At the end of May, 2022, the California Privacy Protection Agency (“Agency”) released a preliminary draft of proposed regulations for the California Privacy Rights Act (“CPRA”). The 66-page draft proposal covers only a few of the topics the Agency intends to address. The issues covered in this draft of the regulations include data collection and processing restrictions, and some detailed requirements on the sale and sharing of personal information. Several notable topics were left out of the proposed regulations and remain unresolved. Those unresolved items include specifics about the soon-to-be-required Privacy Risk and Impact Assessments, Automated Decision Making, Personal Data Retention, Cybersecurity Audits and Examinations, and the closely watched fate of the employee carve-out.
On June 8, 2022, after the draft release, the Agency conducted a board meeting where board members and authoring members of the California Attorney General’s Office discussed the proposed regulations as well as the upcoming formal rulemaking process. Deputy Attorney General Lisa Kim and Supervising Deputy Attorney General Stacey Schesser described at a high level what changes the proposed regulations brought to the CPRA. The Board also authorized the Agency’s Executive Director, Ashkan Soltani, to commence the formal rulemaking process.
As things look today, the Regulations are unlikely to be finished by the CPRA’s effective date of January 1, 2023, which will lead to other challenges. There are also a large number of question marks still in place on a lot of very important issues. Nonetheless, businesses and organizations operating in California should start to take notice that the train is beginning to leave the station to operationalize the CPRA.
Generally, the proposed Regulations act as a roadmap for businesses ahead of the 2023 enforcement date. Deputy AG Kim highlighted the main purpose behind the draft, and directed businesses to read the CCPA’s Initial Statement of Reasons, or ISOR, for an in-depth look at the “why” behind the proposed Regulations. Kim and Supervising Deputy AG Schesser pointed out the primary goals of the regulations:
- To update the regulations for the existing CPRA amendments to the CCPA, providing harmonization and clarity to minimize confusion;
- To operationalize the existing CPRA amendments, so businesses will have a better idea on how to implement policies and procedures to comply with the law; and
- To reorganize and consolidate certain aspects of the law, making it more digestible.
While the formal rulemaking process has not yet commenced, a few comments on the draft regulations were taken into consideration at the Board meeting. Many of the concerns came from small businesses, and the Board was asked to extend the CPRA’s January 1, 2023, effective date by anywhere between 6 and 12 months to allow businesses to prepare for the law. CPPA Board members urged the public, businesses and individual consumers alike, to participate in the formal comment period by sharing personal experiences and perceived challenges for rule makers to take into account. Below is a more detailed walkthrough of the proposed Regulations, and some of the key takeaways we flagged in our review:
Article 1: General Provisions
Under Article 1, the proposed regulations purport to rework some of the existing regulations to focus on being understandable to both consumers and businesses. For example, the concept of data minimization, as restated in section 7002, requires that a business’s “collection, use, retention, and sharing of a consumer’s personal information” be “reasonably necessary and proportionate” to achieve the business’s purpose in collecting the data in the first place. Section 7003 sets forth all of the requirements that businesses’ consumer disclosures and communications be plain and understandable. The main idea of these sections was already present under the CCPA, but the intention of the newly released drafts is to restate the regulation’s language in order to help businesses better understand their responsibilities.
Another notable section is 7004, which addresses the idea that consent obtained through so-called “dark patterns” is not considered consent. “Dark patterns” are defined as a user “interface [that] has the effect of substantially subverting or impairing user autonomy, decision-making, or choice, regardless of a business’s intent.” Dark patterns may appear as manipulative language, consumer shaming, or even bundling consent options. The draft regulations include examples of what is not acceptable, such as pairing “Yes” to accept and “No, I like paying the full price” as options for an offer. Once again, Section 7004 follows the ongoing theme of transparency for the consumer, requiring businesses to provide easy-to-understand methods of obtaining consent. Note that this is also consistent with the FTC’s treatment of online disclosures and the doctrine of “deception”.
