DG Release Notes - CPRA and GPC – 29 Nov 2022
With this release, 23.16.0, we are committed to helping you stay ahead and remain compliant. Today’s update addresses the California Consumer Privacy Act (CPRA) along with Global Privacy Control (GPC) support within the Universal Consent Platform.
CPRA and GPC
CPRA significantly amends and expands the CCPA, and it is sometimes referred to as “CCPA 2.0.”
For this release we address a few of the major points of the CPRA regulation including:
- GPC (Global Privacy Control)
- Expanded Consumer Rights
- New Notice Template for CPRA
- New Vendor Category – “Sensitive Personal Information”
What this means for you: We are committed to keeping Universal Consent Platform up to date with evolving global privacy regulations with the CPRA being the most relevant example of that. As a Crownpeak customer, you can be confident that your consent solution will help you stay ahead of changing legislation and provide your visitors with world-class privacy experiences.
Let’s look at an example of what we can help you build. CPRA is an extension of the CCPA regulation, which requires a “Do Not Sell” button on every page where data is sold/shared.
How to set up new notices for CCPA:
- Log in to UCP and go to “Manage” in the menu section.
- From there, choose the domain you wish to set up.
- Once in the setup page, navigate to the settings.
From here, in the “Configure Consent” column you will see a new drop down to choose the regulation you wish to set up with the following options:
- Custom Regulation
- CCPA
- GDPR
- Nevada Consumer Optout Law
- LGPD
- KVKK
- PDPA
- CPRA
Selecting the CCPA or CPRA regulation will automatically choose “Opt-Out Consent” as the default consent type for those regulations. You’ll no longer be able to choose “Don’t Require Consent” or “Prior Consent” for CCPA/CPRA.
The Global Privacy Control option is currently available only for CCPA/CPRA. GPC is enabled by default for the CPRA regulation.
GPC cannot be enabled for notices with “No Consent Notification” selected as the Consent Display Type.
Notices with the GPC feature enabled do not have an option to disable the “Consent Options Dialog” and “Vendor Display”.
Additionally, “All-or-Nothing Consent” cannot be applied to countries/states with the GPC feature enabled, as it needs to give the option for end users to override the consent at any time for any individual
As part of CPRA, a new category called Sensitive Personal Information (SPI), which is a subset of Personal Information, has been added to the vendors/categories list.
Note:
Before adding the “Sensitive Personal Information” category to the vendors in a notice, make sure to add the new category to the default category list and publish it to the notices.
To address the GPC signal on a notice, we added a new flag for “Data Sharing”. This flag can be enabled on any custom category where data is shared. Only notices where the GPC feature is enabled trigger this signal and turn off the Vendor Categories with “Is Data Sharing?” labeled “yes.”
If you select both the Essential and Data Sharing options for a category, the GPC signal will override the opt-out option to "opted out" for this category for CCPA/CPRA regulations when the GPC support feature is enabled for this notice.
Expanded Consumer Rights:
In addition to the new consumer rights regarding sensitive personal information discussed above, the CPRA provides additional rights for consumers to correct their personal information, to opt out of certain information sharing, and to bring private lawsuits.
The “Request Your Data” form has been updated with new request types specific to CPRA:
- Right to rectification
- Right to restrict use of personal data
- Right to object to the use of personal data
After these forms are filled out (DNS and DSAR), an automated email is sent to the user to verify who they are, and the data is saved within the privacy UI.
To access these forms, log in to the privacy UI (privacy.evidon.com) and choose the “Access Requests” link in the menu. Once in this menu, you will have access to your list of access requests.
You can use basic sorting and wildcard search to filter to whatever level is needed. On the right side above the table there is a checkbox that lets you see the results that have not yet been verified by email.
How GPC Signal Works:
Consumer/End User consent is stored in the browser LSO object with a GPC flag. If a user has GPC enabled on a browser, the categories/vendors with “Data Sharing” marked “yes” are disabled by default. In case of a user who has already provided their consent and then enabled the GPC signal on their browser, a modal will appear to confirm their preferences, since the previous consent was given without GPC.
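The decision logic described under “Data Sharing” and “How GPC Signal Works”, as an added example that is not Crownpeak's code. The object shapes (`notice.gpcEnabled`, `essential`, `dataSharing`, `stored.gpc`, `stored.choices`) and function names are hypothetical; `navigator.globalPrivacyControl` is the property defined by the GPC specification. It assumes that a stored consent saved while GPC was active keeps the user's own per-category choices.

```javascript
// Added example: hypothetical data model, not the platform's implementation.

// True when the browser exposes an active GPC signal.
// Pass window.navigator in a browser; any object with the same property works.
function readGpcSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// notice:     { gpcEnabled: boolean }
// categories: [{ name, essential, dataSharing }]
// stored:     null, or { gpc: boolean, choices: { [name]: boolean } }
//             (assumed shape of the consent record saved in the browser)
function resolveConsent(notice, categories, stored, gpcSignal) {
  // Only notices with the GPC feature enabled react to the signal.
  const gpcApplies = Boolean(notice.gpcEnabled && gpcSignal);

  // Consent saved without GPC must be re-confirmed once the signal appears.
  const needsConfirmation = Boolean(gpcApplies && stored && stored.gpc === false);
  const honorStored = Boolean(stored) && !needsConfirmation;

  const states = {};
  for (const c of categories) {
    const gpcBlocks = gpcApplies && c.dataSharing;
    if (c.essential && !gpcBlocks) {
      states[c.name] = true;                   // essential, no sharing conflict
    } else if (honorStored && c.name in stored.choices) {
      states[c.name] = stored.choices[c.name]; // user's own choice
    } else if (gpcBlocks) {
      states[c.name] = false;                  // GPC opts out, even if essential
    } else {
      states[c.name] = true;                   // opt-out model: on by default
    }
  }
  return { states, needsConfirmation };
}

// Constructed sample categories for illustration.
const SAMPLE_CATEGORIES = [
  { name: "core", essential: true, dataSharing: false },
  { name: "payments", essential: true, dataSharing: true },
  { name: "advertising", essential: false, dataSharing: true },
  { name: "analytics", essential: false, dataSharing: false },
];
```
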