Preparing for CPRA Compliance in 2024: What to Focus On
At a glance
With the California Privacy Protection Agency able to begin CPRA enforcement immediately (following a surprise overturn of 2023's enforcement delay), Transcend’s General Counsel & Head of Privacy, Brandon Wiebe, shares his expert insight on how businesses can prepare, covering:
How CPRA amended the California Consumer Privacy Act (CCPA)
The role of the California Privacy Protection Agency, including their latest round of rulemaking and what enforcement might look like
How the CPRA’s ‘Do Not Share’ mandate raised the bar on the technical aspects of compliance
3 steps that will help companies prepare for CPRA
If you want to take a deeper dive on CPRA compliance, be sure to watch this virtual session featuring Brandon and Transcend CEO Ben Brook.
How did CPRA expand the consumer rights provided by CCPA?
CPRA was a law passed by ballot initiative in November of 2020, and it effectively amends the California Consumer Privacy Act (CCPA)—the current California privacy law on the books.
CCPA created six specific consumer rights:
The right to know what personal information a business is collecting
The right to delete that personal information
The right to opt out of the sale of personal information (which has a very specific definition under CCPA)
The right to opt into the sale of personal information if you’re under 16
The right to non-discriminatory treatment when exercising any of these CCPA rights
The right to initiate a private cause of action (which is limited to data breaches)
CPRA created two additional rights and expanded one:
The right to correct inaccurate personal information
The right to limit the use and disclosure of sensitive personal information, which is a new subcategory of personal information
The right to opt out of the sale of personal information was expanded by adding a new concept, called data sharing.
In addition to these new rights, CPRA also established a privacy enforcement agency in California. It took the regulatory and enforcement power that, under CCPA, sat with the Attorney General and moved it over to the California Privacy Protection Agency, the CPPA. And it charged this new agency with the power to draft regulations and authorize a number of provisions under CPRA.
In terms of the draft CPRA regulations from the CPPA—what do businesses need to pay attention to?
At a high level, if I was a privacy professional working on getting ready for compliance for January first I would focus on...
Operationalizing opt-out mechanisms for the sharing of data
This addresses the new expanded right around the right to opt out of sharing, as well as operationalizing limitations on the processing of sensitive personal information. The draft regulatory package that came out recently goes into some detail around what sort of opt-out mechanisms are acceptable and how businesses can start putting those together.
CPRA and these draft regulations in particular focus on dark patterns—laying out guidelines on what they consider to be dark patterns and how businesses can go about identifying and eliminating those.
They also lay out the consequences if you do use dark patterns to try and obtain consent, or in your interface where consumers are trying to exercise one of their privacy rights. And there are some significant consequences for that. But we’ll cover dark patterns in a little more detail below.
What is a data map and why is it so important for CPRA compliance?
A data map is simply a set of documentation that shows you the types or categories of personal information that you’re processing, how and where you’re processing that personal information, and why you’re processing it.
A data map can take many forms. It can be a spreadsheet that you manually update or it can be automated and tied directly into your tech stack, which allows the documentation to be dynamically updated as your teams add new vendors or change the type of data processing that’s happening.
Though it’s been used in the past for other privacy law requirements—like under GDPR, where you use a data map to create a record of processing—the data map itself is not actually a regulatory requirement of CPRA.
The reason data mapping is so important, and why I believe it's step one of any data privacy compliance program, is that you’ll need to perform a gap analysis between your current processing activities and any law or regulation that’s out there.
And to perform an effective gap analysis you need to have a complete and accurate picture of the processing that’s happening at your company.
One of the biggest roadblocks I’ve seen to actually kicking off the compliance process is that privacy practitioners go to webinars, read up on the regulation, and understand the law really really well. But, when we take all that information back to our organizations we don’t really know what to do with it, how to apply that to the actual processing that’s occurring—because we don’t have a complete picture of what’s going on.
So, if you’re going to build a compliance program you’re confident meets the requirements of a particular law, you have to start with a complete baseline truth of what’s actually happening in your business from a data perspective.
How to create an accurate data map
Scanning technologies are the key. This needs to be the foundation of every company's privacy infrastructure.
The status quo right now is to hire a contractor to come and interview every data owner in the organization. That’s based on human testimony and creates a fuzzy picture at best. It takes months to complete and then falls out of date immediately because these tech stacks and data storage schemas change almost daily.
It’s actually much easier just to scan for your data, rather than have people try to describe it to you. First, it's accurate—so you get base truth on what data you have, right down to the field level. And second, it’s up-to-date—so scanning gives you a near real time view of all the data in your business.
Having a specific, accurate, and up-to-date data map will set you up for success in every subsequent privacy project. As Brandon said, it’s really step one for everything else, whether that’s creating a record of processing activities, setting retention policies, handling privacy requests, or handling Do Not Share requirements.
Transcend Data Mapping is a scanning technology—it catalogs all the different data silos and internal schema, and then classifies all the data within. It builds you a complete global picture of all that information, which will then flow into every other area of governance.
With Transcend, we’re giving you smart suggestions about how to update your deletion workflow or to change your Do Not Share consent governance rule. If we detect a new ad network, of course we want to change the governance rules associated with that—so having those live scans is really just critical.
How to prepare for Do Not Share
The Do Not Share requirement is an expansion of the right to opt out of the sale of personal information. Under CCPA, a sale of personal information was the exchange of personal information for monetary or other valuable consideration, which was a little confusing in terms of practical application.
There were instances where maybe you were sharing information with an advertiser and they were using it for some broad cross-context behavioral advertising, but there wasn’t necessarily an exchange of consideration. So that fell out of the scope of a sale. The new sharing requirement really gets right in on this use case.
Sharing under CPRA means the transfer of a consumer's personal information to a third party for the purpose of cross-context behavioral advertising, whether or not it’s for monetary or valuable consideration.
For context, cross-context behavioral advertising is advertising that uses a consumer's personal information, gathered from their activities on one business or one website, to advertise to them on a different business or distinctly branded website.
If you’re going to take steps now to build a compliance readiness workstream for opting out of sharing, you have to start with your baseline truth, your data map. Step one or phase one is to look at your current data processing activities, identify the areas where you are sharing information to third parties or vendors, and analyze each of those to see if it meets the definition of sharing. And there are some places where you can start looking first.
Most of this cross-context behavioral advertising sharing is occurring through integrations directly into advertisers. This could be client side integrations on your site or potentially server side integration on your backend. So you would use your data map to outline all of these different processes and activities. That would be phase one.
Once you have a sense of what sharing might be occurring, phase two is to implement an appropriate opt out mechanism.
I’ll also highlight that under the CPRA statute, businesses are obligated to respond to what’s called an opt-out preference signal, which is a signal sent automatically by a consumer's browser. Responding to these signals was optional under CCPA, but in the draft regulations, the CPPA has made honoring these signals mandatory.
There are also several other state privacy laws that suggest responding to these opt-out preference signals is going to become mandatory in the next few years. So now is a really good time to start exploring what it would take from a technical perspective to implement an opt-out mechanism that respects and responds to these browser-based universal opt-out signals.
What does Do Not Share compliance look like from a technical perspective?
So, there are two paths—one is how you collect the opt-out itself, and the other is how you actually implement the choice. It's one thing to have a user move through an opt-out interface and it's another to actually govern all of your data flows on the back end.
For the former, it's as simple as putting an interface on your website. CPRA is very prescriptive about how this works and Brandon’s blog post is very detailed on that subject, so I won’t take up your time on that. But this is essentially just a footer in your webpage that says "Do not sell or share my personal information"—and the user should be able to efficiently move through that flow to make that choice.
For the backend, you have to make sure you understand all those data pipelines and then have the valves in place on those pipelines to ensure you’re not sending data or sharing it to, for example, an ad network. And that’s really where technology is very important—having a really good platform in place to collect these preferences and to actually encode them across your stack is key.
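As an added example that is not from the original post or from Transcend's product, the Python sketch below puts both paths together: it detects the browser opt-out preference signal (assuming the Global Privacy Control convention, a `Sec-GPC: 1` request header, which the post itself does not name), records it alongside a choice made through the site's opt-out interface, and then valves off only the outbound integrations that a constructed data map tags as cross-context behavioral advertising. The data map entries and integration names are made up for illustration.

```python
"""Constructed example: honouring a browser opt-out preference signal and
gating third-party sharing on the backend. Not Transcend's code."""
from dataclasses import dataclass

# Constructed data map: each outbound integration tagged with its purpose.
# Only the advertising destination meets the CPRA definition of "sharing";
# the others are service-provider flows and are unaffected by the opt-out.
SHARING_PURPOSE = "cross_context_behavioral_advertising"
DATA_MAP = {
    "ad_network_pixel": SHARING_PURPOSE,
    "analytics_vendor": "analytics",
    "payment_processor": "transaction",
}


def opt_out_signal_present(headers: dict) -> bool:
    """Global Privacy Control is sent as 'Sec-GPC: 1'. Header names are
    case-insensitive; only the literal value '1' expresses an opt-out."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class ConsumerPreferences:
    """Stored record of the consumer's choice (from the site's footer link
    or from an earlier request that carried the browser signal)."""
    opted_out_of_sale_or_sharing: bool = False


def route_event(event: dict, headers: dict, stored: ConsumerPreferences) -> list:
    """Return the integrations that may receive this event.

    A browser signal on this request is persisted so that a later request
    without the header does not silently re-enable sharing. Destinations
    whose purpose is sharing are valved off once the consumer has opted out."""
    if opt_out_signal_present(headers):
        stored.opted_out_of_sale_or_sharing = True
    allowed = []
    for destination, purpose in DATA_MAP.items():
        if purpose == SHARING_PURPOSE and stored.opted_out_of_sale_or_sharing:
            continue  # the valve: do not share with the ad network
        allowed.append(destination)
    return allowed
```

The same valve belongs in front of every server-side dispatch the data map lists as sharing; the client-side tags on the site need an equivalent check before they fire.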
What does CPRA say about dark patterns?
CPRA defines dark patterns as a user interface that’s designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice, as further defined by regulation.
The draft set of regulations begins to flesh out some examples of dark patterns and then talks a bit about the consequences of using a dark pattern.
The main consequence is that you're not allowed to use a dark pattern interface to obtain consumer consent. If you do, the consent is void. So if you’re relying on that consent to collect personal information, you’re effectively doing it without consent.
The regulations also state that you’re not allowed to use dark patterns in any of your mechanisms that help a consumer to exercise their rights under the law, i.e., opt-out of sale or sharing mechanisms. You also can’t use dark pattern interfaces to try to steer a user away from exercising their rights.
The regulations give five principles around the use of dark patterns:
Use methods and language that are easy for a consumer to read and understand
Provide symmetry in choice (rejecting all shouldn’t be more difficult than accepting all)
Avoid confusing language or interactive elements
Avoid manipulative language or choice architecture (like copy that guilts or shames somebody into making a choice, such as “No, I prefer to pay full price.”)
Use easy to execute methods
Granted, some of these are a little wishy washy. One of the comments at the last CPPA public hearing asked the agency to adopt a more objective legal standard. We’ll see if they amend their regulations in the next draft, but there are some things that are pretty straightforward—like the symmetry in choice requirement.
Either way, step one for businesses is to look at where you collect consent, what your opt-out mechanisms look like, and then do an analysis under this to see if there are some design choices that will make things clear and easy to understand.
Has your organization been impacted by the California Privacy Rights Act or other consumer privacy laws? Transcend, an all-in-one platform for modern privacy and data governance, can help you ensure compliance.
Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for state privacy laws coming online in 2024.
From Consent Management, to automated DSR Fulfillment, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.