close
close
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
close
Ditch the manual workflows and spreadsheets
Reduce the staff required to process consumer privacy requests down to 1 person.
See retail solution
request manager icon
close
Replace OneTrust
Reduce risk and build customer trust in less time, with less effort, and at a fraction of the cost of OneTrust.
Compare to OneTrust
request manager icon
View other resources
header image

CCPA to CPRA and the Role of CPRA Regulations

The CCPA did not explicitly mention user-initiated opt-out signals. The CPRA, effective Jan 1, 2023, fills this gap.

  • §1798.135 of the CPRA provides businesses with the option of recognizing an opt-out preference signal as a way to honor consumer requests to “opt out of the sale or sharing of personal information and to limit the use of sensitive personal information.”
  • This is discretionary, but If a business elects to recognize an opt-out signal, it does not have to provide opt-out links on its internet homepage. However, the business would still need to disclose in its privacy policy that it recognizes such signals.
  • The statute further clarifies that an opt-out signal must be sent “with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications set forth in regulations adopted” by the California Privacy Protection Agency (“CPPA”).

The CPPA’s regulations implementing the CPRA provide comprehensive guidelines for honoring user-initiated opt-out preference signals.

  • Rules confirm that OOPS should be honored in addition to other other valid opt-out mechanisms.
  • Rules also introduce the concept of “frictionless” opt-outs, and clarify how a business may resolve conflicts with previously recorded privacy choices.

No-Code, Bannerless Solution

At DataGrail, we love no-code solutions which can be implemented very quickly by your teams so they can get back to helping your business grow. As such, we’ve identified an elegant solution to comply with GPC signals which your marketing teams can implement today with a tool they’re likely already using.

  • This solution is best for supporting Do Not Sell or Share compliance obligations in California, and analogous obligations in Virginia, Colorado and Connecticut, when browser /device-level data is “sold” or ”shared” for ad targeting and related digital uses. ¹
  • The solution can be readily paired with opt-out request intake forms that cover offline and electronic marketing data “sales” driving direct marketing, offline to online data matching, and related uses. ²

We believe it’s also the most ethical way to conduct business, as you can respect US consumers’ ‘set-it-once-and-forget-it’ privacy preferences.

¹ https://www.eff.org/issues/online-behavioral-tracking

² https://www.acxiom.com/how-we-can-help/unify-offline-and-digital-data/; https://oag.ca.gov/news/press-releases/data-privacy-day-attorney-general-bonta-putsbusinesses-operating-loyalty

³ For more information see https://moz.com/blog/an-introduction-to-google-tag-manager

continue reading