Billed as the summer of privacy, Summer 2022 has certainly lived up to the hype.
Between the laws we already had (CPRA in California, VCDPA in Virginia, and CPA in Colorado), the laws we knew were coming (CTDPA in Connecticut and UCPA in Utah), and some surprise legislation (a federal law voted out of committee?!)—we've barely had a chance to take a breath.
But whether we’ve caught our breath or not, the California Privacy Rights Act (CPRA) (along with the VCDPA) goes into effect on January 1, 2023—meaning businesses now have only five months to:
Conduct a baseline review of their privacy practices
Perform a gap analysis against the new requirements
Identify what changes need to be made throughout the organization
Work with their technical teams to implement those changes
To complicate matters, CPRA was written with intentional ambiguity, deferring many of the more nuanced requirements to the newly formed California Privacy Protection Agency (CPPA).
Charged with writing comprehensive regulations, the CPPA was supposed to finalize those regulations by July 1, 2022. But as of publication, we’ve only seen one package of draft regulations, which will very likely change throughout the comment and revision process.
So what’s a privacy professional to do?
Stuck between an impending enforcement deadline and an incomplete, shifting set of regulations, it would be easy to put off thinking about CPRA readiness until Q4, for fear of marching in the wrong direction.
But I believe CPRA and the draft regulations offer enough guidance for privacy programs to get started now.
Teams that wait to spin up readiness workstreams until regulations are finalized will find themselves scrambling to implement numerous, significant changes to their privacy program, many which will require a steep technical lift.
With the enforcement deadline inching closer, I’m proposing five concrete steps businesses can take right now to get prepared.
Create a data map
Creating a data map isn’t a legal requirement under CCPA or CPRA. However, it’s the most important step you can take right now to prepare for any new (or existing) privacy law.
To assess whether a new privacy requirement applies to your organization, you’ll need to conduct a gap analysis against what’s being mandated and your current data processing. And to perform that analysis, you’ll need a comprehensive and accurate baseline understanding of what data you’re actually processing.
At the highest level, a data map should reflect:
The types or categories of personal information (PI) you’re processing,
How and where you are processing the PI, and
Why you are processing that PI
A truly effective data map will include both online and offline data processing. It should also be directly encoded into your organization’s data infrastructure so that you have a ground-level view of data processing. This type of automated data map will ensure the map stays current over time, even as your marketing, product, and engineering teams change vendors or subprocessors.
If you choose to build out a data map manually, give yourself plenty of time to complete the process of interviewing each data silo owner in your organization and updating a central spreadsheet or document with your findings.
Be aware that, done manually, this process may take several months depending on your organization's data footprint. In addition to the resource drag of this approach, a manually updated data map will quickly be rendered stale.
Using an automated data mapping vendor like Transcend can help future-proof your program and give a better ROI on the upfront resource investment. The Transcend documentation provides a good summary of the steps involved in setting up a data map.
Determine whether you’re “sharing” personal information and implement an opt-out mechanism
You’ll recall that, under CCPA, “sale” is defined as the transfer of personal information to a third party for valuable or monetary consideration and that consumers were granted the right to opt-out of the “sale” of their PI.
CPRA created a new right, which allows consumers to opt-out of the “sharing” of their PI. Under CPRA, “sharing” means the transfer of a consumer’s personal information to a third party for purposes of “cross-context behavioral advertising,” whether or not for monetary or valuable consideration.
To prepare your organization to honor this new right, you’ll need to:
Use your organization’s data map to identify all instances where you transfer PI to third parties.
Analyze each of these transfers to determine if it meets the definition of “sharing.”
If you are sharing data, decide on the opt-out mechanisms your business must support, and
Implement and test those opt-out mechanisms.
Determine whether you’re “sharing” personal information
For this workstream, you’ll need to start by looking at all of the places you may be transmitting data to a third party.
Make sure to account for both online and offline data transmission. And for online sharing, look for both client-side data transmissions (like cookies or other third party scripts running on your site), as well as direct server-side transmissions (like direct integrations from your data warehouse to vendors).
For client-side data transmissions, a consent manager can help you catalog all of the data tracking technologies (aka, cookies), and even flag ones that are most likely to transmit data for purposes of cross-context behavioral advertising. Your data map can help you fill in any gaps for server-side and offline transfers.
Once you’ve cataloged each of these data transfers, you’ll then need to assess whether the transfer is done for the purpose of cross-context behavioral advertising.
Implement a mechanism for opt-out
Now that you’ve identified any data “sharing,” you’ll need to determine the right mechanism for allowing consumers to opt-out. The main opt-out mechanisms are:
Adding a “do not sell or share my personal information” link in the footer of your website (along with a “limit the use of my sensitive personal information” link, which is covered below), or
Responding to an opt-out preference signal sent by a consumer’s browser.
Though CPRA itself made responding to opt-out preference signals optional, the draft regulations from the CPPA clarified that websites must honor universal opt-out preference signals. While the regulations may change before they’re finalized, I fully expect other state laws to make responding to opt-out preference signals mandatory in the coming years.
The draft CPRA regulations do state that, if a business responds to opt-out signals in a “frictionless” manner, they don’t need to provide an opt-out link. “Frictionless” means you can’t:
Charge a fee,
Require any valuable consideration,
Change a consumer’s experience with the product or service offered, or
Display a pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal.
The CPRA regs also clarify that a cookie banner is not an acceptable mechanism for handling opt-outs of data sharing or sales.
If you’re looking to get started now, it may be worth implementing both an opt-out link and the ability to interpret and honor opt-out preference signals.
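As an added example that is not part of the original post and not Transcend's own code: the snippet below shows what "interpret and honor an opt-out preference signal" looks like in code, alongside a stored opt-out from a "Do Not Sell or Share" link. It assumes the signal is Global Privacy Control (GPC), which participating browsers send as the HTTP request header `Sec-GPC: 1` and expose to page scripts as `navigator.globalPrivacyControl`. The tag catalog, header values, and stored preference are constructed sample data; a real catalog would come from the data map and consent manager described above.

```javascript
// Added example (not from the post): honoring an opt-out preference signal.
// Assumes the signal is Global Privacy Control (GPC): request header
// "Sec-GPC: 1" server-side, navigator.globalPrivacyControl === true client-side.

// Constructed catalog of client-side tags. `sharing: true` marks tags that
// transfer PI for cross-context behavioral advertising ("sharing" under CPRA).
const TAG_CATALOG = [
  { id: "analytics-first-party", src: "https://example.com/analytics.js", sharing: false },
  { id: "ad-retargeting-pixel", src: "https://ads.example.net/pixel.js", sharing: true },
  { id: "social-conversion-tag", src: "https://social.example.org/tag.js", sharing: true },
];

// Server-side check: header names are matched case-insensitively, and only the
// exact value "1" counts as an opt-out (any other value is not a signal).
function hasOptOutSignalFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client-side check. The navigator-like object is passed in so the function
// can be exercised outside a browser; in a page you would pass `navigator`.
function hasOptOutSignalFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Resolve the consumer's effective opt-out state. Either the browser signal or
// a stored preference (e.g. set via the "Do Not Sell or Share" link) opts the
// consumer out. The decision is made silently: no pop-up, interstitial, or
// confirmation step, which is what "frictionless" handling requires.
function resolveOptOut({ headers = {}, nav = null, storedPreference = null } = {}) {
  const signal = hasOptOutSignalFromHeaders(headers) || hasOptOutSignalFromNavigator(nav);
  const stored = storedPreference === "opt-out";
  let source = "none";
  if (signal) source = "preference-signal";
  else if (stored) source = "stored-preference";
  return { optedOut: signal || stored, source };
}

// Apply the decision to the tag catalog: when the consumer is opted out, every
// tag that would "share" PI is dropped; tags that do not share are kept.
function tagsToLoad(catalog, decision) {
  return catalog.filter((tag) => !(decision.optedOut && tag.sharing));
}

// Testing aid for the "implement and test" step: given a decision and the list
// of tag ids actually observed loading, return the sharing tags that should
// have been suppressed but were not. An empty result means the opt-out held.
function findLeakedTags(catalog, decision, observedTagIds) {
  const allowed = new Set(tagsToLoad(catalog, decision).map((t) => t.id));
  return observedTagIds.filter((id) => !allowed.has(id));
}

// Stand-alone demonstration with a constructed request.
const demoDecision = resolveOptOut({ headers: { "sec-gpc": "1" } });
console.log(demoDecision, tagsToLoad(TAG_CATALOG, demoDecision).map((t) => t.id));
```

In a site's tag loader the `resolveOptOut` result would be computed once per request (server-side from `Sec-GPC`) or once at page load (client-side from `navigator.globalPrivacyControl`), and only the `tagsToLoad` output would be injected into the page; `findLeakedTags` is meant for an automated check that compares the decision against what a headless browser actually observes loading.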
Determine whether you’re processing sensitive personal information and implement a limitation mechanism
CPRA also included the right for consumers to limit a business’s use of their sensitive personal information (SPI). A subcategory of PI, SPI includes:
The contents of private communications (unless the company is the intended recipient)
Genetics, biometrics, and health information
The draft regulations outline the procedures for responding to limitation requests. To prepare to honor this new right, you’ll need to:
Review your data processing activities to determine if you process any SPI,
If you process SPI, catalog how and why you are using SPI,
Evaluate what SPI processing is subject to the limitation right (i.e., do any of the exceptions in the draft regulations apply?)
Implement an SPI limitation mechanism
You guessed it—to review your data processing activities to determine if you process any SPI, the first step is to grab your data map!
You’ll need it to help identify if you are processing any SPI at all, as well as the specific purposes for which you are processing SPI. You’ll then need to assess which (if any) of those processing purposes may require you to implement a mechanism to allow consumers to limit that processing.
The draft regulations lay out seven purposes for which a business may use SPI without having to implement an opt-out mechanism:
“to perform the services or provide the goods reasonably expected by an average consumer,”
“to detect security incident…”
“to resist malicious deceptive or fraudulent actions directed at the business…”
“to ensure physical safety of natural persons,”
“for short-term, transient use, including nonpersonalized advertising…”
“to perform services on behalf of the business, such as maintaining or servicing accounts or providing customer service…” and
“to verify or maintain the quality or safety of a service or device.” (see the full list at § 7027(l) of the regs).
If your use of SPI falls outside any of these seven exceptions, you’ll need to provide at least two methods for consumers to submit a request to limit, which can include providing a footer link to a web form, or accepting opt-outs via a toll-free telephone number.
Take note—one of the methods must reflect how you “primarily interact with the consumer.” So for businesses that primarily interact with consumers online, providing a “Limit the Use of My Sensitive Personal Information” link to an interactive form would work.
Clean up your dark patterns
No, “Dark Patterns” isn’t a Stranger Things spin-off. Under CPRA, dark patterns are defined as:
“a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.”
While the name makes them sound ominous or overtly deceiving, the truth is that they are widespread and you probably have some dark patterns in your business right now.
The draft CPRA regulations gave us our first glimpse at how the CPPA wants businesses to evaluate dark patterns. To avoid dark patterns, the regulations state that we’ll need to:
Use methods and language that are easy for consumers to read and understand;
Provide symmetry in choice (e.g., “rejecting all” shouldn’t be more difficult than “accepting all”);
Avoid confusing language or interactive elements (e.g., confusing toggle buttons);
Avoid manipulative language or choice architecture, like copy that guilts or shames the consumer into making a particular choice (e.g., “No, I like paying full price”); and
Use easy-to-execute methods.
Under the draft regulations, consent obtained through an interface that employs dark patterns is void. The regulations also require businesses to avoid dark patterns in interfaces that allow consumers to exercise their CCPA/CPRA rights.
For this workstream, you’ll need to work with your frontend UI and UX teams to:
Identify where you are collecting consumer consent.
Identify where you have implemented a mechanism to allow a user to exercise a data right (like opting out of sharing/selling, or limiting use of SPI)
For each consent and opt-out workflow, evaluate the interface for dark patterns using the regulatory guidance.
In evaluating interfaces for dark patterns, some of the analysis is quantitative (symmetry in choice and avoiding copy that guilts or shames), while some remains more qualitative, like assessing whether the interface or language used is easy to read and understand, and easy to execute.
Public comments at the CPPA’s June 8, 2022 public hearing called for the CPPA to revise this guidance in favor of an objective standard, such as “design practices that amount to consumer fraud.” For now though, the best way for businesses to evaluate these interfaces may be as simple as asking non-privacy professionals to review the workflows and provide feedback.
Review your data processing agreements
New requirements for contracts with service providers, contractors, and third parties are one of the most extensive additions in the CPRA draft regulations. Most SaaS vendors in a modern tech stack are likely operating as service providers, so from a contracting perspective these changes will require a significant lift.
If you are a service provider for a business, or if you use service providers to process PI, it’s likely you’ll need to update both your inbound and outbound data processing agreements to bring them into CPRA compliance.
Revised agreements will need to include a provision requiring that service providers, contractors, or third parties notify the business within five days if they are unable to comply with their obligations under CPRA.
And these contracts will also need to provide a granular description of the business purposes and services for which PI is being processed. The draft regulations expressly prohibit data processing agreements from including a merely generic reference to performance of the contract. This means that each of your data processing agreements with your service providers may end up looking a little bit different.
For this workstream, you’ll need to:
Identify all your customers where you may operate as a service provider, contractor, or third party.
Identify all vendors you use that process PI, and evaluate whether they qualify as service providers, contractors, or third parties. In particular, note that vendors that engage in cross-context behavioral advertising do not qualify as service providers, and must follow the rules for “third parties.”
For every inbound and outbound service provider relationship identified, review your data processing agreements to ensure they meet the specific and extensive requirements of CPRA.
Developing a plan to update these agreements at scale will prove a time-consuming process, so working towards the required changes now will give organizations a leg up in meeting their compliance obligations by the January 1, 2023 deadline.
The top has not stopped spinning on CPRA rulemaking.
We know CPPA will be issuing additional regulations covering subjects not tackled in their initial draft regulations (most notably, requirements around using PI for automated decision-making, as well as performing annual impact assessments and audits for high-risk processing).
We also know that as the initial draft regulations go through the comment and finalizing process, the CPPA is likely to update or refine specific requirements.
But with the roadmap of CPRA text and initial draft regulations in hand, privacy savvy organizations will have more than enough guidance to jumpstart readiness activities now—giving themselves a significant tactical advantage to achieve compliance by the new year.
If your organization has been impacted by the California Privacy Rights Act or other consumer privacy laws, Transcend can help you ensure compliance.
Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, or discover data silos and auto-generate reports with Data Mapping.