The California Consumer Privacy Act (CCPA) has been in effect since 2018, but starting on January 1, 2023, it’s getting a major update. Passed by voters in 2020, the California Privacy Rights Act (CPRA) adds a lot to the existing privacy law.
Here are the five biggest changes going into effect in 2023.
The CPRA has added two new privacy rights for consumers, and along with them come two new privacy requests that businesses must respond to.
Responding to these requests within the allowed time limit will take prior planning, especially in the case of requests to limit.
Global Privacy Control (GPC) is a browser signal that indicates a website visitor’s privacy preferences, in particular their desire to opt out of targeted advertising.
It is not a new concept introduced by the CPRA. The basic idea hearkens back to the failed Do Not Track standard that was developed in 2009 but never widely adopted. The term global privacy control actually comes from the original CCPA, which discusses the possibility that such a signal could exist in the future. In response to this, a consortium of tech companies developed the GPC standard, and it has already been implemented on many major websites.
What the CPRA has done is make it mandatory that businesses respond to the GPC signal from consumers’ browsers (and any other similar technology that may be developed in the future), and treat it as a valid request to opt out. There was some initial confusion about this, but the California Privacy Protection Agency has since clarified that respecting the GPC signal is not optional.
One of the changes in the CPRA that may have the farthest-reaching consequences is the creation of the California Privacy Protection Agency (CPPA). As a first-of-its-kind government office in the United States, the CPPA is dedicated exclusively to CCPA enforcement.
With the power to impose administrative fines and create new regulations, the CPPA will have great influence over the privacy landscape. Once it fully takes over duties from the California Attorney General’s Office in July 2023, there is every reason to believe that CCPA enforcement will increase significantly.
Contract review will be a major component of CCPA compliance going forward. The law already required that contracts with service providers contain certain limitations on the use of personal information; the CPRA introduces contract requirements for all disclosures to third parties, contractors, and service providers.
Contracts must state that personal information is being disclosed for limited purposes, require the recipient to comply with all legal obligations under the CCPA, and give the business authority to verify the recipient’s compliance. Any disclosure not made pursuant to such a contract is unlawful.
An often-overlooked change included in the CPRA is the new purpose-limitation rule. Businesses must restrict their processing of consumers’ personal data to what is necessary and proportionate to achieve the purpose for which it was collected. If the business uses the data for another purpose, it must be compatible with the context in which it was originally collected.
For example, if a business collects personal information in order to provide cloud storage for photos, further using that data to develop facial recognition software would not be compatible with the original purpose, unless it was made very clear to consumers in advance.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.