What do you need to know about the changes in the new, new, new, new, new CPRA Regs?

  1. Your good faith efforts to comply count.
  2. Data minimization (reasonably necessary and proportionate) for the win, in almost any context.

Processing

  • The processing of information has to be reasonably necessary and proportionate to achieve the purpose. Even if you get consent for a new/incompatible purpose, that use itself still needs to be reasonably necessary and proportionate to achieve the (new) purpose. This is similar to GDPR.
  • In the context of dark patterns (deceptive design), the business's intent to subvert or impair choice has been deleted as an official factor in assessing whether or not a design qualifies as a dark pattern.

Opt-Out Requests

  • You can use information provided by the consumer in the context of an opt-out request for that purpose only.
  • You can give the consumer the option to provide identifying information so that the request to opt out of sale/sharing can also apply to offline sale or sharing of personal information. However, if the consumer does not respond, you still need to process the opt-out preference signal as a valid request to opt out of sale/sharing for that browser or device and any consumer profile the business associates with that browser or device, including pseudonymous profiles.
  • The regs clarify that opt-out requests apply to any consumer profile the business associates with that browser or device.

Right to Limit

  • The purposes that are exceptions to the right to limit apply only to uses or disclosures that are reasonably necessary and proportionate for those purposes.

CPPA Authority

  • As part of the agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the agency may consider all facts it determines to be relevant, including:
    • the amount of time between the effective date of the statutory or regulatory requirement(s) and the alleged violation(s) of those requirements.
    • the good faith efforts to comply with those requirements.