Section 7001 defines the terms used throughout the proposed regulations, and according to the ISOR, “assists businesses in implementing the law” while helping consumers to “enjoy the benefits of the rights provided [to] them by the CCPA.” Some of the noteworthy additions include definitions for concepts such as “disproportionate effort”, “frictionless manner”, and “unstructured data.” These definitions may, in theory, help businesses with the burden of compliance under the CCPA, but they lack an objective standard for what falls into these categories. For example, “frictionless manner” is defined as “a business’s processing of an opt-out preference signal that complies with the requirements set forth in section 7025, subsection (f).” 11 CCR § 7001(m). While these definitions technically explain “how” a business should be compliant under the law, the draft’s somewhat circular language could be problematic when it comes to actual business operations.
Article 2: Required Disclosures to Consumers
Article 2 lays out a proposal for how businesses make disclosures to consumers. When describing the proposals, Deputy AG Kim pointed out the new concept of an alternative opt-out link from Section 7015, which businesses could provide to consumers who want to opt out of the sale or sharing of their personal information or limit the business’s use of their sensitive personal information. The link would be embedded in a business’s website, and it would direct consumers to a page where they will be further informed of these rights, as well as given the opportunity to exercise them. The alternative opt-out link is an example of how the proposed regulations operationalize some of the CCPA’s legal requirements. Other notable Article 2 highlights from the proposed regulations include an updated notice of consumers’ opt-out rights, allowing them to opt out of the sharing of personal data as well as the sale of that information. Businesses could also use the alternative opt-out link to comply with this requirement. Businesses will also need to update their privacy policies. Under Section 7011 of the draft regulations, businesses have additional requirements, such as:
- Providing an explanation of the new consumer rights added by the CPRA’s amendments to the CCPA, including the right to correct, the right to limit, and the right to opt out of the sale and sharing of personal information. 11 CCR § 7011(e)(2). It should be noted that the practical effect of adding “share” (at least the way “share” is defined in the law) to the opt-out obligation is quite limited. The CCPA’s “sale” definition has the same practical effect as the CPRA’s “share” definition.
- Providing information about how the business responds to and processes opt-out preference signals. 11 CCR § 7011(e)(3)(F). This is a very new concept and has some interesting side effects from a practical implementation perspective, as noted below.
Article 3: Business Practices for Handling Consumer Requests
According to Deputy AG Kim, Article 3 updates how consumers may submit requests to exercise their rights. The Article clarifies that the right to know and the right to delete no longer relate to household information; it provides businesses with timelines and methods for responding to consumer requests; and it consolidates the already established exceptions to the consumer right to limit.
One of the most notable updates under Article 3 relates to opt-out preference signals (Section 7025), which is likely to be subject to heavy debate once the formal rulemaking process commences. Opt-out preference signals are defined as a “signal that is sent by a platform, technology, or mechanism, on behalf of a consumer, that clearly communicates the consumer choice to opt-out of the sale and sharing of personal information.” 11 CCR § 7001(r). This clearly includes the browser configuration options around “Do Not Track” (“DNT”) signals.
The CPRA had previously given businesses the option to recognize opt-out preference signals as a method for consumer privacy requests, but the proposed regulations, as written, would require businesses to recognize them. At this point, the proposed regulations are missing technical specifications for opt-out preference signals.
Ironically, the side effect of the DNT recognition requirement is that if a business only engages in cross-contextual behavioral advertising via cookies or similar technology on its website (and there isn’t any other “sharing” going on), then recognizing DNT signals removes the need to post “Do Not Sell or Share My Information” links on the website. For businesses that only “sell” or “share” data by participating in an affiliate advertising network, this is a significant operational benefit. The draft regulations, as written, would effectively remove the requirement for “Do Not Sell” links on those businesses’ websites because the DNT signal is supposed to moot the need for such a link.
On top of the requirement to adhere to requests to delete, section 7022 of the draft regulations creates an obligation for businesses to notify third parties, service providers, and contractors of the consumer’s request to delete. If a business relies on a CCPA exception to refuse a consumer’s request to delete, it will still have to notify the applicable service providers, contractors, and third parties of the consumer’s request to delete any information not subject to a CCPA exception.
