On January 1, 2023 the California Privacy Rights Act (CPRA) went into full effect. Known as Prop 24 on the November 2020 California ballot, the CPRA is best described as an amendment that significantly expands and clarifies the 2018 California Consumer Privacy Act (CCPA), a suite of consumer privacy rights that regulates the collection and sale of personal information.
You can view the complete text of the CPRA here.
Marker Seven serves clients from all kinds of businesses whose websites serve customers in California and are impacted by this landmark legislation. If you are concerned that your business and your website are also affected, here are several questions that you should have your own legal team answer. Now is the time to make sure your website is ready.
Who does this law apply to? According to the CPRA, a liable business is any for-profit entity that collects, shares or sells California consumers’ personal information and meets at least one of the following criteria:
- Has a gross annual revenue of over $25 million;
- Buys or sells, or shares the personal information of 100,000 or more consumers or households; OR
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
(See subdivision 1798.140(d) for complete definition)
This leads to an obvious follow up question: What data counts as personal information? In a nutshell, “personal information” is any piece of data that identifies, describes or could be reasonably linked to a particular consumer or household. (See subdivision 1798.140(o)(1) for complete definition)
So, what does the CPRA (in combination with the CCPA) mean for businesses that gather customer data?
The CPRA describes The Responsibilities of Businesses here. Several center around an “easily accessible means” for consumers to exercise their privacy rights. For many businesses, the most easily accessible means of reaching their consumers is through their website.
Here are some questions to ask when evaluating your website:
Are you collecting more information than you need? Web forms and customer registration forms cannot simply gather information for the sake of gathering it. You can’t ask a customer to report their shoe size if you sell hair color products, for a silly example. Review your forms and make sure that every field has a clear, customer-oriented reason for being filled in. More detail is provided in the Responsibilities of Businesses.
- Informs consumers of their rights
- Informs consumers of the kinds of personal information you have collected, or disclosed or sold to others
- Discloses how long you keep personal information or explains the criteria by which you use to determine how long it is kept
- Tells consumers how to contact you for privacy requests such as deleting or correcting information
How will your customers control their information? The CPRA grants consumers the right to control their personal information, including limiting its use and preventing its disclosure to others. Meeting these requirements will look different for every business and will depend largely on internal business practices and the kind of information needed, gathered, and used.
If you gather information on your website, you may need to build “opt-out” functionality into your workflows, or include additional links to information about how to do so, for example. Marker Seven can work with you to design a satisfying user experience that meets your compliance requirements and works with your internal processes.
How will your customers make personal data requests? The CPRA requires businesses to respond to consumers who have requested information about, or corrections to, any personal data that you store. Similarly, you must delete consumer data if requested to do so and direct any service providers you use to delete as well. (There are several exceptions to this rule, however, so be sure to seek legal counsel if you do not wish to – or cannot – comply.)
It further specifies that consumers “should be able to exercise these options through easily accessible self-serve tools”. (see Consumer Rights above)
Just like opting out, you will need internal processes and resources to fulfill requests and comply with consumer privacy preferences. But, having your website provide that first point of “easily accessible” contact for making privacy requests can save you customer support hours and prevent customer frustration.
Is the data safe? The CPRA requires businesses to “take reasonable precautions to protect consumers’ personal information”. While this is just good common sense, the California legislation gives consumers and the government additional avenues for holding data holders accountable if personal information is leaked or stolen. So it’s good business sense, too.
Marker Seven has extensive experience helping businesses understand and implement website updates and features that resolve legal compliance issues. We are experienced engineers and UX designers and have worked with companies and legal teams of all sizes.
- California Consumer Privacy Act of 2018 (CCPA) – Office of the California Attorney General
- The California Privacy Rights Act of 2020
- Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information – Pew Research Center