This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question: With the California Privacy Protection Agency now free to enforce its amended CPRA regulations, what is a last minute checklist of the things I should make sure my company has in place?
Answer: As a result of the California Court of Appeal’s February 9th ruling, the California Privacy Protection Agency (CPPA) is now free to begin enforcing the amended California Consumer Privacy Act (CCPA) regulations that were finalized in March 2023 (the “Regulations”). This means that businesses can be investigated and penalized under the Regulations now, whereas, prior to this ruling, businesses had until March 29, 2024 before enforcement would begin.
The following checklist may help businesses conduct a high-level check, now that the Regulations will be enforced.
- Check that your Privacy Policy and Notice at Collection have been updated pursuant to the Regulations.
- Check that your privacy-related disclosures are readable (even on a small screen), understandable, ADA-compliant, and printable.
- Check that there are links to your Privacy Policy and opt-out mechanism(s) in your website footers/menus and mobile app platform and/or download page, and that the links are in a similar font size and color to adjacent links.
- Check that you provide your Notice at Collection at the locations where you collect personal information from consumers, online and offline.
- Implement the Global Privacy Control (GPC) per the Regulations’ requirements if your business sells personal information or engages in cross-context behavioral advertising. Include information in your Privacy Policy and Notice at Collection about how consumers can use the GPC and how your business will process the signal (e.g., whether the signal applies to the device, browser, consumer account, and/or offline sales, and in what circumstances).
- Check that the purposes for which your business uses personal information are reasonably necessary and proportionate to achieve the original purposes for which the information was collected (note that such purposes must be consistent with the reasonable expectations of consumers), or for a compatible disclosed purpose, or subject to consumers’ consent.
- Avoid the use of dark patterns as defined under the CCPA and Regulations.
- Check your user interfaces to confirm that methods for consumers to submit privacy requests or provide consent are easy to understand, provide symmetry in choice, avoid language or interactive elements that are confusing to the consumer (such as double negatives), avoid choice architecture that impairs or interferes with the consumer’s ability to make a choice (such as “bundled” choices), and are easy to execute (for example, do not add unnecessary burden or friction to the process of submitting a request or providing consent). The path for a consumer to exercise a more privacy-protective option should not be longer, contain more steps, or be more difficult or time-consuming than the path to exercise a less privacy-protective option. Choice options should be evenly expressed, such as “Yes” and “No” instead of “Yes” and “Ask Me Later,” and “Accept All” and “Decline All” instead of “Accept All” and “More Information.”
- Check your privacy-related disclosures, consent requests, and privacy rights mechanisms for broken or circular links and non-functional email addresses. Check spam filters on email addresses used by consumers to make privacy requests to help ensure that legitimate emails are received in an inbox that is monitored.
- Update your internal procedures for processing consumer correction requests to conform to the Regulations, which contain details on how to respond to requests to correct information.
- Determine whether your business uses sensitive personal information about consumers for a purpose that requires you to provide them with the right to limit your business’s use and disclosure of their sensitive personal information. If so, update your privacy-related disclosures and provide appropriate mechanisms for consumers to exercise this right.
- Confirm that your service provider contracts include the provisions required by the Regulations.
- Confirm that your agreements with third parties to which you sell personal information, or with which you share personal information for cross-context behavioral advertising purposes, contain the provisions required by the Regulations.
- Update your internal training materials to cover the additional details set forth in the Regulations.
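The Global Privacy Control item above asks businesses to process the GPC signal and to say how it is scoped. The following is an added illustration, not code from MoFo or the CPPA, of the mechanics a web team would put behind that disclosure: browsers that send GPC include the request header `Sec-GPC: 1` and expose `navigator.globalPrivacyControl` to page scripts. The session-record fields (`optedOutOfSaleOrSharing`, `optOutSource`, `optOutAt`) and the policy of treating the signal as a browser-level opt-out that persists even when a later request lacks the header are assumptions chosen for the example.

```javascript
// Added example (not MoFo's or the CPPA's code): honoring a Global Privacy
// Control (GPC) opt-out signal. Assumes the browser sends "Sec-GPC: 1" and that
// the site keeps a per-session preference object; field names are assumptions.

// Returns true when the request headers carry a valid GPC signal.
// The GPC header value is exactly "1"; anything else is treated as no signal.
function gpcSignalPresent(headers) {
  // HTTP header names are case-insensitive, so normalise before comparing.
  const entry = Object.entries(headers || {})
    .find(([name]) => name.toLowerCase() === "sec-gpc");
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Record the opt-out on the session. A stored opt-out is never reverted just
// because a later request happens to omit the header (assumed policy): the
// consumer would have to affirmatively opt back in through the site's own UI.
function applyGpc(session, headers, now = new Date()) {
  const updated = { ...session };
  if (gpcSignalPresent(headers) && !updated.optedOutOfSaleOrSharing) {
    updated.optedOutOfSaleOrSharing = true;
    updated.optOutSource = "gpc";          // audit trail: why the flag was set
    updated.optOutAt = now.toISOString();  // audit trail: when it was set
  }
  return updated;
}

// Gate every sale/share decision (ad pixels, data-partner exports, etc.)
// on the stored preference rather than on the presence of the header.
function mayShareWithAdPartner(session) {
  return session.optedOutOfSaleOrSharing !== true;
}

// Client-side counterpart: the same signal is exposed to scripts as the boolean
// navigator.globalPrivacyControl. Guarded so the function also runs under Node.
function clientGpcEnabled(nav = (typeof navigator !== "undefined" ? navigator : {})) {
  return nav.globalPrivacyControl === true;
}

// Constructed sample requests for the walkthrough below.
const requestWithGpc = { headers: { "Sec-GPC": "1", "User-Agent": "constructed-browser" } };
const requestWithoutGpc = { headers: { "User-Agent": "constructed-browser" } };

// Walk one session through a GPC request followed by a request without the header.
function demo() {
  let session = { id: "constructed-session", optedOutOfSaleOrSharing: false };
  session = applyGpc(session, requestWithGpc.headers);
  const afterFirst = mayShareWithAdPartner(session);      // false: opted out
  session = applyGpc(session, requestWithoutGpc.headers);
  const afterSecond = mayShareWithAdPartner(session);     // still false
  return { session, afterFirst, afterSecond };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point of keeping the preference on the session rather than re-reading the header on every request is that the disclosure required by the Regulations (whether the signal applies to the device, browser, or account) becomes a deliberate, documented decision in one place, and the downstream checks stay simple.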
The CPPA is working on three more sets of CCPA regulations that are currently in draft form. Businesses should start reading them now, in their draft form, and preparing for their finalization. For a summary of these draft regulations, see our client alert.