The CPPA Issues First Draft Of CPRA Regulations – Part One
On Friday, May 27, 2022, on the brink of a holiday weekend, the California Privacy Protection Agency (CPPA) issued a preliminary draft of its proposed regulations implementing the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
These are only the preliminary draft regulations. This is not the final language.
- The CCPA’s June 8 meeting will likely provide more information on the rulemaking process.
- The deadline for final CPRA regulations is still a moving target. Ashkan Soltani, CPPA Executive Director said in February the CPPA would go “somewhat past the July 1 rulemaking schedule” and the timetable for completion was tentatively expected “in Q3 or Q4.”
- The CPPA will ultimately issue a Notice of Proposed Rulemaking to trigger the formal 45-day rulemaking process.
- Consumers, the CPPA, and the California Attorney General’s Office all are empowered to take businesses, contractors, service providers, and third parties to task for perceived non-compliance with privacy obligations
The draft regulations:
- Do not address all sections of the CPRA. Additional regulations are still needed to address cybersecurity audits, risk assessments, and opting-out of automated decision-making technology.
- Mandate the recognition of opt-out preference signals (i.e. GPC)
- Do not address the technical specifications to accommodate GPC signals
- Create new notice at collection requirements when a 1st parties like websites allow 3rd parties such as analytics providers to collect personal information
- Add consent requirements to prevent dark patterns
- Specify notice and permissible use requirements for the right to limit the use of sensitive personal information
- Require businesses to confirm they’ve processed opt-out of sales/sharing and limitation of sensitive personal information requests
- State that cookie management tools alone are not sufficient to honor opt-out and limitation requests
- Need to align new requirements for data processing agreements with the current CPRA requirements
- Require businesses to conduct due diligence on service providers, contractors, and 3rd parties processing personal information
Summary of The Draft Regulations
Restrictions on Collection and Use of Personal Information: Collection, use, retention, and sharing of a consumer’s personal information should be necessary and proportionate to the purposes for which it was collected or processed. It should not be processed in a manner that is incompatible with those purposes.
Consent and Dark Patterns: When obtaining consent, businesses must
- Use methods that are easy to understand
- Provide for symmetry in choice
- Avoid confusing language and elements
- Avoid manipulative choice language
- Declare and provide appropriate notice if sensitive personal information is processed for purposes other than those authorized by the CPRA and the regulations
- Provide information on the new rights under CPRA
- Explain how opt-out preference signals are processed
Notice at Collection: In addition to existing CCPA requirements to notify about categories of personal information, purpose and use of collection, and if data is shared or sold, the draft regulations now require businesses to provide notice at or before the time of collection of personal information on:
- Categories of sensitive information collected
- Data retention for each category of personal information
There are new notice requirements for 1st and 3rd party data collectors
- 1st parties allowing 3rd parties to collect data from consumers must list the names of all the 3rd parties collecting personal information
- 3rd parties also controlling the collection of personal information should provide notice at collection on their homepage and provide the 1st party information about its business practices for the 1st party to include in its collection notice
Sensitive Personal Information: The CPRA currently allows businesses to process sensitive personal information for certain limited purposes. The CPPA will rule on “other” purposes. If a business processes sensitive personal information for other purposes, it must provide a notice and allow consumers to restrict processing to the permissible purposes through a conspicuous “Limit the Use of My Sensitive Personal Information” link.
Opt-Out of Sell/Share: In addition to the existing “Do Not Sell My Personal Information” links, the draft regulations require that links:
- Are conspicuous
- Have the immediate effect of opting the consumer out OR
- Lead the consumer to a webpage where they can learn and make choices.
- A link is not required if opt-out preference signals are processed in a “frictionless” manner (Global Privacy Controls)
Alternative Opt-Out Link: To help simplify opt-out requests, instead of providing both an opt-out of sell/share link, and sensitive information use limitation link, a “ single, clearly labeled link on the business’ internet homepages” to effectuate both of these requests is permissible. The link must:
- Either must say “Your Privacy Choices” or “Your California Privacy Choices.”
- Be conspicuous
- Include the CCPA’s opt-out icon
- Direct consumers to a website with certain information
Mandatory Opt-Out Preference Signals: The CPRA currently provides for the option of recognizing opt-out preference signals as valid consumer requests to opt out of the sale or sharing of personal information and to limit the use of sensitive personal information. The draft regulations mandate businesses recognize these signals.
