How to Make Your Website CPRA Compliant

The General Data Protection Regulation wasn't the only sweeping privacy regime signed into law in 2018. That same year, the California Consumer Privacy Act (CCPA) was set in motion, which went live in 2020 and will soon be replaced by the California Privacy Rights Act (CPRA).

The CPRA (aka, CCPA 2.0) expands red tape directives and gives enforcement watchdogs more teeth to protect information privacy rights worldwide. 

If you’re unable to maintain CPRA compliance by 2022 and your organization falls victim to a data breach, you’ll suffer devastating blows financially, and your reputation as a trusted collective-action organization come 2023. Bypassing the scourge of CPRA violations requires a transparent privacy culture with robust information security programs.

Here, we’ll run through a point-by-point checklist to get your association website fully compliant with the new California privacy law as well as the GDPR and other regulatory developments. We’ll also walk through how you can roll out a solid digital governance plan to remove barriers, improve trust, and achieve sustainable membership growth.

Let's get started!

What is CPRA compliance?

The CPRA expands and overhauls the preexisting California privacy act under CCPA. The new CPRA empowers individuals around the world with groundbreaking autonomy over personal information, such as the right to prohibit public disclosure of private facts and the right to correct and fully control individual data.

CPRA goes into effect on January 1, 2023. Enforcement will start on July 1, 2023 and apply to all personal information collected on or after January 1, 2022.

In other words, CPRA encompasses data that isn’t specific to an individual but could be indirectly tied back. Such “extra-personal” information is categorized as “household data.”

It’s far-reaching, extraterritorial legal power extends to a panoply of data processing and management applications that transcends boundaries.

New or expanded rights under the CPRA

Under the new California privacy law, your web users and CPRA consumers have additional rights not included under the CCPA. New CPRA provisions include the right to:

• Limit personal information collection, retention, disclosure, and use.
• Consent to or opt-out of having personal information disclosed to third parties.
• Access, alter, correct, and delete information.
• Restrict access to precise geolocation and “sensitive personal information”.
• Know all data collected, sold, and shared, to whom and for what purpose.
• Know the length of time information is retained.
• Know the categories of third parties.
• Equal treatment (i.e. prevent retaliation for exercising privacy rights).
• Opt-out of or request information about automated decision-making (profiling), cross-context behavioral advertising, and their results.

New or expanded obligations for CPRA Compliance

• You can’t use or collect personal information for a different purpose without notice.
• Minimize unnecessary storage and use of personal information.
• Detail how data is shared, sold, and/or disclosed in third-party contractual agreements.
• Conduct and submit annual cybersecurity audits and risk assessments for high-risk scenarios affecting individual privacy and security.

How to Make Your Website CPRA Compliant

If you gather information or use tracking cookies in any way on your website, it’s time to become compliant with, and an advocate of, information privacy rights. Here’s how:

Step 1: Map the personal information you collect

Map out the types of personal information and sensitive personal information (if any) your organization and any third-party vendors are processing or holding on your behalf. During this data-mapping exercise, consider:

• With whom you share or sell information.
• All personal information that you, your vendors, and their partners collect.
• Where data is collected and stored.
• Map where third-party tags are firing from, especially those with whom you don’t have direct contractual relationships.

Step 2: Analyze all profiling and tracking activities

Analyze the different visitor profiling or tracking activities conducted on your sites.

• Consider the purpose of each collected, shared, and/or sold dataset, including why your vendors and their partners are collecting this personal information.
• Assess how data is collected, saved, and stored in your database, and how all third parties handle the data.
• Evaluate the levels of data sensitivity for each collection activity.
• Rank associated risks.
• For each data collection activity, record the information collected, the reason for the collection, your intention to share or sell each type of personal information.

Step 3: Fine-tune your privacy disclosure notice

Create a comprehensive disclosure notice and commit to updating it annually. Include the following in your notice:

• Information privacy rights.
• The categories, specific pieces, purposes, and volume of data collected.
• Where and how that personal information is collected.
• The types of third parties to whom you share or sell that information.
• Collection, processing, and disclosure of “sensitive personal information”
• Length of data retention (or, at least, the criteria that will determine that retention period and when this duration will be disclosed).

Step 4: Update your consent and disclosure processes

Revisit and implement all privacy rights processes and mechanisms on your site, mobile apps, and privacy policy. 

• Your home page and privacy policy must also have a visibly noticeable button or link that clearly says - “Do Not Sell My Personal Information” so users can easily and swiftly opt out.
• Increase use of opt-out forms and the Global Privacy Control browser add-on to simplify opt-out processes for CPRA and GDPR.
• Post your newly updated, comprehensive disclosure notice in an accessible, visible public location, such as within your privacy policy page, to comply with both CPRA and GDPR.
• Fine tune your disclosure notices at or before each point of collection. Include a clear, conspicuous link to your newly updated privacy policy.
• CPRA requires affirmative consent for specific use cases, but to be in good standing with the GDPR, it’s best to obtain consent for all data processing activities.
• Allow consumers to control which third-party tags are allowed to execute based on their consent.

