How to configure a notice for CPRA compliance

Didomi now enables you to build consent notices compliant with the California Privacy Rights Act (CPRA). CPRA has particular features that must be included in your notice:

  • Vendors processing Sensitive Personal Information (SPI)
  • Purposes grouped into pre-defined categories
  • Global Privacy Control (GPC) taken into consideration.

The following steps show you how to properly configure CPRA on your notice. 

⚠️ The IAB TCF framework does not apply to CPRA regulation. It is only valid for GDPR.

⚠️ For now, only the English language is supported for CPRA.

⚠️ The multi-regulation approach is not yet compatible with the Didomi Consents API. As a result, the Cross-Device and Batch Export features cannot be used for CPRA, only for GDPR.

✅ Add SPIs to your vendors

Sensitive Personal Information (SPI) is defined as personal information that is not publicly available, and which reveals information related to:

  • Precise geolocation,
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership,
  • Content of mail, email and text messages,
  • Genetic data,
  • Biometric information for uniquely identifying a user,
  • Health data,
  • Sex life or sexual orientation.

The list of possible SPIs is specified in CPRA regulations and cannot be customized. 

Vendors collecting SPIs need to be declared in the Didomi console so this can be reflected in your notice:

  1. Go to the Vendors tab in the Data Manager.
  2. Choose Edit Vendor.
  3. Scroll down to the Sensitive Personal Information (for CPRA only) section.
  4. Select the SPIs relevant to your vendor.
  5. Save.

If your vendor does not process SPIs, you can leave the above section empty. 

If you use the same vendor for CPRA and other regulations, SPI information will not be disclosed in your notices for the other regulations, except if they use the same SPIs.

It is not possible to add SPIs to IAB vendors, since IAB vendor information is populated directly from the IAB, and they do not yet support CPRA. 

In this case, you need to create a custom vendor instead of using the IAB option. 

✅ Configure your CPRA notice

Follow these steps:

  1. Go to Consent notices and choose Edit Notice.
  2. In the Regulations tab of step 1. Regulations, select CPRA from the list of regulations (several additional regulations can be selected, since Didomi supports multiple regulations).
  3. Click on Edit Vendors & Purposes.
  4. Select the vendors to be added to your CPRA notice. To create custom vendors, click on Add a new vendor.
  5. Scroll down to the Sensitive Personal Information section.
    1. If any of the vendors you selected process SPIs, these will be listed. If you click on the Preview button next to an SPI, you can access the list of vendors processing this SPI and update it accordingly.
    2. If none of the selected vendors process SPIs, this section remains empty.
  6. Scroll down to the Purposes section. The purposes associated with the selected vendors appear above the three mandatory CPRA categories.
  7. It is mandatory to drag and drop each purpose into one of the categories. There can only be one category per purpose.
  8. Save.
  9. You can now proceed to configure further notice parameters in step 2. Customization, before publishing in step 3. Publish.
    • Don't forget to fill in specific CPRA parameters for each step (Look & feel, Content editor, and Integrations, especially).

For now, only the English language is supported for CPRA notices. 

    • You can see live previews of your CPRA notice, including all CPRA-specific parameters. 

This is how your CPRA notice will look:

 

  • 1st layer
  • Personal information layer
  • Sensitive Personal Information (SPI) layer
  • Partners layer

✅ GPC signal

Global Privacy Control (GPC) is a privacy signal supported by several browsers that lets users specify at the browser level that they do not want their data to be processed (more details about GPC and supported browsers are available in the GPC specifications).

Didomi CPRA notices support GPC automatically. 

As soon as the signal is detected, your CPRA notice is adjusted to respect the user choice via GPC:

  • A "GPC signal detected" icon is displayed in the notice. 
  • All personal information will be set to Do not sell / Do not share.
  • All SPIs will be set to Disagree.
  • Instead of Agree and Close there will be a Close button. 


There is no option yet to enable or disable GPC from the console. It is automatically supported.
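
To test the GPC behaviour listed above on your own site, the following added example (not Didomi code) reads the signal as the GPC specification exposes it, through `navigator.globalPrivacyControl` in the browser and the `Sec-GPC: 1` request header on the server, and compares a recorded notice state with the expected defaults. The function names, the ids and the shape of the `observed` object are assumptions made for illustration.

```javascript
// Added example, not Didomi SDK code. Function names, ids and the shape of
// `observed` are hypothetical; navigator.globalPrivacyControl and the Sec-GPC
// header come from the GPC specification.

// Browser side: the property is `true` only when the user enabled GPC.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Server side: the signal is present only when the header value is exactly "1".
// Header names are case-insensitive, so compare in lower case.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Compare what a test run observed in the notice with the GPC behaviour
// listed above; returns one message per mismatch (empty array = as expected).
function gpcMismatches(gpc, observed) {
  if (!gpc) return []; // the article only specifies behaviour when GPC is on
  const problems = [];
  if (!observed.gpcIconShown) problems.push("GPC icon not displayed");
  if (observed.primaryButton !== "Close") {
    problems.push(`primary button is "${observed.primaryButton}", expected "Close"`);
  }
  for (const [id, status] of Object.entries(observed.personalInformation)) {
    if (status !== "Do not sell / Do not share") problems.push(`purpose ${id}: ${status}`);
  }
  for (const [id, status] of Object.entries(observed.spis)) {
    if (status !== "Disagree") problems.push(`SPI ${id}: ${status}`);
  }
  return problems;
}

// Constructed sample: a notice state recorded during a manual test with GPC on.
const sampleObserved = {
  gpcIconShown: true,
  primaryButton: "Agree and Close",
  personalInformation: { advertising: "Do not sell / Do not share" },
  spis: { precise_geolocation: "Agree", health_data: "Disagree" },
};
const sampleGpc = gpcFromNavigator({ globalPrivacyControl: true }) ||
  gpcFromHeaders({ "Sec-GPC": "1" });
console.log(gpcMismatches(sampleGpc, sampleObserved));
```

An empty array means the recorded notice state matches the GPC behaviour described in this section.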