Corporate Compliance Insights

Companies Get Partial CPRA Reprieve, But Don’t Break Out the Party Hats Yet

With enforcement delayed to March, companies have more time to get their policies in order

by Jason Patel
July 19, 2023
in Data Privacy

An 11th-hour court decision delayed some aspects of the California Privacy Rights Act by more than six months, but data privacy is still the law of the land in the Golden State and, increasingly, across the U.S. Jason Patel of CHEQ shares his insights into the evolving data privacy landscape.

Two and a half years after the law was first passed by voters, enforcement of the California Privacy Rights Act (CPRA) is finally here — or is it?

On the eve of the July 1 enforcement deadline for the CPRA, the Sacramento County Superior Court granted the California Chamber of Commerce’s request for an injunction and delayed enforcement of the CPRA regulations until March 29, 2024 — one year after the agency issued the final regulations.

The ruling gives businesses roughly seven months to bring their data protection programs into compliance with CPRA’s new regulations regarding data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns, and consumer request handling.

A partial reprieve

This may come as a welcome reprieve for businesses that haven’t finished (or begun) to implement new regulatory obligations but don’t start celebrating just yet. After all, enforcement of the California Consumer Privacy Act (CCPA) is still in effect, and new laws in Colorado and Connecticut took effect the same day CPRA was scheduled to go into effect. Businesses need to stay focused on building comprehensive compliance programs to deal with these regulations and future laws.

Further, the delayed enforcement ruling does not apply to the privacy rights statute itself or the amendments to the CCPA enacted via the Proposition 24 ballot initiative. As of July 1, 2023, the California Consumer Protection Agency (CPPA) can bring enforcement actions and filings against companies accused of violating the text of the CCPA, which went into effect in 2020. And this enforcement won’t be lenient — the act’s cure period provision, which previously allowed businesses 30 days to mitigate violations before being fined, has expired.

Instead, the California attorney general and the CPPA now have discretion on whether to offer a cure period, in consideration of an organization’s lack of intent to violate the law and any voluntary efforts to cure the alleged violation. That means that putting in a solid effort to comply with California’s privacy regulations could go a long way in preventing fines.


What enforcement patterns tell us about compliance issues

To determine the areas where businesses are falling behind in their CCPA compliance issues (and to get a preview of where they probably need the most help when it comes to CPRA compliance), we need to first examine the typical enforcement patterns of regulators across the globe.

So far, consumer rights — opt-out and right-to-know, in particular — have dominated enforcement of the CCPA, and a $1.3 million settlement with makeup retailer Sephora over consumer opt-out requests not being respected was the first public CCPA enforcement action.

This is unsurprising, given the highly visible nature of the privacy notices and consent banners used to fulfill these rights, and the relative ease of investigating them, compared to back-end data security and governance requirements.

Looking to Europe, we can also see that regulators enforcing the GDPR have taken a similar focus. Since the enactment of the GDPR in 2018, consent-related issues have resulted in over 495 fines.

Privacy notices: Table stakes for CPRA compliance

Privacy policies and notices have been a basic component of data privacy compliance since the introduction of the GDPR back in 2018, and yet, many businesses still miss the mark, or are simply missing the requirement altogether. To date, there have been 17 CCPA enforcement actions related to non-compliant privacy policies.

The text of the CCPA and CPRA is clear that businesses must provide a clear and accessible privacy notice that informs consumers of:

  • The categories of personal information collected about consumers and the purposes for which they are used.
  • The consumers’ rights regarding their personal information.
  • The process for consumers to make requests related to their data rights.
  • The categories of personal information that are sold or shared, as well as the categories of third parties with whom this information is shared.

The privacy policy must also include no less than two methods for submitting consumer rights requests. By addressing this requirement, businesses will have satisfied one of the most enforceable and visible provisions of the CPRA.

Technical considerations in implementing opt-out rights

The issue of compliance with the CPRA’s right to opt out is not so simple.

Under the CCPA, data subjects were granted the right to opt out of the sale of personal data. The CPRA has expanded that right to include the sharing of personal data. To facilitate this, businesses must provide “do not sell/share my personal data” buttons in a conspicuous and readily accessible place on their websites.

This may seem like a straightforward addition to the CCPA’s requirements — and from a regulator’s perspective, it is — but the requirement to limit data sharing can be difficult to implement without strong consent management, data governance and third-party management capabilities. That’s because when a consumer opts out of data sharing, businesses are responsible not only for what they do with customer data but also for what third-party partners may do with the data.

Even when a customer has not opted out of data sharing, businesses are responsible for their third-party partners and must ensure they are compliant with the CPRA. Any data shared with a party not listed on your privacy notice constitutes a violation of the law.

For example, if you host website ads from a third party, you must ensure they do not store customer data. The same requirement extends to services such as trackers, telemetry, online assistants and shopping carts. You will need to monitor and control all data flows with third parties, and you will be responsible for any data leakage.

To comply with these requirements, businesses need the capability to intake and document opt-outs, communicate them to third parties and unilaterally block data collection and processing — all capabilities that can be difficult to achieve without robust consent management tools.

The CPRA’s requirement to recognize opt-out preference signals, also known as universal opt-out methods, or global privacy controls, presents another technical challenge. These mechanisms allow consumers to express their privacy preferences, particularly their desire to opt out of the sale or sharing of their personal data, at a global or universal level to every website or app they interact with.

Opt-out preference signals are a relatively new standard. Current examples, such as the Global Privacy Control (GPC), work by communicating user preferences via HTTP headers or JavaScript properties in the user’s browser. Under the CPRA, even where a business posts a “Do Not Sell My Personal Information” link, it must still process opt-out preference signals.

To comply with this requirement, businesses must implement the ability to automatically recognize opt-out preference signals and automatically cease the sale or sharing of data.
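The following is an added example, not code from this article or from CHEQ, showing what recognizing an opt-out preference signal and acting on it looks like in practice: reading the GPC signal on the server (the `Sec-GPC: 1` request header) and in the browser (`navigator.globalPrivacyControl`), combining it with the visitor’s stored “do not sell/share” choice, blocking third-party tags that sell or share data, and producing the record needed to document the opt-out and notify vendors (the intake, documentation and blocking capabilities described in the opt-out section above). The function names, the tag catalogue and the record fields are assumptions made for illustration; only the header and navigator property come from the GPC specification.

```javascript
// Added example (not the article's or CHEQ's code): recognising the Global
// Privacy Control (GPC) opt-out preference signal and gating third-party
// tags on the result. GPC is carried by the HTTP request header "Sec-GPC: 1"
// and, in the browser, by navigator.globalPrivacyControl === true. Every
// other name here (functions, the tag catalogue, record fields) is assumed.

// Server side: read the signal from a request's header map. Header names are
// case-insensitive; only the exact value "1" means the visitor has opted out.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: read the same signal from the navigator object. A missing or
// non-boolean property means "no signal", never "opted in".
function gpcFromNavigator(nav) {
  return !!nav && nav.globalPrivacyControl === true;
}

// Combine the signal with the visitor's stored choice (for example from a
// "Do Not Sell or Share" link). The signal is treated as a valid opt-out
// request, so either source opting out yields an opt-out; nothing in this
// function can opt a visitor back in.
function resolveOptOut({ headers, nav, storedChoice }) {
  const signal = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const stored = storedChoice === 'opt-out';
  return {
    optedOut: signal || stored,
    source: signal ? 'gpc-signal' : stored ? 'stored-choice' : 'none',
  };
}

// Constructed tag catalogue (assumed): each third-party tag is classified in
// advance as to whether loading it sells or shares personal information.
const TAG_CATALOGUE = [
  { id: 'cart-widget', vendor: 'example-cart', sellsOrShares: false },
  { id: 'ad-pixel', vendor: 'example-ads', sellsOrShares: true },
  { id: 'cross-site-analytics', vendor: 'example-analytics', sellsOrShares: true },
  { id: 'error-telemetry', vendor: 'example-telemetry', sellsOrShares: false },
];

// Return only the tags allowed to load for this visitor. Tags that sell or
// share are blocked for an opted-out visitor; a tag with no classification is
// blocked for everyone, because an unclassified data flow cannot be shown to
// be compliant.
function tagsToLoad(catalogue, optedOut) {
  return catalogue.filter((tag) => {
    if (typeof tag.sellsOrShares !== 'boolean') return false;
    return !(optedOut && tag.sellsOrShares);
  });
}

// Build the record that documents the opt-out and lists the vendors that must
// be told to stop selling or sharing. The clock is injected so the record is
// reproducible in tests; returns null when there is nothing to document.
function buildOptOutRecord(visitorId, resolution, catalogue, now) {
  if (!resolution.optedOut) return null;
  const vendors = [...new Set(
    catalogue.filter((t) => t.sellsOrShares === true).map((t) => t.vendor),
  )];
  return {
    visitorId,
    source: resolution.source,
    receivedAt: now.toISOString(),
    notifyVendors: vendors,
  };
}

// Stand-alone run with constructed inputs.
if (typeof require !== 'undefined' && require.main === module) {
  const visitor = {
    headers: { 'Sec-GPC': '1', 'user-agent': 'constructed/1.0' },
    nav: undefined,
    storedChoice: 'none',
  };
  const res = resolveOptOut(visitor);
  console.log(res);
  console.log(tagsToLoad(TAG_CATALOGUE, res.optedOut).map((t) => t.id));
  console.log(buildOptOutRecord('visitor-0001', res, TAG_CATALOGUE, new Date(0)));
}
```

Two design choices matter here. First, the resolution is one-directional: a signal or a stored opt-out always produces an opt-out, so no page logic can quietly re-enable sharing. Second, the gate fails closed: a tag that has not been classified as selling or sharing is not loaded at all, which is the only way to keep the promise that nothing flows to a party not listed in the privacy notice.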

California legislators have already taken significant action on this matter. In July 2022, California Attorney General Rob Bonta publicly endorsed the GPC specification, sending letters to several companies highlighting the CCPA requirement to honor the signal. A month later, he announced the $1.2 million settlement with Sephora, saying the company had failed to disclose the sale of personal information, did not provide an opt-out method, did not respect privacy signals and failed to confirm that third-party vendors and data processors were CCPA compliant.

Beyond CPRA: An evolving compliance landscape

While the U.S. still lacks a federal consumer data privacy law, legislators across the country are enacting them. We know California’s didn’t go into effect as planned in July 2023, but measures in Colorado and Connecticut did, and more are on the way — in 2024, privacy laws will go into effect in Montana, Tennessee and Texas.

These laws, while similar in many ways, each have their own requirements that make the task of managing consent across jurisdictions even more complicated. For national and regional businesses, this creates a difficult situation. They must either play by the toughest rules necessary to ensure broad compliance, or they must adopt technical measures, such as consent management and data governance platforms, to allow a granular, state-by-state compliance approach.

From an organizational perspective, it’s essential to stay alert and current. Privacy laws are continuously changing, with new rules and modifications emerging frequently. Businesses are required to monitor these developments closely and adjust their practices of managing consent in line with the changes.

Ultimately, understanding the complex web of worldwide privacy laws isn’t just about grasping the regulations. It also involves possessing the appropriate resources to implement these rules, along with the dedication to remain informed about the constant shifts in the data privacy law environment.


Jason Patel is associate vice president of engineering & tech innovation at CHEQ, where he leads the privacy product and engineering teams.

Related Posts

todd snyder runway show scarf

Lessons Learned: Todd Snyder CCPA Enforcement Action

by Richart Ruddie
May 29, 2025

Third-party risk, overcollection of data and lax training all cited by California data privacy enforcer

federal trade commission building

[Q&A] Big Tech & Free Speech Under the Microscope: FTC’s New Direction

by FTI Consulting
April 28, 2025

What compliance teams need to know about the changing approach to consumer protection and data privacy

data governance concept

The US Still Lacks Its Own GDPR, But That Doesn’t Mean Data Privacy Enforcement Isn’t Happening

by Brian McGinnis and Maddie San Jose
April 16, 2025

Despite the absence of comprehensive federal privacy legislation, American businesses face mounting regulatory pressure from multiple directions. Brian McGinnis and...

origami tiger

Paper Tigers Won’t Protect You: The Reality of Effective NIS2 Compliance

by Hans Kayaert
March 24, 2025

Why Belgium's early adoption model could prevent another round of ‘compliance theater’ across Europe

Next Post
Hands holding dirt

The Congo: Cobalt & Your Supply Chain Risks

No Result
View All Result

Privacy Policy | AI Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Research
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2025 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT
No Result
View All Result
  • Home
  • About
    • About CCI
    • CCI Magazine
    • Writing for CCI
    • Career Connection
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Library
    • Download Whitepapers & Reports
    • Download eBooks
    • New: Living Your Best Compliance Life by Mary Shirley
    • New: Ethics and Compliance for Humans by Adam Balfour
    • 2021: Raise Your Game, Not Your Voice by Lentini-Walker & Tschida
    • CCI Press & Compliance Bookshelf
  • Podcasts
    • Great Women in Compliance
    • Unless: The Podcast (Hemma Lomax)
  • Research
  • Webinars
  • Events
  • Subscribe

© 2025 Corporate Compliance Insights