At a meeting of the California Privacy Protection Agency (“CPPA”) on June 8, we learned additional information about the initial batch of proposed regulations (“Proposed Regulations”) to the California Privacy Rights Act (“CPRA”) that were published on May 27. The Proposed Regulations keep much of the pre-existing California Consumer Privacy Act (“CCPA”) regulations but modify and add some key provisions. Because the CPRA was drafted as an amendment to the CCPA, the Proposed Regulations reference the CCPA (as amended by the CPRA). The Proposed Regulations focus on data subject rights, contractual requirements, and obligations related to disclosures, notices, and consents. Additional proposals will cover cybersecurity audits, privacy risk assessments, and automated decision making, among other areas. While we expect significant changes as the Proposed Regulations proceed through the formal rulemaking process, which the CPPA has not yet officially started, we provide our key takeaways below:
Data Subject Rights
- Transparency: The Proposed Regulations require that businesses clearly explain to consumers their rights and methods for submitting data subject requests and avoid making it overly burdensome to exercise those rights.
- The Proposed Regulations promote the use of language that is easy to understand and avoids confusing elements when describing data subject rights and how they can be exercised.
- The Proposed Regulations state that consumers must be able to exercise more privacy-protective measures as easily as less privacy-protective options (e.g., opt-out process shall not require more steps than opt-in process). Methods should be tested to ensure functionality and should not introduce unnecessary steps that could be seen as undermining consumer choice.
- The Proposed Regulations proscribe the use of manipulative language, choice architecture, or other methods like bundling different consents together, which could be seen as pushing consumers into making a particular choice.
- Dark Patterns: The Proposed Regulations prohibit the use of dark patterns—technology that substantially subverts or impairs consumer autonomy, decision-making or choice. Under the Proposed Regulations, consent obtained through the use of such technology might not be considered valid, potentially leaving businesses in the position of never having obtained consent for certain data uses.
- Right to Opt-Out of Sale / Sharing: According to the Proposed Regulations, the “Do Not Sell or Share My Personal Information” link—which must be prominently posted by businesses that engage in data sales or certain sharing—should either immediately opt the consumer out of all sales/sharing or direct the consumer to a webpage where the consumer can make that choice. Additionally, businesses would need to notify any downstream third parties to stop selling or sharing the information.
- Opt-Out Signals: There has been much discussion and debate about how strictly “opt-out preference signals” (“OOPS”) would be enforced under the regulations. These signals are increasingly being deployed as an option on some types of browsers. If the Proposed Regulations are approved, businesses would be required to accept any OOPS that they receive or detect, if the OOPS is in a commonly used and recognized format (such as an HTTP header field) and designed to make clear to the consumer that it is opting them out of the sale or sharing of personal information. In effect, this would require businesses to treat OOPS as an additional opt out method that they support, even though businesses have no control over the design or deployment of the signals. However, if the OOPS conflicts with another privacy setting specific to the business, which allows the business to sell or share personal information, the business can notify the consumer about the discrepancy and ask them whether they would like to opt back into sales and sharing.
- Right to Limit: If a business uses or discloses sensitive personal information for purposes other than those “necessary to perform the services or provide the goods reasonably expected by an average consumer” or as otherwise allowed in the regulations, the Proposed Regulations would require the business to provide consumers notice of their right to limit the use of information and at least two methods for submitting requests to limit the use or disclosure of the information.
Disclosures, Notices and Consents
- Purpose Limitations: The Proposed Regulations would impose purpose limitations on the processing of personal information. If approved, the regulations would limit processing of personal information to activities that are consistent with what an average consumer would expect based on the notice provided when the information was collected. Explicit consent would be required before processing personal information for purposes that were incompatible with those expectations.
- Readability: The Proposed Regulations would require that disclosures be easy to read and understandable to consumers, avoiding technical or legal jargon. Disclosures would need to be readable on smaller screens and reasonably accessible to consumers with disabilities in accordance with industry standards, such as the Web Content Accessibility Guidelines, version 2.1. In addition, disclosures would need to be presented in the languages in which the business provides contracts, disclaimers, sale announcements or other information to consumers in California.
