Disclaimer: These Summaries and FAQs regarding the California Privacy Rights Act (CPRA), amending and renaming the California Consumer Privacy Act (CCPA), are intended solely for informational purposes and are not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all requirements of the CPRA. If you have questions about complying with the CPRA, you should contact your legal counsel.
The CPRA, a ballot initiative passed by voters in November 2020, amends the CCPA and renames the CCPA to the CPRA. The CPRA includes additional privacy protections for consumers as discussed below.
- Opt-Out of Sharing for Targeted Advertising. The CPRA extends a consumer’s right to opt out of sales to include a right to opt out of the sharing of the consumer’s personal information for targeted advertising (defined as “cross-contextual behavioral advertising”), whether such sharing is made with or without consideration. The CPRA contains an opt-out requirement for the sharing or sales of personal information, with the exception of the sharing or sales of personal information relating to children under the age of 16. (Children aged 13 to 16 must provide opt-in consent for the sale of their personal information. Website owners collecting, using, selling, or sharing personal information relating to children under the age of 13 must obtain verifiable parental opt-in consent to do so.)
- The CPRA does not outright prohibit the sharing of personal information. Rather, if a company shares personal information for targeted advertising, the company must provide notice of this to the consumer and give the consumer at least 2 methods for opting out of the sharing of personal information for targeted advertising, one of which must be an interactive webform for opt-out requests. Use of the Technology to acquire email addresses and send emails to those addresses is sharing under the CPRA, which would require notice and the ability to opt out of such sharing.
- There are few exclusions from a “sharing” of personal information triggering the opt-out requirements, including when a Technology user directs the Technology provider to intentionally disclose personal information to one or more third parties.
- If the Technology user desires to permit the Technology provider or any other third party to use the personal information for their own purposes outside of providing services to the Technology user, the Technology user should comply with the notice and opt-out requirements under the CPRA relating to the sharing of personal information for targeted advertising.
- On its website homepage, a user of the Technology should provide a clear and conspicuous link titled “Do Not Sell or Share My Personal Information” that enables a user to opt out of the sharing of a visitor’s personal information.
- In its CPRA privacy notice, a user of the Technology should disclose and describe that, among other things, the website owner uses tracking technology to collect identifiable information about visitors (e.g., an email address or hashed email address), how it uses the information and that it shares the information with third parties (e.g., with the Technology provider to identify email addresses of visitors). Details will vary depending on the nature of the website and particular Technology used.
- Vendor Agreements. Under the CPRA, specific language is required in business agreements depending on the nature of the business arrangement between the parties.
- Sale of Personal Information. While the CPRA does not outright prohibit the sale of personal information, the newly defined term “sharing” broadly encompasses targeted advertising. The separate definition of sharing suggests that such activities may no longer be considered sales under the CPRA.
- Opt-out of Profiling and Automated Decision Making. While not detailed in the CPRA, the CPRA vests the Attorney General or a soon-to-be-formed governing body, the California Privacy Protection Agency, with the authority to further establish rules governing access and opt-out rights with respect to automated decision-making technology, including profiling.