August 9, 2022

Volume XII, Number 221


August 08, 2022


What Should We Do About the Draft CPRA Regulations?: Choice

In this second post in our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on issues surrounding consumer choice:

  • Dark patterns. Businesses are provided a set of principles to follow in how they allow consumers to submit requests and obtain consent where required. A violation of these principles could be considered a “dark pattern” under the draft regulations and as such, would not constitute valid consent. The inclusion of “dark patterns” follows other regulators’ concerns about the practice, including the FTC. (More information about dark patterns is included in this post.)

  • Opt-out links. The draft regulations permit businesses to offer a single opt-out link instead of both a “Do Not Sell or Share My Personal Information” and a separate “Limit the Use of My Sensitive Personal Information” link. The so-called “alternative opt-out link” may be titled either “Your Privacy Choices” or “Your California Privacy Choices,” and must be accompanied by a specific opt-out icon to the right or left of the link.

    • Unlike the statute, the proposed CPRA regulations arguably suggest that honoring opt-out preference signals is mandatory. This is despite global opt-out signals being optional in the CPRA. As proposed, an opt-out preference signal would be sent by a platform, technology, or mechanism on behalf of a consumer. The point is to signal a consumer’s choice to opt out of the sale and sharing of personal information with all businesses they interact with online instead of making individualized requests with each business. There are no technical specifications for these signals in the draft regulations. The requirements for handling signals are likely to be subject to much debate and receive significant commentary during the public comment period.

  • Right to limit use and disclosure of sensitive personal information. Businesses that collect sensitive personal information must, under the draft regulations, provide consumers a right to limit such use. This may be done through an interactive form accessible via a “Limit the Use of My Sensitive Personal Information” link, an alternative opt-out link, or the privacy policy. A business has 15 days to comply with the request, including notifying service providers, contractors, and third parties. There are instances where a business may use or disclose sensitive personal information without offering a right to limit the use.

Putting it into practice. Companies can review the draft regulations to understand expectations around consent (and how to avoid processes that could be viewed as a dark pattern). They can also begin thinking about how they will handle requirements around opt-out links and preference signals.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 179

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335