- Notice at Collection: Regardless of whether the business collects personal information itself or does so through a service provider, the Proposed Regulations would place the burden of providing notice at the point of collection on the business. The Proposed Regulations explain that the notice at collection should enable consumers to exercise meaningful control over a business’s use of their personal information. In other words, it should give consumers all the information they need to decide whether to share personal information with the business and whether to limit or opt out of some uses or disclosures of personal information. For businesses that collect personal information through webforms, the Proposed Regulations indicate that a link to the notice should be placed near where consumers enter or submit information. Among other elements, the notice at collection must include:
  - the length of time the business intends to retain each category of data;
  - whether the category of information will be sold or shared;
  - information about the consumer’s right to opt-out of the sale or sharing of information, if applicable; and
  - the names of all third parties that the business allows to control the collection of personal information, or information about their business practices.
Contractual Requirements
- Service Provider Contracts: Among other things, the Proposed Regulations would require businesses to have contracts with service providers that:
  - prohibit the service provider from selling or sharing personal information and from retaining, using, or disclosing personal information for any purposes other than those specified in the contract or as permitted by the CCPA/CPRA;
  - identify the specific business purposes and services for which the service provider processes personal information;
  - require the third party to check for opt-out signals and honor requests to opt-out of the sale or sharing of personal information; and
  - grant the business the right to take reasonable and appropriate steps to ensure that the service provider uses personal information in a manner consistent with the business’s obligations under the CCPA/CPRA.
- No Generic References: The Proposed Regulations state that service provider contracts should not describe the business purposes or services that are being provided in a generic manner, such as by referencing the entire contract generally. This could mean that businesses which recently revised agreements with service providers to comply with the CCPA might need to make additional revisions if the Proposed Regulations are approved.
- Effect of Non-Compliance: Contracts that do not comply with the Proposed Regulations would render the vendor not a “service provider” under the CCPA/CPRA, which could make the disclosure of personal information a sale, obligating the business to provide a “Do Not Sell or Share My Personal Information” link.
- Contracts with Third Parties: In addition to the required contract provisions for service providers, the Proposed Regulations would create additional contractual requirements for businesses engaging with other third parties to sell or share personal information. These include:
  - specifically identifying the purpose for which personal information is sold or shared; and
  - requiring third parties who are not service providers to comply with applicable provisions of California privacy law.
Investigations and Enforcement
- Broad Authority: The Proposed Regulations would provide the CPPA with broad authority to audit businesses and enforce the CCPA/CPRA. Among other authority, the CPPA would be permitted to audit (even unannounced) any person to ensure compliance with the CCPA/CPRA and initiate proceedings by sworn consumer complaint or of its own accord. The CPPA would also be able to conduct audits if the subject’s processing “presents significant risk to consumer privacy or security” or “if the subject has a history of noncompliance with the CCPA or any other privacy protection law.”
Next Steps
While this initial set of draft regulations would provide some clarity to preexisting questions, it leaves open many questions. The CPPA discussed the Proposed Regulations at its June 8 board meeting but did not vote to begin the formal rulemaking process at that time. The formal rulemaking process will begin once the CPPA approves the rulemaking file and files a Notice of Proposed Rulemaking Action, which is posted on the CPPA’s website and published in the California Regulatory Notice Register. After notice is published, businesses will have 45 days to file public comments and the CPPA will also hold a public hearing. After the comment period, the CPPA will address the comments it has received and publish notice of any changes. If the CPPA proposes material changes to the Proposed Regulations after the initial comment period, there will be a subsequent 15-day comment period, at the end of which the CPPA is required to address all comments before finalizing and formally adopting the regulations.
While we expect additional rounds of proposed regulations and significant revisions to the regulations before they are finalized, it is not clear that all of the regulations will be finalized before the CPRA comes into effect at the beginning of 2023. Organizations doing business in California can begin to prepare for the CPRA’s effective date by evaluating business practices and internal compliance programs to assess compliance with the CPRA. We will continue to monitor these developments.