Section 1798.106 of the California Consumer Privacy Act (CCPA) provides consumers with the right to correct inaccurate information. Section 7023 of the proposed regulations operationalizes the right to correct by setting forth the procedures businesses must follow for consumer submissions and the handling of requests to correct. Other state laws also provide consumers the right to request corrections, so the operationalized methods of the draft regulations will assist the compliance efforts of businesses operating in other states. Regarding requests to opt out of sale or sharing, section 7026 of the proposed regulations states that a cookie notification or pop-up is not by itself an acceptable method for submitting requests to opt out of sale/sharing. According to the ISOR, this section of the regulation has been restructured to be “easier to read and understandable for businesses and consumers.”
Section 1798.121 of the CCPA provides consumers the right to request that a business limit its use and/or disclosure of their sensitive personal information. The draft regulations add a new section 7027 aimed at giving consumers the ability to limit the use of sensitive personal information to instances where that information is necessary for the business to provide goods and services, and only for purposes that are reasonably expected by a consumer requesting those goods and services. According to the proposed regulations, businesses using or disclosing personal information must provide two or more designated methods for submitting requests to limit. At least one of the methods should reflect the manner in which the business primarily interacts with the consumer (online, brick-and-mortar store, etc.).
Article 4: Service Providers, Contractors, and Third Parties
Article 4 of the Draft Regulations highlights responsibilities for businesses regarding their relationship with third parties, service providers, and contractors. Section 7050 clarifies that a person who contracts with a business to provide cross-contextual behavioral advertising is a third party and not a service provider or contractor. 11 CCR § 7050(c). As a result, that transfer of personal information is subject to the right to opt-out of sharing.
Both sections 7051 and 7053 lay out the requirements that apply to vendor contracts. Notably, the draft proposals would create a new due diligence duty for businesses when working with contractors, service providers, and third parties. The regulation states that “[w]hether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and these regulations.” 11 CCR § 7051. Furthermore, Section 7052 sets forth the duties of third parties, such as recognizing opt-out preference signals and complying with consumer requests. The ISOR states that the listed responsibilities for a third party “benefits businesses by sharing the burden of communicating online requests to opt-out of sale/sharing.”
According to Deputy AG Kim, Article 5 through Article 8 are all relatively unchanged. The differences come in where the statutory language lies, and the draft regulations work to align the language of the CCPA and the CPRA amendments.
Article 9: Investigations and Enforcement
Supervising Deputy AG Schesser discussed the additions made to Article 9, stating that the proposed provisions outline requirements for complaints made to the Agency. The proposed regulations also provide what the Agency needs to start its own investigations. Schesser briefly covered probable cause hearings, stating that the Agency may conduct probable cause hearings if there is evidence to support a reasonable belief that the CPRA was violated. (11 CCR §7303(a)). Other sections of the proposed regulations cover requirements for Sworn Complaints (Section 7300), CCPA Investigations (Section 7301), Stipulated Orders (Section 7303), and Agency Audits (Section 7304).
The Agency said during its February 17, 2022 board meeting that the regulations are unlikely to be finalized on time. Many of the public comments at the June 8 board meeting urged the Agency to push the enforcement date back by at least 6 months. This additional time would allow businesses, small and large, to adjust their privacy practices to be compliant ahead of the enforcement date. With that said, Executive Director Soltani was just recently authorized to commence the final rulemaking proceedings. The proceedings will commence when the Agency publishes a notice of proposed action in the California Regulatory Notice Register. After providing the notice, the public will be welcome to comment on the proposed regulation for 45 days, a period which could be extended should the Agency seek to make substantial changes. With penalties of up to $7,500 per violation, and both the California Attorney General’s Office and the California Privacy Protection Agency having enforcement powers, businesses should keep a close eye on the Agency for further updates.
We do not recommend that organizations in California make any drastic compliance plans right now based on the current state of things. We do recommend that organizations subject to the CCPA/CPRA start looking at their vendor and service provider agreements. The draft regulations give pretty clear direction as to the kinds of things that will need to be included in these agreements, even if the actual text of the regulation isn’t final.
On compliance with the rest of the CPRA, there are simply too many unknowns at this point. However, this recent publication and initial public comment activity signals that the 2023 CPRA train is at least rumbling in the distance.