Nine Common CPRA Compliance Mistakes
Privacy & Compliance | April 11, 2023
With the California Privacy Rights Act (CPRA) taking effect in 2023, and the enforcement deadline of July 1st rapidly approaching, it’s crucial for businesses to understand and adapt to the changes it brings to the state’s privacy laws. Many businesses still struggle with compliance under the existing California Consumer Privacy Act (CCPA), which can lead to significant fines (up to $7,500 per affected consumer) and even legal action under the law’s private right of action. To help your business avoid these pitfalls, we’ve outlined the most common CCPA and CPRA compliance errors and the adjustments needed for the CPRA.
Misunderstanding CPRA/CCPA Applicability
Many businesses mistakenly believe that California privacy laws only apply to businesses based in California. However, the CPRA’s reach extends to any business serving California residents, regardless of the company’s location, if it meets any of the following criteria:
- You have annual worldwide revenue of more than $25 million.
- You buy, sell or share personal data about more than 100,000 Californian residents in any 12-month period. (This threshold also applies to households and devices in California.) This includes buying mailing lists.
- You make at least 50% of your annual revenue from selling the personal data of California residents.
If any of these criteria apply, you must follow the CPRA whenever you handle personal data about a California resident.
Failure to Provide a ‘Do Not Sell’ Notice
Although the CCPA says you must make available a wide range of information about your data handling, the precise location and format are often flexible. The key exception is the way you make it possible for customers to opt-out of the sale of their personal data, which the CCPA says you must do in a specific format.
Under the CCPA, and now under the CPRA, businesses must have a dedicated page allowing customers to opt-out of the sale of their personal data. Your homepage must contain a conspicuous and clearly visible link to that opt-out page, and it must be a text link using the wording “Do Not Sell My Personal Information.”
The CPRA also gave California residents the right to opt-out of the sharing of personal data, but the law does not explicitly require a separate “Do Not Share” link. Instead, it builds upon the CCPA’s requirements for providing consumers the ability to opt-out of the sale of their personal information. The CPRA expands the definition of “sale” to include “sharing” personal information for monetary or other valuable consideration. As a result, the existing “Do Not Sell My Personal Information” link under CCPA now covers both selling and sharing of personal information under the CPRA.
No ‘Limit the Use of My Sensitive Information’ Notice
Beyond the ‘Do Not Sell/Share’ notice, the CPRA also introduces new consumer rights regarding sensitive personal information, which require businesses to provide a link that allows users to limit the use and disclosure of their sensitive information. This link should be labeled “Limit the Use of My Sensitive Information” or combined with the “Do Not Sell” page using appropriate wording that encompasses both opt-out options. When consumers click on this link, they should be directed to a page that explains their rights regarding sensitive information and provides them with a straightforward method to submit their request.
Inadequate Opt-Out Methods
The CCPA says your “Do Not Sell” page must normally offer at least two ways to exercise the opt-out right. One of these methods must be a toll-free phone number.
The only exception to this principle is if you only operate online, and you have a direct relationship with the consumer. In this situation only, an email address is sufficient as a way to exercise the opt-out, with a secondary method not required.
Whatever method or methods you make available, you cannot require a consumer to create a new account to exercise their opt-out right.
Neglecting to Obtain Consent for Selling or Sharing Children’s Data
Under both the CCPA and CPRA, businesses must obtain explicit consent before selling or sharing the personal information of minors. Failing to acquire the necessary consent can lead to non-compliance and penalties. Here are the rules for obtaining consent under the CPRA:
For minors aged 13-16: Businesses must obtain the affirmative consent (also known as opt-in) of the minor themselves before selling or sharing their personal information. This requires a clear and easy-to-understand method for minors in this age group to provide their consent.
For minors under 13: Businesses must obtain the affirmative consent of the parent or guardian of the child before selling or sharing their personal information. To comply with this requirement, businesses should establish a reliable method for verifying the identity of the parent or guardian and confirm that they have the legal authority to provide consent on behalf of the child.
In addition to obtaining consent, businesses must also provide a straightforward way for minors or their parents or guardians to withdraw their consent at any time. This may include the implementation of an opt-out mechanism, such as the “Do Not Sell My Personal Information” or “Limit the Use of My Sensitive Information” links.
The CPRA also triples the fines for violations involving the personal information of minors (under 16 years of age). General violations related to minors’ data can result in fines of up to $7,500, while intentional violations may incur fines of up to $22,500 per affected minor.
Inadequate Employee Training
Lack of proper employee training can lead to unintentional violations of the CCPA and CPRA. It is essential to train your staff on the privacy laws, how they apply to your business, and the specific responsibilities they have in handling consumer data. Educating employees about privacy policies, data protection practices, and the proper procedure for addressing consumer requests can help prevent costly mistakes and ensure compliance.
Insufficient Third-Party Vendor Management
Businesses often work with third-party vendors that handle personal data on their behalf. Under both the CCPA and the CPRA, businesses are responsible for ensuring that their vendors comply with the privacy laws. Failing to adequately manage and monitor third-party vendors can result in non-compliance and potential fines.
To avoid this mistake, it is crucial to:
- Vet third-party vendors to ensure they adhere to privacy regulations and have robust data protection practices in place
- Establish clear contractual agreements specifying each party’s responsibilities and expectations regarding data privacy and security
- Regularly review and audit vendor performance to ensure ongoing compliance with privacy laws
By addressing these additional common mistakes and maintaining a proactive approach to privacy compliance, businesses can further reduce the risk of violations and ensure the protection of consumer data.
Inadequate Record Keeping
Other than the opt-out right, the CCPA isn’t based on restricting how you can use personal data or requiring that you get consent. Instead, it’s mainly about making customers aware of the ways you use personal data.
To achieve this, the CCPA organizes personal data into 11 categories. The categories are detailed in Section 1798.140(o)(1) of the California Civil Code. Broadly they cover:
- Names and numbers that identify an individual.
- Other personal information that identifies an individual.
- Information about characteristics about which it’s illegal to discriminate.
- Commercial information such as purchase history.
- Biometric data.
- Internet data such as browsing and search history.
- Geolocation data.
- Information in audio, video or image form.
- Professional or employment data.
- Education data that identifies an individual and isn’t public knowledge.
- Profiling using data from other categories to infer the person’s preferences, beliefs or other characteristics.
You must keep clear records of all your data use, broken down by category. This is vital so that you can comply with two sets of requirements.
Firstly, when you gather data you must tell the consumer:
- Which categories the data you are collecting falls into.
- For each category of data you collect, the purpose for which you’ll use it.
Secondly, you must be able to report, broken down by category, your:
- Collected data.
- Sold data.
- Disclosed data.
The only practical way to make sure you accurately provide this information is to keep comprehensive records of your data use, making sure you always know what category covers each piece of data.
Not Preparing For The CCPA’s Replacement
As of January 1st, 2023, the CPRA has replaced the CCPA, and enforcement is set to begin on July 1st. The CPRA retains most of the CCPA requirements while introducing several new ones. Businesses must be prepared to make the following changes:
- Adjust records to include a 12th category for sensitive data, such as race, religion, health, financial information, and government-issued numbers
- Implement a system to handle consumer requests to limit the use of their sensitive data for marketing purposes
- Create a new page for customers to exercise their right to limit the use of their sensitive information, or combine this with the “Do Not Sell” page
- Provide category-specific information about data retention and deletion when collecting data
- Update systems to accommodate new consumer rights, such as correcting inaccuracies in data and understanding if data is used for automated decision-making (profiling)
By addressing these common mistakes and preparing for the CPRA, your business can stay compliant with California privacy laws and avoid potential fines and legal issues.