Getting Ready for CPRA – Answers to Your Questions
During WireWheel’s webinar on preparing for CPRA, we received many questions concerning the details of what needs to be done to be prepared for January 1, 2023. Below are answers to some of those questions.
All service providers, contractors and 3rd parties processing personal information on your behalf need to be contractually bound to CCPA/CPRA compliance.
Assessments can be used to identify as much information as possible for you to make a business decision based on the potential risk of working with a specific analytics provider. The goal of an assessment is to understand and remediate any risks associated with a specific processing activity. Once you do an assessment, if the scope of that activity changes or new legislation comes into effect, new assessments should be done for that processing activity.
Assessments are required for:
- Risky data processing
- Processing data that creates a significant risk to consumer privacy or security
- Sensitive data
- Targeted advertising
- Selling/sharing personal information
- Service providers, contractors, 3rd parties
- Processing personal information
- Data brokers
- Adtech vendors
Note: It is unlikely that the larger providers such as Google will respond to your outreach based on the large volume of requests they receive. They do however post their standard PIA questions and data protection language on their websites for your review.
Automated decision-making or profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Topic: Consent Requirements
Under CPRA, consent is required for the following:
- Re-Opt-In for Sale After Previously Opting-Out
- Participation in Financial Incentive Programs
- Sale or Sharing of Personal Information of Minors
- Secondary or Additional Use of Data
Opt-out is required for:
- Automated decision-making (Profiling)
- Cross-Context Behavioral Advertising (Targeted Advertising)
- Sale or Sharing of Personal Information
- Use of Sensitive Data
No consent required for:
- Processing of Personal Data
- Processing of Personal Data of Minors
Note: A pre-checked box is not considered express consent.
Topic: Sephora judgment and Global Privacy Control (GPC)
It is likely that the Sephora result would have been the same under CPRA. The key violations that the Office of the Attorney General (OAG) called out included not disclosing that they share/sell data, not honoring Global Privacy Control (GPC) as a pathway to opt-out and failing to remediate the violations in the given cure period (30 days). All of this will follow suit under CPRA.
The California OAG outlined that Global Privacy Control (GPC) signals must be honored under the CCPA as “Do Not Sell” requests. The California Privacy Protection Agency (CPPA) takes the approach that “Opt-out Preference Signals” generally must be honored as a “Do Not Sell/Share” request and/or a “Limit the use of My Sensitive Personal Information” request. Businesses that do this in a “frictionless manner” may choose to not include links for do not sell/share and limit the use of my sensitive data requests. A frictionless manner as described in the draft regulations means:
- Not charging a fee or other valuable consideration, not changing the consumer’s experience with the product or service offered, and not displaying a notification, pop-up, text, graphic, animation, sound, video, or interstitial content in response to the opt-out preference signal
- Ensure the signal also effectuates opt-outs of any offline sales/shares
- The draft regulations do not address the technical specifications for opt-out preference signals
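The two sections above describe a preference-handling rule set rather than a protocol: an opt-out preference signal is to be treated as both a “Do Not Sell/Share” and a “Limit the use of My Sensitive Personal Information” request, honored without any pop-up or interstitial, and applied to offline sales/shares as well; separately, a re-opt-in after an opt-out needs express consent, and a pre-checked box does not count. The following Python is an added illustration of those rules, not WireWheel’s code or any regulator’s reference implementation. It assumes the signal arrives as the Global Privacy Control request header `Sec-GPC: 1` (the GPC specification’s header, which the draft regulations themselves do not name) and uses a constructed in-memory preference record in place of a real consent store.

```python
"""Model of honoring an opt-out preference signal and express re-opt-in.

Added example. Assumptions (not from the page): the signal is the GPC
request header `Sec-GPC: 1`; preferences live in an in-memory dataclass.
"""
from dataclasses import dataclass, field
from typing import List, Mapping


@dataclass
class PrivacyPrefs:
    """Per-consumer record consulted by every channel, web and offline."""
    do_not_sell_share: bool = False
    limit_sensitive_pi: bool = False
    # Anything queued here would be shown to the user; the frictionless
    # path must leave it empty when reacting to the signal.
    pending_notices: List[str] = field(default_factory=list)


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries `Sec-GPC` with the exact value '1'.

    HTTP header names are case-insensitive, so normalise before lookup;
    any value other than '1' (e.g. '0' or garbage) is not a signal.
    """
    normalised = {k.lower(): v.strip() for k, v in headers.items()}
    return normalised.get("sec-gpc") == "1"


def apply_opt_out_signal(headers: Mapping[str, str], prefs: PrivacyPrefs) -> PrivacyPrefs:
    """Honor the signal as Do Not Sell/Share AND Limit Use of Sensitive PI.

    No notice is queued: displaying a pop-up or interstitial in response
    to the signal would fail the frictionless test described above.
    """
    if gpc_signal_present(headers):
        prefs.do_not_sell_share = True
        prefs.limit_sensitive_pi = True
    return prefs


def record_express_consent(prefs: PrivacyPrefs, box_checked: bool, user_acted: bool) -> bool:
    """Re-opt-in to sale/sharing after an opt-out.

    Consent is recorded only when the box is checked AND the user took an
    affirmative action on it. A pre-checked default the user never touched
    is not express consent, so the opt-out stays in force.
    """
    if box_checked and user_acted:
        prefs.do_not_sell_share = False
        return True
    return False


def may_sell_or_share(prefs: PrivacyPrefs, channel: str) -> bool:
    """The same record governs every channel, so an opt-out received on
    the web also blocks offline (e.g. call-centre or mail) sales/shares."""
    assert channel in {"web", "offline"}, "constructed channel labels"
    return not prefs.do_not_sell_share


def may_use_sensitive_pi(prefs: PrivacyPrefs) -> bool:
    return not prefs.limit_sensitive_pi


if __name__ == "__main__":
    # Constructed request headers standing in for a browser with GPC on.
    request_headers = {"User-Agent": "example-browser", "Sec-GPC": "1"}
    record = apply_opt_out_signal(request_headers, PrivacyPrefs())
    print("sell/share on web:", may_sell_or_share(record, "web"))
    print("sell/share offline:", may_sell_or_share(record, "offline"))
    print("use sensitive PI:", may_use_sensitive_pi(record))
    print("pre-checked box counts as consent:",
          record_express_consent(record, box_checked=True, user_acted=False))
```

The design point is that the signal is folded into one consumer-level record rather than a per-page cookie: whichever channel later asks “may I sell or share?” reads the same flags, which is what makes the offline requirement in the list above satisfiable, and what a persistence layer such as the one described next would need to store.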
WireWheel’s UPCP solution can persist a user’s choices across multiple channels, which can significantly reduce, or eliminate, the number of prompts shown to an end user.
Employee Data Subject Access Requests (DSARs)
The Employee/HR exemption expires under the CPRA effective January 1, 2023. The exemptions that will expire cover the personal information of job applicants, employees, owners, directors, officers, and independent contractors in the context of an individual’s employment or application for employment, and personal information reflecting written and verbal communications where a consumer is acting in a business-to-business commercial transaction. They also cover personal information collected by a business for emergency contact purposes and personal information necessary for a business to retain and administer employee benefits, provided the information is used only for those purposes.
Businesses must develop internal and external policies and procedures for accepting, verifying, and responding to employee requests to access, correct, and delete personal information collected on the employee. They also will need to analyze whether they are “selling” or “sharing” employee personal information and, if so, allow employees to opt-out of the same. Finally, businesses will need to consider whether they are collecting sensitive personal information as the CPRA defines the term and, if so, whether they must provide employees with the right to limit the business’ use of such sensitive personal information.
Employee access requests will prove to be especially sensitive and challenging as they can be a precursor to litigation. Businesses should treat any such requests like discovery requests in litigation and ensure that the information provided is limited to the statutory requirements, reflects a complete search of company records, and that any necessary redactions are made.
Additional things to look at include:
- Generally the same rules apply to employee-based marketing as consumer-based marketing. All consents and preferences must be honored.
- Based on the draft regulation language, independent contractors are likely to be considered part of your workforce. CPRA does have a 12-month lookback on data. To date, there has been no specific information on whether it applies differently to employee data.
- Workspace and work equipment browsing, texting, email or any other repository of personal information will likely be in scope, notwithstanding sensitive information, information about other employees discovered in the request or information tied to litigation.
- There is no specific guidance on whether a dedicated section or a separate privacy notice is required for employees.
- It is possible that certain CA employment legislation may preempt CPRA and that certain rights, such as opt-out of sale and limit sensitive information, may not apply in an employment context. This will need to be contemplated and clarified by the California Privacy Protection Agency.
- If HR Diversity, Equality & Inclusion (DEI) surveys include personal information that “infers characteristics,” they would likely be in scope.
CPRA goes into effect on 1/1/23. Enforcement begins 7/1/23. CCPA, however, is in effect and being enforced. Currently under CCPA there is a 30-day cure period after being notified of a violation to remediate. This cure period will sunset under CPRA. CCPA will be enforced by the California Office of the Attorney General (OAG) until December 31, 2022, and by the California Privacy Protection Agency (CPPA) effective January 1, 2023.
CPRA vs. GDPR
CPRA requires opt-in consent for a few specific use cases. However, for many companies, there will be differences between their CCPA and GDPR compliance plans. They may have different systems, processes and teams involved with the collection and processing of data between the US and the EU. It’s recommended that privacy teams analyze their data flows and their ability to support requests from data subjects, particularly in the employee space given the upcoming requirements in 2023.
Sensitive Personal Information (PI)
The CPRA defines “sensitive personal information” as personal information that reveals (a) a consumer’s Social Security or other state identification number; (b) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (c) a consumer’s geolocation; (d) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (e) the contents of a consumer’s mail, email, or text messages, unless the business is the intended recipient of the communication; and (f) a consumer’s genetic data.
We believe that this includes:
- The last four digits of the Social Security number
- IP addresses and DeviceIDs
- Biometric information from CCTV images if used in the context of facial recognition or other identification purposes
Targeted/ Cross-Contextual Advertising
Targeted advertising is a type of advertising in which advertisements are placed so as to reach consumers based on traits such as demographics, purchase history, or observed behavior. Cross-contextual behavioral advertising may leverage automated decision-making, but the two are not synonymous. Automated decision-making also includes activities such as creditworthiness decisions, profile-based pricing, or certain aptitude tests.
Any information or materials that WireWheel provides, including but not limited to presentations, documentation, forms, and assessments, are neither legal advice nor guaranteed to be accurate, complete or up-to-date.
Participants are encouraged to seek the advice of licensed attorneys regarding any legal compliance or other legal matters related to the matters discussed or presented in this webinar and the related materials. The information and materials provided in this webinar are not intended as legal advice, and participants should not rely on them as such.