What do you need to know about the changes in the new, new, new, new, new CPRA Regs?
- Your good faith efforts to comply count.
- Data minimization (reasonably necessary and proportionate) for the win, in almost any context.
- The processing of information has to be reasonably necessary and proportionate to achieve the purpose. Even if you get consent for a new/incompatible purpose, that use itself still needs to be reasonably necessary and proportionate to achieve the (new) purpose. This is similar to GDPR.
- In the context of dark patterns (deceptive design), the business's intent to subvert or impair choice has been deleted as an official factor in assessing whether a design qualifies as a dark pattern.
- You can use information provided by the consumer in the context of an opt-out request for that purpose only.
- You can give the consumer the option to provide information that identifies the consumer so that the request to opt-out of sale/sharing can apply to offline sale or sharing of personal information. However, if the consumer does not respond, you still need to process the opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or device and any consumer profile the business associates with that browser or device, including pseudonymous profiles.
- The regs clarify that opt-out requests apply to any consumer profile the business associates with that browser or device.
Right to Limit:
- The purposes that are exceptions to the right to limit apply only to uses or disclosures that are reasonably necessary and proportionate for those purposes.
- As part of the agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the agency may consider all facts it determines to be relevant, including:
  - the amount of time between the effective date of the statutory or regulatory requirement(s) and the alleged violation(s) of those requirements.
  - the good faith efforts to comply with those requirements.