As the year ends, privacy and legal departments can audit external-facing privacy statements and other website practices to ensure compliance with the California privacy law amendments, which take effect in January 2023.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), sets forth requirements for businesses that collect personal information of California residents, with heightened requirements for businesses that sell or share that information. The regulations broadly define “sell” and “share” to include data transfers that do not require a monetary payment, including for advertising purposes, cross-marketing initiatives, product discounts and service enhancements.
“Selling” is defined as the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information by any means for monetary remuneration or any other valuable consideration. Leaning into contract principles, the remuneration element can even take the form of a nominal discount on services, service enhancements and other smidgeons of consideration.
This definition of a sell will cover situations where unrelated entities form information partnerships where each entity benefits from the sharing of consumer data. A simple example of this is frequent-flyer or credit card award programs. Consumer personal data is shared between entities to run the programs and make a greater number of awards available to their customers. Each entity benefits, as they can provide more enticing programs to their customers, which drives up business.
Processing by third-party service providers should also be scrutinized under these broad definitions, as state regulators have made clear that they will treat data transfers as “sharing” if a data-processing agreement or service provider addendums are not in place.
Important Details
For businesses that fall under the scope of the CPRA, there are several areas that need immediate evaluation, including:
Year-End Website Audit
An audit can review your compliance with the new law. The critical point to remember when using a single link is to ensure that it leads consumers to information that explains their rights and makes it clear how to easily exercise them. If they do not meet the exception, businesses will need to ensure that the links they provide, their privacy policies, and consumer privacy rights request processes are aligned to meet the requirements of the CPRA.
Businesses will still be required to include statements in their privacy notices and policies regarding personal information selling or sharing activities, even if it is only to state that they do not do so.
John F. Howard is an attorney with Clark Hill in Scottsdale, Ariz. Myriah V. Jaworski is an attorney with Clark Hill in San Diego, Calif. Ilya Smith is an attorney with Clark Hill in Chicago. © 2022. All rights reserved. Reprinted with permission.
This content was originally published here.