Step 5: Create a rights request channel and process

Establish a channel and online platform for users to submit personal information requests, as well as a process to fulfill them.

• Ensure all collected data is easily accessible and manageable at all times.
• Consider making your data request responses publicly viewable.
• Ensure you’re prepared to respond in-depth to questions about how you collect, use, and share personal information.
• You must be willing to disclose what data you have collected and allow users to update or alter their information.
• You must delete any and all personal information when requested and notify all third parties to whom you have sold or shared that data with to delete the information as well.

How do I become CCPA/CPRA and GDPR compliant?

Whether you’re selling personal information or not, the consensus is that all websites that collect data or use cookie tracking should adhere to the stricter GDPR standards. 

General Data Protection Regulation (GDPR) requires your website to inform web users right away if you’re using cookies or trackers in any way (e.g. Google Analytics). You must also obtain prior consent and have a legal basis for all data processing activities. Under the CCPA/CPRA, web users need to be able to opt out of data disclosure, not tracking overall.

So what happens if you’re collecting data of members or web visitors in California or the EU?

Cybersecurity attorneys, data innovation groups, and digital think tanks agree that complying with GDPR ASAP and maintaining these stringent standards is the solution – practically, economically, and ethically. Policy institutes and digital transformation masterminds across the web support this integrated compliance solution as well.

There are also software services with (consent-approved) geo-targeting and automation tools to enable multiple, up-to-date website experiences in compliance with the appropriate rule-making authority/authorities.

If granted consent, you can also use automated geo tracking to show visitors in the EU a GDPR-compliant cookie banner and Californians a CPRA/CCPA-compliant declaration to further tailor their experience.

Given the cost and insensibility of maintaining multiple policies, you should also develop a transparent IT and digital governance plan to establish your organization’s privacy culture.

Compliance through digital governance

Regardless of exact procedures you choose, you should establish a robust digital governance framework. Then add it publicly on your website so it’s easily accessible and visible.

Your digital/IT governance plan should:

• Represent your organization’s privacy culture.
• Support your larger organizational strategy and overarching direction.
• Prioritize clarity, upfront transparency, and clear visibility.
• Align your information technology (IT) processes, technology, and people.
• Integrate end-to-end operating rules and internal maintenance systems.
• Include data security practices and regular compliance checks.
• Detail how you will enhance control over and involvement in personal information.
• Have a clear structure and flow that’s easy to read and understand.

You may even incorporate your digital/IT governance processes and practices within your privacy policy page, unless it creates an overwhelming user experience.

If the amount of personal data you collect reaches a certain threshold, you may also want to appoint a dedicated point person to oversee your compliance practices and the integrity and continuous improvement of your digital governance processes and procedures.

California Privacy Rights Act FAQs

1. What is the difference between CCPA and CPRA?

The landmark California Privacy Rights Act closes potential loopholes in the California Consumer Privacy Act, and in many ways, brings the multidimensional California privacy law closer to the stricter GDPR standard.

The CCPA was signed into law in 2018 and became effective on January 1, 2020. Enforcement began shortly after on July 1, 2020, and further CCPA regulations and modifications were issued that same year.

The CPRA is a ballot proposition approved on November 3, 2020. The CPRA will replace the CCPA in 2023, but when the clocks strike twelve in 2022, personal information practices will fold under the expanded CPRA standards.

The CPRA adds new protections and stricter obligations than CCPA. For example, the CCPA established the right to know and delete personal information. CPRA provides the right to correct this information, as well. There’s also new policies related to data minimization as well as streamlined data portability privileges for information transfers.

The CPRA expands breach liability and private right of action, as well. For instance, it covers breaches that provide unauthorized access to an email address and password or security question. There are also triple fines for violations of minor’s data, as well as increased penalties for intentional non-compliance, whether or not a data breach occurs.

2. What are the CPRA consent requirements?

CPRA extends and clarifies the use cases for which consent is required. Consent is newly defined as "freely given, specific, informed and unambiguous indication.” 

Given the new affirmative consent standard, you may need to implement consent mechanisms on your website, mobile apps, and privacy policy for the following use cases:

• Sale or sharing of personal information after prior opt out.
• Sale or sharing of personal information of minors.
• Participation in a financial incentive program.
• Use or disclosure of “sensitive personal information”.
• Research exemption

3. Who needs to comply with CPRA?

Due to its low triggering mechanism, the CPRA applies to for-profit businesses, regardless of physical location, doing business in the US. There are three ways an organization could be defined as a “business” under CPRA:

1. annual gross revenue over $25 million;
2. buying, selling, or sharing the personal information of at least 100,000 consumers or households; or
3. deriving 50% or more of annual revenues from selling or sharing California residents’ personal information. This third threshold isn’t tied to business size or data processing volume, so it includes a substantial number of small and medium-sized businesses.

