On July 8, 2022, the California Privacy Protection Agency (the “CPPA” or “Agency”) began the formal rulemaking process to adopt regulations implementing the amendments to the California Consumer Privacy Act (the “CCPA”) introduced by the California Privacy Rights Act (the “CPRA”). The “Proposed CCPA Regulations” (the “Proposed Regulations” or “Regulations”) were originally released by the Agency on May 27, 2022, and no substantive changes have been made to date.
Next Steps
There is a 45-day public comment period (ending August 23, 2022) during which any interested party may submit written comments. The Agency will hold public hearings on the Proposed Regulations on August 24 and 25, 2022. After the Agency analyzes the comments received during the comment period, it will either adopt the Regulations substantially “as is” or modify them based on the comments (in which case the modified text will be made publicly available for at least 15 days before it is adopted by the Agency). Supporting documents for the Proposed Regulations can be found on the Agency’s website.
Key Takeaways
Key takeaways of the Proposed Regulations include the following:
- Agency Audits (§ 7304). The Regulations afford the Agency broad rights to conduct audits, including to investigate potential CCPA violations, where the collection or processing poses a significant risk to consumer privacy or security, or where there is a history of noncompliance with the CCPA or other privacy laws. The Agency’s audit rights extend to businesses, service providers, contractors, or other persons. Notably, audits may be announced or unannounced at the Agency’s discretion.
- Necessary and Proportionate Principle (§ 7002). The CPRA requires a business’s processing of personal information to be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.” The Proposed Regulations define this based on what an average consumer would expect when the personal information was collected, such that a business is now required to obtain a consumer’s explicit consent (i.e., an opt-in) before collecting, using, retaining, and/or sharing a consumer’s personal information for any purpose that is unrelated to or incompatible with the purpose(s) for which the personal information was collected or processed (e.g., a business providing a mobile flashlight app should not collect geolocation data without explicit consent).
- Privacy Policy; Notice at Collection (§§ 7011 – 7012). The Proposed Regulations provide additional content to be included in a privacy policy beginning on January 1, 2023, including information concerning (1) the use and disclosure of sensitive personal information, (2) how opt-out preference signals will be processed, and (3) the sale or sharing of personal information of consumers under 16 years of age. There are also additional content requirements for the notice at collection, including a requirement to provide the names of all third parties that the business allows to collect personal information from the consumer (unless the third party provides its own notice). The Regulations also place additional emphasis on the requirement that the notice at collection include a link to the specific section of the privacy policy that speaks to the processing at issue (a link to the beginning of the privacy policy or an unrelated section of the privacy policy is not sufficient).
- Opt-Out Preference Signals (§ 7025). The Proposed Regulations emphasize that businesses are required in all instances to honor opt-out preference signals. Businesses have a choice only as to the manner in which they process such signals. Businesses that process opt-out preference signals in a “frictionless manner” do not have to provide opt-out links for sale/sharing or for the right to limit use of sensitive personal information. Processing in a frictionless manner requires (among other things) that the opt-out preference signal alone is sufficient to fully effectuate the consumer’s request to opt out: the business cannot display a pop-up response, request additional information, or change the consumer’s experience with the product or service.
- Methods for Submitting Consumer Requests and Obtaining Consent (§ 7004). The Proposed Regulations set consumer friendly principles for businesses to design and implement methods for submitting data rights requests and for obtaining consumer consent. For example, businesses must:
  - use language that is easy for consumers to read and understand;
  - not make it more difficult for consumers to exercise more privacy-protective options;
  - avoid confusing language or interactive elements; and
  - avoid manipulative language or choice architecture, such as language or wording that guilts or shames consumers into making a particular choice.

  Businesses are also required to test the methods used for submitting data rights requests to ensure that they are functional and do not undermine consumers’ choices.
- Prohibition of Dark Patterns (§ 7004). The Proposed Regulations prohibit the use of dark patterns to obtain consumer consent. A dark pattern is defined not by any particular method of consent or intent of the business, but by the effect on the consumer (“[a] user interface is a dark pattern if the interface has the effect of substantially subverting or impairing user autonomy, decision-making, or choice, regardless of a business’s intent”).
- Right to Limit Use of Sensitive Information (§ 7027). The CPRA introduced restrictions on the use of “Sensitive Personal Information” (broadly defined in the CPRA to include Social Security numbers, driver’s license or passport numbers, financial and health data, precise geolocation, racial or ethnic origin, genetic data, and biometric identifiers), including an obligation to provide consumers with the right to limit use of their Sensitive Personal Information beyond certain specified use cases. The Proposed Regulations further clarify the circumstances under which a business would not be required to provide consumers with this “right to limit.” The Proposed Regulations expressly require the business to notify service providers and contractors of any “request to limit,” as well as any applicable third parties with access to such sensitive personal information. The Regulations also include detailed requirements for implementing the right to limit, similar to the requirements in the existing CCPA regulations for the exercise of other consumer rights requests (e.g., two or more methods for submitting requests must be offered). However, a business may not require verification for a request to limit: the business may ask for information needed to complete the request, but must comply without verification where feasible.
- Service Provider and Contractor Contracts (§ 7051). The Proposed Regulations add new requirements that must be included in service provider or contractor agreements and that go beyond what the statute requires. For example, the Regulations require the agreement:
  - to list the specific business purposes for the processing – it is not sufficient to use generic terms or to refer generally to the services “as described in the agreement”;
  - to include a requirement for the service provider / contractor to directly comply with applicable sections of the CCPA and the Regulations, including by implementing reasonable security procedures and practices; and
  - to grant the business the right to take “reasonable and appropriate steps” to ensure the service provider’s / contractor’s compliance (examples of “reasonable and appropriate steps” include “ongoing manual reviews and automated scans of the service provider’s system and regular assessments, audits, or other technical and operational testing at least once every 12 months”).

  The Regulations encourage ongoing diligence of service providers, noting that a business that never exercises its audit rights may not be able to effectively assert that it was unaware of any non-compliance by its service providers. In addition, service providers and contractors must enter into subcontracts that impose the same requirements on their own service providers / contractors.
- Third Parties (§§ 7052-7053). The Regulations impose requirements directly on third parties with respect to the exercise of certain consumer rights (as passed along by a business), and require third parties to recognize opt-out preference signals sent by consumers. In addition, the Regulations now require businesses that sell or share personal information with third parties to have agreements in place with such third parties that include many of the same flow-through provisions that a business is required to include in its agreements with service providers / contractors.
The Agency stated that the Proposed Regulations do not address cybersecurity audits, risk assessments, or automated decision-making technology, but that these areas will be the subject of future rulemaking.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor the CPPA rulemaking process and provide updates as they become available. If you have any questions about the Regulations or comment process, please contact us.