Companies Get Partial CPRA Reprieve, But Don’t Break Out the Party Hats Yet

Two and a half years after the law was first passed by voters, enforcement of the California Privacy Rights Act (CPRA) is finally here — or is it?

On the eve of the July 1 enforcement deadline for the CPRA, the Sacramento County Superior Court granted the California Chamber of Commerce’s request for an injunction and delayed enforcement of the CPRA regulations until March 29, 2024 — one year after the agency issued the final regulations.

The ruling gives businesses roughly seven months to bring their data protection programs into compliance with CPRA’s new regulations regarding data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns, and consumer request handling.

A partial reprieve

This may come as a welcome reprieve for businesses that haven’t finished (or begun) to implement new regulatory obligations but don’t start celebrating just yet. After all, enforcement of the California Consumer Privacy Act (CCPA) is still in effect, and new laws in Colorado and Connecticut took effect the same day CPRA was scheduled to go into effect. Businesses need to stay focused on building comprehensive compliance programs to deal with these regulations and future laws.

Further, the delayed enforcement ruling does not apply to the privacy rights statute itself or the amendments to the CCPA enacted via the Proposition 24 ballot initiative. As of July 1, 2023, the California Consumer Protection Agency (CPPA) can bring enforcement actions and filings against companies accused of violating the text of the CCPA, which went into effect in 2020. And this enforcement won’t be lenient — the act’s cure period provision, which previously allowed businesses 30 days to mitigate violations before being fined, has expired.

Instead, the California attorney general and the CPPA now have discretion on whether to offer a cure period, in consideration of an organization’s lack of intent to violate the law and any voluntary efforts to cure the alleged violation. That means that putting in a solid effort to comply with California’s privacy regulations could go a long way in preventing fines.

What enforcement patterns tell us about compliance issues

To determine the areas where businesses are falling behind in their CCPA compliance issues (and to get a preview of where they probably need the most help when it comes to CPRA compliance), we need to first examine the typical enforcement patterns of regulators across the globe.

So far, consumer rights — opt-out and right-to-know, in particular — have dominated enforcement of the CCPA, and a $1.3 million settlement with makeup retailer Sephora over consumer opt-out requests not being respected was the first public CCPA enforcement action.

This is unsurprising, given the highly visible nature of the privacy notices and consent banners used to fulfill these rights, and the relative ease of investigating them, compared to back-end data security and governance requirements.

Looking to Europe, we can also see that regulators enforcing the GDPR have taken a similar focus. Since the enactment of the GDPR in 2018, consent-related issues have resulted in over 495 fines.

Privacy notices: Table stakes for CPRA compliance

Privacy policies and notices have been a basic component of data privacy compliance since the introduction of the GDPR back in 2018, and yet, many businesses still miss the mark, or are simply missing the requirement altogether. To date, there have been 17 CCPA enforcement actions related to non-compliant privacy policies.

The text of the CCPA and CPRA is clear that businesses must provide a clear and accessible privacy notice that informs consumers of:

• The categories of personal information collected about consumers and the purposes for which they are used.
  • The consumers’ rights regarding their personal information.
  • The process for consumers to make requests related to their data rights
  •  The categories of personal information that are sold or shared, as well as the categories of third parties with whom this information is shared.

The privacy policy must also include no less than two methods for submitting consumer rights requests. By addressing this requirement, businesses will have satisfied one of the most enforceable and visible provisions of the CPRA.

Technical considerations in implementing opt-out rights

The issue of compliance with the CPRA’s right to opt out is not so simple.

Under the CCPA, data subjects were granted the right to opt out of the sale of personal data. The CPRA has expanded that right to include the sharing of personal data. To facilitate this, Businesses must provide “do not sell/share” my personal data buttons in a conspicuous and readily accessible place on their websites.

This may seem like a straightforward addition to the CCPA’s requirements — and from a regulator’s perspective, it is — but the requirement to limit data sharing can be difficult to implement without strong consent management, data governance and third-party management capabilities. That’s because when a consumer opts out of data sharing, businesses are responsible not only for what they do with customer data but also for what third-party partners may do with the data.

Even when a customer has not opted out of data sharing, businesses are responsible for their third-party partners and must ensure they are compliant with the CPRA. Any data shared with a party not listed on your privacy notice constitutes a violation of the law.

For example, if you host website ads from a third party, you must ensure they do not store customer data. The same requirement extends to services such as trackers, telemetry, online assistants and shopping carts. You will need to monitor and control all data flows with third parties, and you will be responsible for any data leakage.

To comply with these requirements, businesses need the capability to intake and document opt-outs, communicate them to third parties and unilaterally block data collection and processing — all capabilities that can be difficult to achieve without robust consent management tools.

The CPRA’s requirement to recognize opt-out preference signals, also known as universal opt-out methods, or global privacy controls, presents another technical challenge. These mechanisms allow consumers to express their privacy preferences, particularly their desire to opt out of the sale or sharing of their personal data, at a global or universal level to every website or app they interact with.

Opt-out mechanisms are a relatively new standard. Current examples, such as the Global Privacy Control, work by communicating user preferences via HTTP headers, or javascript properties in the user’s browser. Under the CPRA, even where a business posts a “Do Not Sell My Personal Information” link, it must still process opt-out preference signals.

To comply with this requirement, businesses must implement the ability to automatically recognize opt-out signal identifiers and automatically cease the sale or sharing of data. 

California legislators have already taken significant action on this matter. In July 2022, California Attorney General Rob Bonta publicly endorsed the GPC specification, sending letters to several companies highlighting the CCPA requirement to honor the signal. A month later, he announced the $1.2 million settlement with Sephora, saying the company had failed to disclose the sale of personal information, did not provide an opt-out method, did not respect privacy signals and failed to confirm that third-party vendors and data processors were CCPA compliant.

Beyond CPRA: An evolving compliance landscape

While the U.S. still lacks a federal consumer data privacy law, legislators across the country are enacting them. We know California’s didn’t go into effect as planned in July 2023, but measures in Colorado and Connecticut did, and more are on the way — in 2024, privacy laws will go into effect in Montana, Tennessee and Texas.

These laws, while similar in many ways, each have their own requirements that make the task of managing consent across jurisdictions even more complicated. For national and regional businesses, this creates a difficult situation. They must either play by the toughest rules necessary to ensure broad compliance, or they must adopt technical measures, such as consent management and data governance platforms, to allow a granular, state-by-state compliance approach.

From an organizational perspective, it’s essential to stay alert and current. Privacy laws are continuously changing, with new rules and modifications emerging frequently. Businesses are required to monitor these developments closely and adjust their practices of managing consent in line with the changes.

Ultimately, understanding the complex web of worldwide privacy laws isn’t just about grasping the regulations. It also involves possessing the appropriate resources to implement these rules, along with the dedication to remain informed about the constant shifts in the data privacy law environment.