The CPPA believes the CPRA “does not give the business the choice between posting the opt-out links or honoring out-out preference signals.” They now distinguish between recognizing opt-out preference signals in a “frictionless” and “non-frictionless” manner. If a business provides the opt-out links, then it is allowed to honor opt-out preference signals in a “non-frictionless manner.” If a business processes opt-out preference signals in a frictionless manner, it does not need to provide the opt-out links.
A frictionless manner means:
- Not charging a fee or other valuable consideration, not changing the consumer’s experience with the product or service offered, and not displaying a notification, pop-up, text, graphic, animation, sound, video, or interstitial content in response to the opt-out preference signal
- Ensure the signal also effectuates opt-outs of any offline sales/shares
The draft regulations do not address the technical specifications for opt-out preference signals
Deletion Requests: The draft regulations require service providers and contractors to:
- Notify the consumer the request has been honored
- Permanently delete the information and
- Notify their service providers and contractors to also delete the information
Correction Requests: The right to correction is a new right provided by the CPRA. Businesses:
- Are required to determine the accuracy of the personal information by considering “the totality of the circumstances relating to the contested personal information.”
- May request that consumers provide documentation as needed
- Must ensure accuracy of the information and that
- Must ensure service providers and contractors also correct it
- Acceptable methods for submitting requests to opt-out of sale/sharing must address the sale and sharing of personal information
- Businesses are required to confirm the request has been honored
- Businesses may display ‘Consumer Opted Out of Sale/Sharing’ or through a toggle or radio button on their website that the consumer opted out of the sale of their personal information.
Limit Use and Disclosure of Sensitive Personal Information Requests: The limitation on the use and disclosure of sensitive personal information is another new right provided by the CPRA. Businesses must:
- Provide at least two methods for exercising this right
- Comply with the request within 15 business days
- Notify service providers, contractors, and 3rd parties
- Provide a means for the consumer can confirm that their request was honored
The regulations identify seven permissible purposes for processing sensitive personal information without having to provide the right to limit. These include:
- Performing services or providing goods an average consumer would reasonably expect
- Detecting certain types of security incidents
- Ensuring the physical safety of individuals
Contracts for Service Providers and Contractors: The draft language introduces new requirements for service provider and contractor contracts that may need better alignment with the existing statutory requirements.
The purpose of contracts is to restrict service providers and contractors from processing personal information for any other purpose from those in the contract and permitted by the law. Contract language should among others include the following provisions:
- Require compliance with all applicable provisions of the CPRA
- Provide the same level of privacy protection as applicable to the businesses
- Cooperate with the business for handling consumer rights requests
- Provide reasonable data security provisions
- Notify the business within 5 business days if the service provider or contractor determines it cannot meet its obligations
- Provide the business the right to take reasonable steps to stop and remediate any unauthorized use of personal information by the service provider/contractor
- Due diligence is required for service providers and contractors processing personal information
Service providers and contractors may:
- Use and combine customer personal information “to detect data security incidents or protect against malicious, deceptive, fraudulent or illegal activity.”
- Use customer data to comply with other laws, lawful process, to defend claims, if the data is de-identified or aggregated, or does not include California personal information.
CPPA Audits and Enforcement
- The CCPA is permitted to perform audits in three situations:
- To investigate possible violations of the law
- The subject’s collection or processing activities present significant risk to consumer privacy or security
- The subject has a history of noncompliance with the law “or any other privacy protection law.”
- There are no provisions requiring consumers to file sworn complaints.
- The rules provide that there is “probable cause” of a privacy violation if “the evidence supports a reasonable belief that the CCPA has been violated.”
- The CPPA can find a violation through a probable cause hearing if it provides notice by service of process or registered mail with return receipt to the company “at least 30 days prior to the Agency’s consideration of the alleged violation.”
- Businesses have a right to an in-person proceeding only if it requests the proceeding be made public. Otherwise, the proceeding may be conducted by telephone or video closed to the public.
- Participants are limited to the company representative, legal counsel, and CPPA enforcement staff.
- The CPPA serves as prosecutor and arbiter.
- The draft rules do not define how the agency preserves its neutrality in its later role
- The CPPA then issues a written decision and notifies the company electronically or by mail
- The draft rules provide that this determination “is final and not subject to appeal.”
- Violations can result in an administrative fine of up to $2500 for each violation, and up to $7500 for each intentional violation or if the violation involves minors.
- Multiple parties involved can be held jointly and severally liable.
- There is no process to challenge judgments
Notably, this is the first draft of the regulations and they will likely evolve and be joined by other regulations in the coming weeks. California is clearly drawing a line in the sand on its stance on privacy compliance. We will continue to monitor this subject as it progresses and provide additional updates.