What Should We Do About the Draft CPRA Regulations?: Choice

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP

In this second post in our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on issues surrounding consumer choice:

  • Dark patterns. Businesses are provided a set of principles to follow in how they allow consumers to submit requests and obtain consent where required. A violation of these principles could be considered a “dark pattern” under the draft regulations and as such, would not constitute valid consent. The inclusion of “dark patterns” follows other regulators’ concerns about the practice, including the FTC. (More information about dark patterns is included in this post.)
  • Opt-out links. The draft regulations permit businesses to offer a single opt-out link instead of both a “Do Not Sell or Share My Personal Information” and a separate “Limit the Use of My Sensitive Personal Information” link. The so-called “alternative opt-out link” may be titled either “Your Privacy Choices” or “Your California Privacy Choices,” and must be accompanied by a specific opt-out icon to the right or left of the link.
    • Unlike the statute, the proposed CPRA regulations arguably suggest that honoring opt-out preference signals are mandatory. This despite global opt-out signals being optional in the CPRA. As proposed, an opt-out preference signal would be sent by a platform, technology, or mechanism on behalf of a consumer. The point is to signal a consumer’s choice to opt-out of the sale and sharing of personal information with all businesses they interact with online instead of making individualized requests with each business. There are no technical specifications for these signals in the draft regulations. The requirements for handling of signals is likely to be subject to much debate and receive significant commentary during the public comment period
  • Right to limit use and disclosure of sensitive personal information. Businesses that collect sensitive personal information must, under the draft regulations, provide consumers a right to limit such use. This may be done through an interactive form accessible via a “Limit the Use of My Sensitive Personal Information” link, an alternative opt-out link, or the privacy policy. A business has 15 days to comply with the request, including notifying service providers, contractors, and third parties. There are instances where a business may use or disclose sensitive personal information without offering a right to limit the use.

Putting it into practice. Companies can review the draft regulations to understand expectations around consent (and how to avoid processes that could be viewed as a dark pattern). They can also begin thinking about how they will handle requirements around opt-out links and preference signals.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.