CPRA Consent – All You Need To Know

The world of data protection and data privacy is ever-changing, and it can be hard to keep up with the latest news. One topic that has been getting a lot of attention lately is the CPRA consumer consent.

The California Privacy Rights Act (CPRA) defines consent in a new way, which adds specificity and detail to the definition of consent. This new definition is closely related to the General Data Protection Regulation, which outlines CPRA business requirements. Businesses will only be required to obtain consent in specific cases that align with the GDPR. Still, where consent is necessary, it is defined more strictly by the CPRA. Many businesses targeting California residents will have to implement new consent mechanisms on their websites and mobile applications that align with this new standard to access their consumer’s personal information.

In this blog post, we will explore everything you need to know about CPRA consent, from what it is to how it works to how you can get it for your website. By the end, you’ll clearly understand this important topic.

What is consent under the CPRA?

The CPRA, or California Privacy Rights Act, is a new privacy regulation passed in 2020. It amends the state’s existing privacy laws (mainly the California Consumer Privacy Act or CPPA). It gives Californians more control over their personal data while introducing a state regulatory body (California Privacy Protection Agency or CPPA).

The CCPA gave the right to know, access, consent, equality, retention of information, deletion, and portability. Under the CPRA, new rights are listed, such as the right to correct, the right to opt out of automated decision-making, the right to access information about automated decision-making, and the right to limit how sensitive personal information can be used.

The CPRA defines consent in a similar way that the GDPR does. Consent is “a freely given, specific, informed, and unambiguous indication of a data subject’s agreement to the processing of his or her personal data.” According to this definition, the CPRA emphasizes the importance of specific, informed, freely given, and unambiguous consent. The GDPR definition is much more stringent, requiring opt-in for all consumer data collection.

CPRA requires businesses to incorporate improved consent standards on their websites and mobile applications. However, consent is only required in certain circumstances. In other words, you must explicitly agree to collect and use your personal data. This can be done through a written statement, an electronic statement (such as clicking a box), or a verbal statement.

The CPRA requires state and local agencies to make public records available to the public upon a consumer's request unless the records are exempt from disclosure. One of the key exemptions to disclosure under the CPRA is information protected from disclosure by a consumer’s right to privacy.

For information to be protected from disclosure under the CPRA, the individual must have a reasonable expectation of privacy. This means that the information must not be generally known or readily accessible and must be subject to an objectively reasonable expectation of privacy.

Customers are entitled to a clear, genuine relationship with the businesses that offer them goods and services. “Dark patterns” will not be tolerated under the CPRA (CPRA Full Text Summary). Current examples of these actions that should not be sought after include disguised ads, continuous subscriptions from a free trial, or pre-selected preferences embedded within other unrelated content. The most recent amendment prohibits some dark pattern practices. It may also illustrate what businesses should avoid if they want to practice honest business: double negatives, requiring customers to review all reasons for giving consent, or burying consent deep within the longer text.

Businesses will probably also want to know more about how they currently identify consumers who have opted out, such as by using a global privacy control, and what systems need to be put in place to ensure enough consent is given before collecting and selling more data on those consumers. This may necessitate changes to a company’s website, mobile app, or privacy policy to support an affirmative consent process when a consumer has opted out. When a pop-up or targeted email may be required to gain consent, businesses must consider making changes without inviting the cookie consent fatigue that accompanies similar opt-in consent requirements under the GDPR.

Sensitive Personal Information under the CPRA

The CPRA defines sensitive personal information as personal information that reveals:

• a consumer's Social Security number or other state identification number;
• a consumer's account log-in, financial account, debit card, or credit card number, along with any required security or access code, password, or credentials that allow access to an account;
• a consumer's geolocation;
• a consumer's race or ethnicity, religious or philosophical beliefs;
• the contents of a consumer’s mail, email, or text messages unless the business is the intended recipient of the communication; and
• a consumer’s genetic data.

Sensitive personal information also includes the use of biometric information to identify a consumer, the collection and analysis of personal information about a consumer's health, and the collection and analysis of personal information about a consumer's sex life or sexual orientation.

Except for political opinions, sensitive personal information under the CPRA includes and adds to the special categories of personal data listed in the GDPR. The GDPR, on the other hand, makes it illegal to process special categories by default. Controllers must show that processing is allowed because of one of the listed exceptions, such as express consent.

