It's a Wrap! Enforcing Online Agreements in Light of the CPRA

Mar 03, 2021 Published Article

We're all familiar with it at this point. A popup comes up on your device informing you of a change to terms and conditions, or otherwise asking for permission. For those operating websites, they know that this inconvenience is required to comply with various legal requirements.  What they may not be aware of yet, is that these requirements, and popups, are about to become much, much, more prevalent. Recently, the California Privacy Rights Act ("CPRA"), passed by the voters of the State of California, includes new language specifying how consent is supposed to be obtained for the collection of personal information, amending the California Consumer Privacy Act ("CCPA"). This new manner of consent rules out browsewrap agreements, and would require that popups increase as website operators shift focus to clickwrap agreements, if they have not already.

Browsewrap and Clickwrap

Typically, online agreements comprising Terms of Service or a Privacy Policy can be broken into either (a) browsewrap agreements - agreements that imply assent or agreement to online terms by the mere act of using a website or an online service after a clear and conspicuous notice that terms exist or (b) clickwrap agreements - agreements that show assent or agreement to online terms by having an individual click or otherwise agree to.  While the best option to ensure enforceability is always the one that leaves the most documented signs of assenting to terms (i.e. a clickwrap agreement), both are typically recognized and enforced under California law. The practical effect of this is that to get consent, all that is technically needed is either to (a) show actual consent by having the person click on an "I agree" button, or (b) provide that the website visitor had ample notice that terms existed.

Consent under the CPRA

The CPRA amends the CCPA to provide greater protections to consumers in a variety of ways, including more enforcement through the creation of an agency, as well as more rights given to consumers to control their information, including the right to correct information that's been collected, as well as the rights to limit the use of sensitive personal information.  One of the changes under the CPRA is the addition of a definition for "Consent," stating that it must be a specific, freely given, informed and unambiguous indication of the consumer's intent.  This new definition specifically prohibits the use of "acceptance of a general or broad terms or similar document that contains descriptions of personal information processing" as well as "hovering over, pausing, or closing content" and "dark patterns," interfaces meant to undercut consumer choices (i.e. the use of trick questions, sneaking items into a checkout basket, or making a situation easy to get into but difficult to get out of).  This differs considerably from the prior California law on browsewrap agreements and effectively requires that agreements are shifted to a clickwrap structure, putting privacy policies in line with the explicit approvals required under the European Union's General Data Protection Regulation ("GDPR") which requires explicit permission for the use of cookies in data collection. As such, modifications to the kinds of plugins used to get consent for cookies as required in the GDPR can easily help companies show the consent needed under the CPRA.

What now?

While the CPRA is not yet in effect and will not be until January 1, 2023, enforcement will begin on July 1, 2023 for violations occurring on or after that date. This is a minor, and easily corrected item that can, and should, be promptly taken in the lead-up to complying with the CPRA and its changes, all by using similar methods as those for GDPR cookie consents.  While this will differ from GDPR cookie consents because the CPRA consent must be (1) specific to the privacy policy and (2) unavoidable by clicking elsewhere (i.e. closing the popup), the actual implementation is similar, and will provide evidence that an individual has assented to a privacy policy.

How Newmeyer Dillion Can Help

Newmeyer Dillion can provide advice on existing CCPA compliance policies, help revise CCPA compliance policies to conform to the CPRA, help implement new cybersecurity policies to comply with CPRA, and provide updates to CPRA required notices and privacy policies.  California has a history of being at the forefront of policy developments that expand internally and spread to other states, therefore, CPRA may serve as a template for similar laws in other states.