The California Privacy Protection Agency (CPPA) recently issued a $1.35 million fine against a California business for privacy law violations. The agency also imposed a detailed multi-year compliance plan on the business.
These are some takeaways we are discussing with clients:
“Do Not Sell” Also Means Cookies
- Third-party cookies and other third-party trackers transmit personal information to the tracker's operator, and that transfer can constitute a sale.
- Your “do not sell” process therefore needs to give users an efficient way to opt out of sharing through these mechanisms too, not only through a webform.
- If your “do not sell” webform does NOT stop sharing through trackers, you need to make that clear to users. Not doing so may be misleading.
GPC Is a Must
- You must support browser-based opt-out preference signals such as Global Privacy Control (GPC), and your privacy notice must explain how you process them.
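The two points above (cookies and other trackers as a form of sale, and honoring the GPC signal) come together at the point where a site decides whether to load third-party trackers at all. The following is an added example, not code from the original article or from the agency; it gates tracker injection on the GPC signal and on the site's own opt-out. It assumes the site records a "do not sell" opt-out in a first-party cookie named `dns_optout` (a hypothetical name) and uses constructed placeholder tracker URLs; the GPC signal itself is read from the standard `navigator.globalPrivacyControl` property client-side and the `Sec-GPC: 1` request header server-side.

```javascript
// Added example, not from the original article. Decide whether third-party
// trackers that sell or share personal information may be loaded for a visitor,
// honouring both the browser's Global Privacy Control (GPC) signal and the
// site's own "do not sell" opt-out.
// Assumptions (not stated on the page): the opt-out is stored in a first-party
// cookie "dns_optout" with value "1"; TRACKER_SCRIPTS are constructed placeholders.

const TRACKER_SCRIPTS = [
  "https://tracker.example/pixel.js", // constructed placeholder URL
  "https://ads.example/tag.js",       // constructed placeholder URL
];

// Parse a Cookie request header (or document.cookie) into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  if (!cookieString) return out;
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// GPC is exposed client-side as navigator.globalPrivacyControl === true and
// server-side as the request header "Sec-GPC: 1". Either one is a valid opt-out,
// so check whichever inputs the caller has (browser code passes navigator,
// server middleware passes the request headers).
function hasGpcSignal({ navigatorObj = null, headers = {} } = {}) {
  if (navigatorObj && navigatorObj.globalPrivacyControl === true) return true;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc" && String(value).trim() === "1") return true;
  }
  return false;
}

// Combine the GPC signal with the site's own opt-out cookie. A GPC signal must
// be treated like a submitted "do not sell" request, so either source blocks.
function trackerPolicy({ navigatorObj = null, headers = {}, cookieString = "" } = {}) {
  const gpc = hasGpcSignal({ navigatorObj, headers });
  const siteOptOut = parseCookies(cookieString).dns_optout === "1"; // hypothetical cookie
  const allow = !(gpc || siteOptOut);
  return {
    allowThirdPartyTrackers: allow,
    reason: gpc ? "gpc-signal" : siteOptOut ? "site-opt-out" : "no-opt-out",
  };
}

// Client-side use: inject tracker <script> tags only when the policy allows it.
// Returns the URLs actually injected so the caller can log or audit the decision.
function loadTrackers(doc, policy) {
  if (!policy.allowThirdPartyTrackers) return [];
  const injected = [];
  for (const src of TRACKER_SCRIPTS) {
    const script = doc.createElement("script");
    script.src = src;
    script.async = true;
    doc.head.appendChild(script);
    injected.push(src);
  }
  return injected;
}

// In a real page this would run at load time:
// loadTrackers(document, trackerPolicy({ navigatorObj: navigator, cookieString: document.cookie }));
```

The check is deliberately placed before any tracker script is added to the DOM: once a third-party script has executed, the data has already left, so a consent banner that loads trackers first and asks later does not satisfy the opt-out. The same `trackerPolicy` function can run in server-side middleware on the `Sec-GPC` header to decide whether to emit the tracker tags in the rendered HTML at all.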
A Compliant DPA Is a Must
- If you share personal information with third parties, you must enter into a compliant Data Processing Agreement (DPA) with each of them that addresses this sharing. The DPA must contain all the provisions required under the California Consumer Privacy Act (CCPA).
Your Privacy Notice Must Be Compliant Too
- Your privacy notice must be CCPA compliant. This means it has to:
  - Disclose the categories of personal information the business collected in the preceding 12 months.
  - Contain affirmative statements of whether the business sold, shared, or disclosed personal information over the preceding 12 months.
  - Identify the categories of recipients to whom personal information was sold, shared, or disclosed, and the specific business purpose for which it was sold, shared, or disclosed.
  - Inform people of their rights and how to exercise them.
Don't Neglect Your Applicant Notice
- If you have California-based job applicants, you need a California-compliant applicant privacy notice.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.