What is the CPRA?
CPRA stands for California Privacy Rights Act. The CPRA took effect on Dec. 16, 2020, and amends and expands the CCPA.
The CCPA and the CPRA are limited solely to California residents and entities doing business in the state of California.
The CPRA creates two additional rights for Californian customers:
1. the right to correct inaccurate personal information; and
2. the right to limit use and disclosure of sensitive personal information.
Why show a banner?
If a website falls under the CCPA and CPRA, it is required to give the following information to the consumer, “at or before the point of collection”, which in most cases means you have to show some sort of cookie banner linking to the following information:
• contact information to exercise their rights, specifically two different methods.
• the categories of personal information collected;
• the purposes of the collection and processing; and
• a specification of whether the information is sold to or shared with third parties.
The CPRA defines “sharing” as renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
Do Not Sell or Share My Personal Information
The CPRA requires websites to include a conspicuous link Do Not Sell or Share My Personal Information on the homepage or the cookie banner, and in the privacy statement. The CPRA also introduces a new notice requirement to provide a separate link titled “Limit the Use of My Sensitive Personal Information” or accommodate an optional technical signal solution. Both links should take consumers to an intake method, an interactive form, for consumer requests.
However: the CPRA also allows websites to forgo providing these links separately and instead choose to provide a single link that enables the consumer to opt out of the sale and sharing of personal information and to limit the use and disclosure of sensitive personal information. In Complianz this single link is called “Opt-out preferences” and the functionality is called “Global Opt-out”. Our users can of course always rename that single link back to Do Not Sell or Share My Personal Information.
Most of the provisions revising the CCPA won’t become “operative” until Jan. 1, 2023 and enforcement will not begin until July 1, 2023.