Under the CPRA, on the other hand, it is up to the consumers to make sure that processing is limited to certain activities. Consumers have the right to limit the use and disclosure of sensitive personal information to certain business purposes, such as helping to ensure data security and integrity, non-personalized advertising, performing services on behalf of the business, or doing things to verify, maintain, or improve the service or device that the business owns or controls. Service providers and contractors will also have to limit the sensitive personal information they collect to what is necessary for the business tasks they help with.

The CPRA further prescribes several methods by which businesses would be required to enable consumers to limit the use and disclosure of sensitive personal information:

• by providing a link on their homepage titled “Limit the Use of My Sensitive Personal Information,”
• by utilizing a single link which would easily allow consumers to limit the use of their sensitive personal information and to opt-out of the sale and sharing of their personal information; or
• by complying with the automatic opt-out preference signal.
  

Express consent vs. implied consent

Two types of consent may be required under the CPRA regulations: express and implied consent. Express consent is when an individual explicitly agrees, in writing, to disclose their personal information. Implied consent is when an individual's actions indicate that they are aware that their personal information may be disclosed and take no steps to prevent it.

For example, if an individual provides their name and contact information to a state agency to receive a service, they have given their implied consent to disclose that information to any third party who requests it, unless they have specifically requested that their information remain confidential.

The GDPR and CPRA differ concerning implied consent versus opt-in consent: The GDPR doesn't recognize implied consent. This means that a pre-checked box would be considered implied consent under European data privacy laws. On the other hand, the CPRA is an opt-in law. However, the law does anticipate specific use cases where opt-out would be implemented instead of opt-in. Keep in mind that users always have the option of opting out of anything collected about them--even if they previously opted into it.

The following are sample use cases where opt-out consent applies:

• Automated decision-making (Profiling)
• Cross-Context Behavioral Advertising (Targeted Advertising)
• Processing of Personal Data
• Processing of Personal Data of Minors
• Sale or Sharing of Personal Information
• Use of Sensitive Data

The following are sample use cases where opt-in consent applies:

• Sale or Sharing of Personal Information of Minors (Note that If you are selling or sharing the personal information of minors, you need the consent of their parent or guardian.)
• Secondary or Additional Use of Data
• Re-Opt-In for Sale After Previously Opting-Out
• Participation in Financial Incentive Programs
  

Does the CPRA require consent?

While GDPR has a very stringent definition of opt-in – it needs to be freely given, specific, informed, and unambiguous – the CPRA provides a looser interpretation. Another difference: the GDPR requires opt-in for all data collection, while the CPRA only requires opt-in for specific data types.

The CPRA does not require consent for every use or disclosure of protected health information. In some cases, consent is not required by law; in other cases, the covered entity may seek a waiver of the consent requirement. The following are examples of when consent is not required:

1. When the use or disclosure is required by law
2. For public health activities
3. For health oversight activities
4. For research purposes
5. To avert a serious threat to health or safety
6. For specialized government functions
7. For workers’ compensation purposes

The CPRA requires that service providers obtain consent from individuals before collecting, using, or disclosing their personal information. Consent must be obtained for each specific purpose for which the information will be used. For example, if an organization wants to use an individual's personal information for marketing purposes, it must first obtain the individual's consent.

Organizations must maintain CPRA compliance and obtain consent from individuals in various situations, including when collecting personal information from new customers or employees, when using personal information for a new purpose, and when disclosing personal information to a third party. In some cases, consent may be implied, such as when an individual provides their personal information to enter into a contract with an organization.

Organizations must ensure that they obtain consent from individuals in a manner that is consistent with the requirements of the CPRA. For example, consent must be obtained in writing if the personal information being collected is sensitive in nature. In addition, organizations must ensure that individuals have the right to withdraw their consent at any time.

CPRA on opt-out consent

In addition to saying, "Do not sell or share my personal information", the new CCPA regulations require a link to "limit the use of my sensitive personal information" be presented on the homepage. And much like the "Do not sell or share my personal information" link, it needs to be conspicuous. And it needs to point to a web page that gives complete information on how consumers might make better decisions regarding the use of sensitive personal information and the sale of personal information.

An opt-out preference signal should provide a user with a frictionless option to opt-out of the sale. A good example of this would be global privacy controls, which allow users to control their data regardless of the site they visit or the app they use.

The link must also direct consumers to a website with detailed information on how they can opt-out and restrict their personal data as per CPRA.

Final thoughts

Just because your business is compliant with GDPR and CCPA doesn’t mean it is automatically compliant with CPRA. You must triple-check the CPRA requirements as it is still different from the other two.