California Privacy Rights Act (CPRA) – what, when and consequences for your website?
The California Privacy Rights Act (CPRA) is a new state-wide data privacy bill passed into law on November 3, 2020.
It underscores California’s position as the US frontier in data privacy legislation, as it significantly expands upon the existing California Consumer Privacy Act (CCPA) that took effect on January 1, 2020.
In short, the California Privacy Rights Act (CPRA) works as an addendum to the CCPA – strengthening rights of California residents, tightening business regulations on the use of personal information (PI), and establishing a new government agency for state-wide data privacy enforcement called the California Privacy Protection Agency (CPPA), among key changes to the Golden State’s data privacy regime.
The California Privacy Rights Act (CPRA) goes fully into effect on January 1, 2023. Enforcement is scheduled to begin on July 1, 2023 – with a so-called lookback period to January 1, 2022, meaning data collected from that date onward is subject to compliance.
CPRA requirements for CMPs
The CPRA is meant to generally regulate the data collection, storage, processing, and sharing practices of for-profit businesses doing business in California.
When it comes to a business' website, the following measures must be in place:
- A means to opt out of the sharing and sale of personal information
Visitors must be provided with a mechanism that allows them to opt out of the sharing and sale of personal information to third parties.
The wording must specifically be: "Do not sell or share my personal information"
- Honoring the GPC signal
The GPC (Global Privacy Control) signal lets an individual set their privacy preference once, in their browser, so that participating websites can apply that preference automatically. It is a mechanism for consumers who want a comprehensive option that broadly signals their opt-out request, as opposed to going website by website to make individual requests, which would be time-consuming, burdensome, and confusing for some consumers.
Cookiebot CMP actively monitors for the GPC signal and triggers an automated opt-out when the signal is enabled in a visitor's browser.
- Double opt-in
Visitors must be given the option to opt in again manually after an initial opt-out, whether that opt-out was made by the visitor or applied by the CMP honoring the GPC signal.
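The GPC and double opt-in behaviour described above can be expressed as one decision function. This is an added example, not Cookiebot's code: the function names and the stored-record shape are hypothetical, the `Sec-GPC` header and `navigator.globalPrivacyControl` come from the GPC proposal rather than from this page, and an opt-out default is assumed when there is no signal and no recorded choice.

```javascript
// Added example, not Cookiebot's code; all names are hypothetical.

// The GPC proposal sends the request header "Sec-GPC: 1" (browsers also
// expose navigator.globalPrivacyControl). Only the value "1" is a signal.
function gpcEnabled(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// stored: last recorded choice for this visitor, or null if none:
//   { choice: "opt-in" | "opt-out", source: "manual" | "gpc" }
function resolveSaleAndSharing(headers, stored) {
  // A manual choice always wins. A manual opt-in made after an opt-out
  // is the "double opt-in" case and is kept even while GPC is on.
  if (stored && stored.source === "manual") {
    return { allowed: stored.choice === "opt-in", record: stored };
  }
  // No manual choice: GPC triggers an automated opt-out, recorded as such
  // so a later manual opt-in can be told apart from it.
  if (gpcEnabled(headers)) {
    return { allowed: false, record: { choice: "opt-out", source: "gpc" } };
  }
  // An earlier automated opt-out stays in force if the signal disappears.
  if (stored && stored.choice === "opt-out") {
    return { allowed: false, record: stored };
  }
  // Assumption: opt-out model, so no signal and no choice means not opted out.
  return { allowed: true, record: null };
}

// Called when the visitor uses the banner or a withdrawal link.
function recordManualChoice(choice) {
  if (choice !== "opt-in" && choice !== "opt-out") {
    throw new Error("unknown choice: " + choice);
  }
  return { choice, source: "manual" };
}

// Constructed sample requests.
const withGpc = { "Sec-GPC": "1", "User-Agent": "example" };
const withoutGpc = { "User-Agent": "example" };
const first = resolveSaleAndSharing(withGpc, null); // automated opt-out
const reopted = resolveSaleAndSharing(withGpc, recordManualChoice("opt-in"));
console.log(first.allowed, reopted.allowed);
```

Recording the source of each opt-out is what lets an audit distinguish a signal-driven opt-out from a visitor's own choice.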
CPRA: a Cookiebot checklist
Setting up your Cookiebot CMP subscription for CCPA/CPRA compliance is easy.
Follow the steps below and you are all set.
Step 1: Add your domain
- Log into the Cookiebot Manager and navigate to the Domains tab.
- Enter the domain name (excluding the "https://" part, for example: domain.com).
Step 2: Configure your banner type
- Navigate to the Dialog pane
- Select the "Do Not Sell (Opt-in)" banner type in the dropdown menu labeled "Type"
This provides the "Right to opt-out" in the initial consent submission. Furthermore, it makes provision for the "Right to opt-out of automated decision making" and allows a visitor to opt in after an initial (automated) opt-out.*
*This is referred to as "Double opt-in".
The display banner setting
The checkbox labeled "Display banner" determines whether a banner is displayed to ask for consent.
Mark the checkbox if you would like the banner to display and offer the "Do not sell or share my personal information" option to all new visitors (a CCPA requirement under some circumstances, including when targeting visitors under the age of 16).
Displaying the banner gives the user a choice on whether tracking may take place.
If left unticked, the banner will not be displayed and visitors will not be asked for their consent. Tracking will automatically be enabled on your website.
You must provide a means of withdrawing consent for visitors so they can exercise their "Right to Restrict Sensitive Personal Information".
We recommend that you provide one or more withdrawal options as part of your standard template, so that your visitors can withdraw their consent from any page on your website.
Geo location settings (optional)
If you wish to only display a banner to visitors in California, you can do so by configuring "Distribution" at the bottom of the page: