California Privacy Rights Act (CPRA) – what, when and consequences for your website?
The California Privacy Rights Act (CPRA) is a new state-wide data privacy bill passed into law on November 3, 2020.
It underscores California’s position as the US frontier in data privacy legislation, as it significantly expands upon the existing California Consumer Privacy Act (CCPA) that took effect on January 1, 2020.
In short, the California Privacy Rights Act (CPRA) works as an addendum to the CCPA – strengthening rights of California residents, tightening business regulations on the use of personal information (PI), and establishing a new government agency for state-wide data privacy enforcement called the California Privacy Protection Agency (CPPA), among key changes to the Golden State’s data privacy regime.
The California Privacy Rights Act (CPRA) goes fully into effect on January 1, 2023. Enforcement is scheduled to begin on July 1, 2023 – with a so-called lookback period to January 1, 2022, meaning data collected from that date on is liable for compliance.
Want to know more about CPRA?
Check out our blog post: California Privacy Rights Act (CPRA)
CPRA requirements for CMPs
The CPRA is meant to generally regulate the data collection, storage, processing, and sharing practices of for-profit businesses doing business in California.
When it comes to a business' website, the following measures must be in place:
- A means to opt out of the sharing and sale of personal information
  Visitors must be provided with a mechanism that allows them to opt out of the sharing and sale of personal information to third parties.
  The wording must specifically be: "Do not sell or share my personal information"
- Honoring the GPC signal
  The GPC signal allows an individual to set their preferences once in a single browser so that participating websites can apply those privacy preferences automatically across the web. It is a mechanism for consumers who want a comprehensive option that broadly signals the consumer’s opt-out request, as opposed to going website by website to make individual requests, which would be time-consuming, burdensome, and confusing for some consumers.
  Cookiebot CMP actively monitors for the GPC signal and triggers an automated opt-out when the signal is enabled in a visitor's browser.
- Double opt-in
  Visitors must be given the option to opt in again manually after an initial opt-out, whether that opt-out was made by the visitor or triggered by the CMP honoring the GPC signal.
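The sketch below shows how a site could combine the GPC signal with a visitor's recorded choice so that a later manual opt-in remains possible. It is an added example and not Cookiebot's code: the `Sec-GPC` header and `navigator.globalPrivacyControl` come from the GPC specification rather than this page, and `resolveSaleSharing`, the `storedChoice` record and the precedence rules are assumptions.

```javascript
// Added example. resolveSaleSharing and the storedChoice record are
// hypothetical names; this is not how Cookiebot CMP is implemented.

// True when the request headers or the browser carry an enabled GPC signal.
function gpcEnabled(headers = {}, nav = {}) {
  // Header names are case-insensitive; "1" is the only enabled value.
  const entry = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === 'sec-gpc');
  const headerOn = entry !== undefined && String(entry[1]).trim() === '1';
  return headerOn || nav.globalPrivacyControl === true;
}

// storedChoice: null, or { optedIn: boolean, source: 'manual' | 'gpc' }.
// Returns the decision plus the record to persist for the next visit.
function resolveSaleSharing({ headers = {}, nav = {}, storedChoice = null } = {}) {
  // Assumption: a choice the visitor made by hand wins, which is what lets
  // them opt in again after a manual or GPC-triggered opt-out.
  if (storedChoice && storedChoice.source === 'manual') {
    const reason = storedChoice.optedIn ? 'manual-opt-in' : 'manual-opt-out';
    return { allowed: storedChoice.optedIn, reason, persist: storedChoice };
  }
  if (gpcEnabled(headers, nav)) {
    return { allowed: false, reason: 'gpc-opt-out',
             persist: { optedIn: false, source: 'gpc' } };
  }
  // Assumption: an earlier GPC opt-out stays in force until a manual opt-in.
  if (storedChoice && storedChoice.optedIn === false) {
    return { allowed: false, reason: 'stored-opt-out', persist: storedChoice };
  }
  // No signal and no recorded choice: the opt-out model allows by default.
  return { allowed: true, reason: 'default', persist: null };
}

// Constructed sample visits.
const visits = [
  { headers: { 'Sec-GPC': '1' } },
  { headers: { 'sec-gpc': '1' }, storedChoice: { optedIn: true, source: 'manual' } },
  { headers: {}, storedChoice: { optedIn: false, source: 'gpc' } },
  { headers: { 'Sec-GPC': '0' }, nav: {} },
];
for (const v of visits) console.log(resolveSaleSharing(v).reason);
```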
CPRA: a Cookiebot checklist
Setting up your Cookiebot CMP subscription for CCPA/CPRA compliance is easy.
Follow the steps below and you are all set.
First-time setup
If you are setting up Cookiebot for the first time, you can select the CCPA preset at the very first step in the lower left portion of the screen.
This will automatically configure the banner to comply with CCPA. You can still make some changes to suit your needs though.
Adding CCPA as an additional legislation
When adding CCPA as an additional legislation, you will need to create a separate domain group that is configured to comply with CCPA.
Follow the steps below to create the additional domain group.
- Add a new domain group.
  - If you only have a single domain group:
    - Select "Domains & Aliases" from the left-hand menu.
    - Click "Manage your domain groups".
  - If you already have multiple domain groups:
    - Click "Manage" at the top of the domain group section of the left-hand menu.
  - Click the "+ Create group" button.
- Name your new domain group "CCPA" and press the "Create group" button.
- Click the "Configure CMP" icon on the line with your new domain group.
- Click "Legislation presets" at the right side of the screen and select the CCPA preset.
- Click the "Save changes" button to save your domain group settings.
The display banner setting
The checkbox labeled "Display banner" determines whether a banner is displayed to a visitor to ask for consent.
Mark the checkbox if you would like the banner to be displayed and offer the "Do not sell or share my personal information" option to all new visitors (a CCPA requirement under some circumstances including when targeting visitors under the age of 16).
Displaying the banner gives the user a choice on whether tracking may take place.
If left unticked, the banner will not be displayed and visitors will not be asked for their consent. Tracking will automatically be enabled on your website.
Right to Restrict Sensitive Personal Information
You must provide a means of withdrawing consent for visitors so they can exercise their "Right to Restrict Sensitive Personal Information".
To do this, you can enable the Cookiebot CMP Privacy trigger, provide a link to withdraw consent, or point to your privacy policy (with the Cookiebot cookie declaration embedded), which offers a consent withdrawal option and provides the required information through our cookie declaration.
We recommend that you provide one or more withdrawal options as part of your standard template to allow your visitors to withdraw their consent from any page on your website.