CPRA countdown: Updated transparency obligations and opt-out rights

Notice at Collection

Like the CCPA, the CPRA requires that businesses provide consumers with certain information at or before the point of collecting personal information (Notice at Collection). However, the CPRA increases the amount of information that must be provided in that notice. In addition to the categories of personal information to be collected and the purposes for which the personal information is used, the CPRA will require that the Notice at Collection also include:

• Whether the collected personal information is sold or shared;
  • “Selling” is the same definition as under the CCPA and involves various forms of sharing/disclosures of personal information by a business to another business or third party for monetary or other valuable consideration.
  • “Sharing” is a new defined term that applies to any sharing/disclosure of personal information for “cross-context behavioral advertising,” regardless of whether consideration is exchanged. “Cross-context behavioral advertising” is defined as “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
• If the business collects sensitive personal information:
  • The categories of sensitive personal information to be collected;
    • “Sensitive personal information” is a new defined terms that applies to certain categories of personal information, such as financial data, health data, precise geolocation, genetic data, biometric data, information regarding a consumer’s sex life or sexual orientation, and if the business is not the intended recipient, the contents of communications.
  • The purposes for which the sensitive personal information will be collected or used; and
• The length of time the business intends to retain each category of PI, including sensitive PI (if it is not possible to provide specific lengths of time, the business must disclose the criteria it uses to determine such period).

In addition to changing the content requirements for the Notice at Collection, the CPRA will also change the notice process for businesses that collect personal information from sources other than the consumers to whom the personal information relates. Under the current CCPA Regulations, businesses that indirectly collect personal information about consumers and do not sell such information are fully exempted from the Notice at Collection requirement. Businesses that indirectly collect personal information, but also sell such information,  can meet their Notice at Collection requirement by posting a link to their privacy policies in their data broker registration with the California Attorney General. The CPRA will simplify this situation by allowing all businesses that indirectly collect personal information to meet their Notice at Collection obligations by posting the notice prominently and conspicuously on their website homepages.

Privacy Policy

While the CPRA’s requirements for privacy policies are similar to the CCPA’s, businesses will be required to update their privacy policies to add new information related to CPRA rights/concepts. The new content that the CPRA requires for privacy policies includes:

• The business or commercial purposes for “sharing” personal information;
• A list of categories of personal information that the business has “shared;” and
• A description of the new consumer right to limit the use of sensitive personal information and the link that will enable consumers to exercise that right.

Consumer Control Mechanisms (opt-out links)

The CPRA provides consumers with two new opt-out rights that necessitate new opt-out links, if applicable to the business's activities: (1) the right to opt-out of “sharing;” and (2) the right to limit the use of sensitive personal information in certain contexts. Like the current right to opt-out from “sales,” consumers must be able to exercise their new rights via a link on businesses’ “homepage.” The CPRA requires that current CCPA “Do Not Sell My Personal Information” links be updated to state “Do Not Sell or Share My Personal Information” to accommodate the new sharing opt-out right. The CPRA also calls for a new “Limit the Use of My Sensitive Personal Information” link to be added to address that new right. However, the CPRA also allows businesses to use a single link instead of multiple links, provided that it allows a consumer to easily exercise the different opt-out rights.

Authored by Tim Tobin, Ryan Woo, and Julian Flamant.