and an independent cybersecurity audit.
Risk assessments must be submitted to the California Privacy Protection Agency on a regular basis, and must include:
A statement on whether your org processes sensitive personal information
An analysis of the risks and benefits
The independent cybersecurity audit must be completed on an annual basis and include details about the audit’s scope, as well as the “size and complexity of the business and the nature and scope of processing activities.”
9) Ensure data minimization and retention
A hallmark of the General Data Protection Regulation, data minimization was never specifically required under CCPA. This changed under CPRA—with two key pieces of text speaking directly to the idea that businesses must minimize the data they collect and only keep that data as long as necessary.
In terms of data minimization, CPRA states:
“A business's collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes”
It also states:
“a business shall not retain a consumer's personal information or sensitive personal information [...] for longer than is reasonably necessary”
Companies should scrutinize the data they collect and the purpose of collection, in order to eliminate any unnecessary data processing. They should also implement measures to delete this data from their systems once it is no longer required for the intended purpose.
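As an added example of the “delete once no longer required” measure (not code from the original article or from Transcend), the sweep below applies a purpose-based retention schedule to a record store. The schedule, the record shape and the sample records are constructed for the example; the `legal_hold` flag is an assumption about the edge case a real sweep must handle. Records whose purpose is missing from the schedule are routed to review rather than silently kept or deleted, since an unknown purpose is a data-map gap.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Constructed retention schedule: maximum retention, in days, per processing
# purpose. The purposes should line up with the "why" column of the data map.
RETENTION_DAYS: Dict[str, int] = {
    "order_fulfillment": 365,
    "support_ticket": 180,
    "marketing_email": 90,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    collected_at: date
    # Assumed edge case: records under a litigation hold are never auto-deleted.
    legal_hold: bool = False


def classify(records: List[Record], schedule: Dict[str, int],
             today: date) -> Dict[str, List[str]]:
    """Bucket records into 'delete' (past retention, no hold), 'keep'
    (within retention, or under hold) and 'review' (purpose not in the
    schedule, so a human has to decide)."""
    out: Dict[str, List[str]] = {"delete": [], "keep": [], "review": []}
    for r in records:
        limit = schedule.get(r.purpose)
        if limit is None:
            out["review"].append(r.record_id)
        elif r.legal_hold or today - r.collected_at <= timedelta(days=limit):
            out["keep"].append(r.record_id)
        else:
            out["delete"].append(r.record_id)
    return out


def sweep(store: Dict[str, Record], schedule: Dict[str, int],
          today: date) -> Dict[str, List[str]]:
    """Run the retention sweep against an in-memory store: delete the
    expired records in place and return the full classification so the
    'review' bucket can be reported."""
    result = classify(list(store.values()), schedule, today)
    for record_id in result["delete"]:
        del store[record_id]
    return result


# Constructed sample records, evaluated as of 2023-03-01 below.
SAMPLE_RECORDS: List[Record] = [
    Record("r1", "order_fulfillment", date(2022, 1, 10)),            # 415 days old
    Record("r2", "marketing_email", date(2023, 1, 15)),              # 45 days old
    Record("r3", "marketing_email", date(2022, 6, 1), legal_hold=True),
    Record("r4", "ad_hoc_export", date(2022, 6, 1)),                 # unknown purpose
]


if __name__ == "__main__":
    store = {r.record_id: r for r in SAMPLE_RECORDS}
    print(sweep(store, RETENTION_DAYS, date(2023, 3, 1)))
    print(sorted(store))
```

Run daily, the size of the `review` bucket is a useful health metric for the data map itself: every record that lands there was collected for a purpose nobody has documented a retention period for.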
Though the top seems to have stopped spinning on CPRA rulemaking—the CPPA submitted the final proposed Draft Regulations for approval—it’s important to remember that these laws are always open to further amendments.
And though there are still some portions of the law that are somewhat vague and/or waiting for an enforcement precedent, privacy savvy organizations will have more than enough guidance to jumpstart readiness activities now. And, those who start now will give themselves a significant tactical advantage to achieve compliance by the July 2023 enforcement date.
Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.
Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.