On November 3, 2022, the California Privacy Protection Agency (“CPPA”) issued a notice of modifications to the Proposed Regulations implementing the California Privacy Rights Act (“CPRA”). These proposed modifications come in response to public comments on, and are meant to clarify, previously issued modifications.
The modifications, which are largely based on the Modified Proposed Regulations published on October 17 but include changes made pursuant to the October 28 and 29 CPPA Board meeting, affect thirty-three (33) sections of the proposed CPRA regulations. Here, we highlight notable proposed modifications from October 17 and November 3 to sections 7002 and 7050:
- The CPPA modified section 7002, which covers “Restrictions on the Collection and Use of Personal Information,” by amending its wording regarding the purposes for which consumer personal information can be collected, used, or shared. The revised regulations specify that a business’s collection and use of personal information “shall be reasonably necessary and proportionate” to achieving either the “purpose for which the personal information was collected or processed” or another “disclosed purpose that is compatible with the context.” The proposed changes also include two lists of considerations, no longer called “factors,” for determining whether a business’s collection or use of personal information meets these requirements. Among other things, these lists ask whether the business’s actions are consistent with the “reasonable expectations of the consumer(s).” Finally, the CPPA added to section 7002 a list of considerations to assist businesses in determining when their use of consumer personal information is “reasonably necessary and proportionate” to achieving a purpose for which the business has obtained consumer consent.
- The modifications to section 7050, which governs the relationship between businesses and service providers and contractors, include clarifying when a person becomes a “service provider” or “contractor.” A portion of the proposed new language specifies that a person “who does not have a contract that complies with [the service provider/contractor requirements set out in] section 7051 … is not a service provider or contractor under the CCPA.” The proposed updates also note that “whether an entity that provides services to a Nonbusiness must comply with a consumer’s CCPA request depends on whether that entity is a ‘business,’ as defined by Civil Code section 1798.140, subdivision (d).” In other words, a business subject to the CCPA must comply with a consumer’s rights request even if the business is providing services to an entity that is not subject to the CCPA.
Other notable proposed modifications to the proposed CPRA regulations include the addition of new defined terms, such as “nonbusiness” and “information practices”; updates to the rules regarding opt-out preference signals in section 7025; and changes to the CPPA’s investigatory procedures in section 7301. The addition of subsection 7301(b) is potentially significant because it allows the CPPA to consider several factors, including good faith efforts at compliance and the time between the issuance of requirements and the alleged violation, when deciding whether to pursue an investigation of alleged misconduct.
The CPPA is accepting written comments regarding the proposed changes until 8:00 a.m. PT on November 21, 2022. Any information provided is subject to public disclosure.
Alston & Bird’s Privacy, Cyber & Data Strategy Team is continuing to monitor developments surrounding CPRA rulemaking and will provide updates as more information becomes available. Please contact us if you have any questions.