5 Strategies for CPRA and Data Privacy Compliance
Fast on the heels of the EU’s General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA) went into effect on January 1, 2020 and ushered in a new era of compliance. CCPA affected businesses worldwide, covered a wide range of personal data, and imposed new requirements and liabilities beyond those of GDPR.
In November 2020, voters approved the California Privacy Rights Act (CPRA) to build on CCPA. With CPRA coming into effect on January 1, 2023, covered businesses will have even more compliance obligations. There’s no singular roadmap or strategy to being “CPRA compliant”, but there’s no shortage of strategies to prepare for CPRA and DocuSign solutions can help.
Here are five key strategies to meet new CPRA requirements.
1. Identify risk areas across contracts—in DocuSign and from other sources
CPRA imposes requirements on businesses that share or sell private data, including when the “sale” is not for traditional monetary gain. To address these requirements, you need to know how your service providers and business partners collect and share personal data, both before and after your interactions—and that requires clear knowledge of what is in your agreements. The challenge is that contracts don’t always contain standardized terms around data privacy issues, so even a searchable contract repository won’t obviate a tedious manual review effort.
DocuSign Insight uses AI-driven analysis to provide 360-degree visibility into your agreements, regardless of how and where they’re stored in your enterprise. Pre-configured to automatically and intelligently identify contract clauses triggering data privacy issues, Insight provides a conceptual understanding of your providers’ and partners’ commitments around personal data use, enabling you to manage and mitigate CPRA risk where necessary.
2. Generate revised agreements with third parties that share data
Once you’ve identified the data privacy weak points within your agreements, you’ll want to amend and re-negotiate contract terms. Traditionally, “re-papering” agreements with a range of business partners and service providers was a painstaking, costly, and error-prone process.
DocuSign CLM streamlines this process by automating contract creation, negotiation, and approval. SpringCM helps you efficiently build contracts by leveraging previously-approved clause language and source data from your enterprise systems. It also helps you shepherd agreements through complex negotiations and proprietary workflows.
If your third-party relationships are managed in Salesforce, DocuSign Gen for Salesforce provides an integrated solution to prepare, sign, and store these agreements efficiently and reliably.
3. Execute revised third party agreements quickly and efficiently with all signatories
With CPRA’s start date looming and other state-enacted comprehensive consumer data privacy laws in effect, agreements that have been revised for data privacy compliance need to be executed in an efficient, reliable, and—of course—legally binding way.
DocuSign eSignature provides reliable enforceability of revised agreements with timestamped, tamper-evident, and court-admissible audit trails. Plus, DocuSign’s advanced workflow tools accelerate your execution process: The bulk send feature allows you to gather individual consent from a large number of users, while automated reminders and conditional routing keep complex approvals on track.
4. Collect provable consent to revised T&Cs, disclosures, and privacy policies
CPRA requires that businesses notify consumers if they sell, share, or disclose personal information. Businesses are also required to display a persistent “opt-out” option and secure from consumers under 16 (or their parents/guardians if under 13) an affirmative “opt-in” before their data is leveraged. To minimize risk, businesses should collect—and document—the consent of their consumers to revised End User License Agreements (EULAs), Terms and Conditions, privacy policies, and the like.
DocuSign Click provides an easily-auditable mechanism to capture legally-binding consent to standard terms across all platforms, all with a single click. With Click, administrators can seamlessly process updates to existing agreements, so it’s always clear which users have agreed to which version of an agreement. And Click is compatible with your existing DocuSign eSignature infrastructure, so it’s easy to gain a unified view across all your eSignature and clickwrap agreements.
5. Manage subject access requests—from submission to validation to secure delivery
This one is a three-parter, and it’s a strong opportunity for businesses to turn privacy obligations into enhanced customer trust. CPRA requires businesses to provide consumers the ability to obtain, delete, and stop the sharing of their information, including adding a “Do Not Sell My Personal Information” option to corporate websites. Handling such data privacy “subject access requests” can be a burden and risk point, but it can also show a business’ commitment to consumer privacy and convenience.
Create a seamless experience for consumers to submit subject access requests
DocuSign Guided Forms, powered by Intelledox, provides easy-to-implement, customer-friendly forms to capture such information. Guided Forms provides step-by-step guidance to users and pre-fills forms with known data, so you get complete submissions and fewer errors.
Validate the requestor’s identity to confirm you can share their personal data
The DocuSign Identify family of products includes SMS, phone, knowledge based authentication, and even digital verification of government IDs from a mobile device. This is especially valuable when the requestor can’t be reliably identified via the business’ account process, or when parental consent is required for a minor’s “opt-in” as discussed above.
Process and deliver on data privacy requests in a secure and fully-auditable way
DocuSign eSignature is used every day to securely route encrypted documents for approval, avoiding the need to email sensitive files, risk data exposure, and follow up to confirm receipt. DocuSign provides a powerful platform for businesses to approve and act on subject access requests—ensuring a complete audit trail of every step and access point along the way.
Learn more with our on-demand webinars
With multiple statewide consumer data privacy laws on the books, in addition to comprehensive US Federal Privacy law reform that would replace the invalidated US Privacy Shield on the horizon, managing data privacy risk is an ever-more-challenging priority and presents a patchwork quilt of compliance obligations. Now, more than ever, maintaining data privacy diligence is a mandate, not a choice. Fortunately, meeting your data privacy law requirements can—and should—go hand in hand with building more agreeable B2B and B2C relationships.
This blog post is offered for general information purposes only. It does not constitute, and is not a substitute for, legal advice.