General counsel will need to work closely with IT leadership to operationalize big changes to California’s Consumer Privacy Act (CCPA) by the start of next year.
Close cooperation between legal and IT is necessary because some of the most important requirements in the California Privacy Rights Act (CPRA), which was enacted in 2020 to strengthen CCPA consumer protections, specifically link compliance with website and app design.
“It’s a really interesting concept they’re driving at here,” David Stauss, an attorney with Husch Blackwell, said in a webcast. “They've essentially bundled the [enforcement] concepts with design aspects.”
Increased privacy focus
CCPA was enacted in 2018 following passage of the European Union’s sweeping General Data Protection Regulation (GDPR), which seeks to give consumers control over how organizations use personal information.
CPRA builds on CCPA by introducing a novel concept – sensitive personal information (PI) – and also by imposing new requirements around the sharing of data. The new law also takes aim at what some in the privacy field call dark patterns by requiring digital environments to stop using ambiguity as a tactic to discourage people from opting out of protections.
Although CCPA and CPRA protections apply only to California consumers, the infrastructure that organizations build to make their websites and apps compliant will be the same infrastructure any consumer interfaces with, no matter where they are. What’s more, other states, including Virginia, Connecticut and Colorado, are mandating their own privacy protections, making it difficult for organizations to operate digitally without following these states’ privacy laws.
Design considerations
CPRA’s attack on dark patterns is a key reason compliance and design are interwoven. The term refers in part to organizations’ efforts to manipulate consumer behavior by creating asymmetric navigation paths – paths that favor an organization’s use of personal data over the consumer’s preferences. An example is an organization sending consumers to its privacy policy rather than an opt-out button when consumers click a link to limit the use of their personal data. Although the opt-out button is included in the privacy policy, it’s left to consumers to scroll down until they find the link to click.
Another example is the way organizations tweak design to discourage consumer opt outs. For example, instead of giving consumers two identical choices – either to opt out or opt in – organizations give an asymmetrical choice – either to opt in or learn more about privacy. Only when they click on the “learn more” option are consumers given the opt-out choice.
“They’re looking to hold businesses accountable for designing ways to discourage users from exercising their rights,” Stauss said.
Sprinkled throughout CPRA are design requirements that organizations must follow, limiting the flexibility of IT leadership in making technical changes. There’s little flexibility, for example, on deciding how, where and what kind of links the organization uses to direct people to their privacy policy.
“For websites, the link needs to appear in a similar manner as other links that the business uses on its home page,” said Shelby Dolen, an attorney with Husch Blackwell. “For example, they must use the same font size and color as any of the other links.”
Data Sharing
To deepen protections, CPRA introduces a concept, sensitive PI, and builds on CCPA limits on the selling and sharing of data by adding a requirement that organizations confirm, on the website and in an app, that they’ve acted on a consumer’s opt-out choice. That means if a consumer clicks a button opting out of having their sensitive PI shared with a third party, the organization must respond with confirmation they acted on the request.
“This is stuff businesses are going to have to look at and say, ‘How do we operationalize these concepts?’” Stauss said.
Sensitive PI includes consumer driver’s license and Social Security numbers that organizations collect and store, typically as part of transactions.
What makes this technically difficult is that systems and processes must be in place, as part of the behind-the-scenes operational infrastructure that's needed for organizations to be able to confirm a request on a website or in an app.
For consumers who choose not to allow third-party data sharing, for example, the organization must be able to show, through a radio button or a toggle switch, that the request has been complied with. Behind the scenes, a process must be in place that automatically blocks off the consumer’s data from sharing while also pushing down the request to contractors, service providers and third parties.
Rights to know, delete and correct
Similar underlying technical changes are needed to comply with a CPRA requirement that organizations be able to correct sensitive PI and not just delete it at consumers’ request.
To comply, organizations must create a process for accepting and evaluating information that consumers provide showing that their stored data is incorrect and then for correcting it and confirming to the consumer that it’s been corrected. Organizations have 10 days to acknowledge receipt of the request and 45 days to address it.
Addressing it includes pushing the request down to service providers, contractors and third parties.
In cases where correcting the information isn’t practically feasible, or takes a disproportionate effort to correct it, organizations must let consumers know why it’s not feasible. They can also just delete the data as long as doing that wouldn’t negatively impact the consumer.
The option not to correct the data can’t simply be because of the difficulty of operationalizing a process to do it.
“A business that fails to put forth adequate processes to comply with consumer requests can’t then use this disproportionate effort claim,” Stauss said.
Rush for rules
Compounding challenges for complying with CPRA is a time crunch regulators are working under. The law creates the California Privacy Protection Agency, which is writing the rules fleshing out the new requirements.
Given time constraints the agency faces for soliciting and reviewing public comments on its drafts, there's little likelihood general counsel will have a finalized set of rules to work against until shortly before the end of the year, leaving little time to comply before CPRA takes effect in January 2023.
“The regulations probably won’t be ready before the fourth quarter of 2022,” Stauss said.
Although it’s not clear how much will change between now and then, the draft provides a look at the kind of operational changes general counsel and IT leadership will need to consider as they prepare.