4. Does CPRA apply to nonprofits?

Nonprofits are currently exempt from the CCPA and CPRA as of now, however, there is growing expectation that nonprofits must respect user data when requested, especially with evolving regulations around the world and data privacy concerns gaining steam.

Whether “exempt” or not, your organization should also be aware of the policies and practices of all vendors, providers, and agencies.

When CCPA 2.0 becomes operative, we can expect greater clarity on the party directly or indirectly responsible for managing user requests, which should be detailed in vendor contracts and service agreements.

5. What is the impact of CPRA on associations?

Essentially, if and you have more than $25M in annual revenue, and your professional association collects information on behaviors, engagements, and preferences of your members, constituents, partners, donors, patrons, event attendees, exhibitors, sponsors, newsletter subscribers, customers, or web visitors, then you must become and maintain CCPA/CPRA compliance.

Beyond your website or digital experience platform (CMS vs. DXP), any software system, application, or tool that collects information on members, nonmembers, and any user of that system, then that system must also become compliant and maintain that standing.

This may include your AMS/CRM, LMS, community site, trade show site, scholarly publishing site, and beyond.

6. What is the risk of non-compliance?

Failure to maintain compliance can result in fines up to $2,500 for each unintentional violation. There is up to a $7,500 fine per intentional violation and each violation of minors’ data (children under the age of 16).

Enforcement begins on July 1, 2023. Violations are publicly visible and searchable on California’s data breach search database. You can search by the violating organization and/or data of breach.

7. Who is the new enforcement agency?

CPRA established a new regulatory muscle, the California Privacy Protection Agency, with judicious amounts of discretionary power over the CCPA and CPRA.

The five-member regulatory authority promises more oversight and costly fines for invasions of privacy and other compliance violations. The Agency will take over administrative enforcement responsibilities from the current regulator, the California Attorney General, on July 1, 2023 (six months after the CPRA effective date).

8. What is “Sensitive Personal Information” under CPRA?

CPRA introduces a specific set of ‘special categories’ that must be treated with extra security. This so-called “sensitive personal information” helps to prioritize enforcement resources and penalties and prevent high-risk violations and high-impact scenarios.

This data category is similar to the European Union’s GDPR definition of personal data and stricter than the former CCPA definition of personal information.

Under the CPRA, sensitive personal information includes traditionally confidential identifying information, like social security number, driver’s license, and banking/financial account information. It also includes exact geolocation, race/ethnicity, religion and more.

Sensitive personal information under new CPRA protections is subject to restricted use and disclosure and purpose use.

9. What is personal information under CCPA and CRPA?

Under CCPA/CPRA, personal information is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Beyond CPRA: Conquering the era of privacy

The multidimensional ecosystem of privacy laws have sweeping consequences for your association website, and new rule-making shows no sign of a slowdown.

To date, more than two dozen states have proposed or passed comprehensive data protection laws or amendments to existing laws. Beyond California, New York, Virginia, Colorado, Maine, and Nevada are among those driving U.S. information privacy frameworks.

Not to mention the international layer of overlapping regulations, including evolving GDPR requirements and the new Personal Information Protection Law (PIPL), which is China’s first omnibus directive on individual privacy rights.

The PIPL not only has a broad jurisdictional scope and catch-all provisions to further expand cross-border applicability, but it also includes new “separate consent” requirements and other systematic obligations.

This so-called Era of Privacy has dramatically shifted perceptions and behaviors in recent years. Heightened awareness and public pressure has placed a high premium on digital governance and planning and information transparency.

Today, you need a thoughtful, end-to-end framework that integrates all of your IT activities, not just data security, protection, and risk management practices. Your organization’s entire internal structures need to be reoriented to usher in secure IT environments and transparent processing practices.

Wrap-Up: CPRA Website Compliance

The best way to prepare your website for CPRA compliance – while getting up to snuff with the PIPL and the layered, burgeoning privacy landscape – is to comply with GDPR standards. For the most part, the GDPR is still the go-to multi-standard compliance strategy.

Alternatively, consider investing in a compliance software for your website. It’ll help you manage the nuances and discrepancies of an evolving rule-making environment, all-in-one place. However, becoming cyber smart in today’s data economy and the era of privacy requires a long-term approach.

Forward-looking organizations are realizing the need to adopt a strong, scalable privacy culture focused on digital/IT governance and transparency. Need help getting up to speed? Start the conversation here.