California Privacy Protection Agency Issues Newly Modified Regulations on CPRA
On Monday, September 17, 2022, the California Privacy Protection Agency issued modified proposed CPRA regulations and accompanying explanations. The modified proposed regulations were influenced in part by the large volume of comments collected during the 45-day written comment period on the first round of proposed regulations, the public hearings held in August, and subsequent Agency board meetings in September. The next round of Board meetings is scheduled for October 28 and 29, when the Board will adopt or modify the 28 items called out in the draft regulations. Whether and when the regulations will be finalized is unknown, and the process is likely to follow the same path the CCPA proposed regulations did in 2020. The proposed regulations still do not completely address the new law, and further rulemaking should be expected, particularly around employee data.
General Overview of the Proposed Regulation Modifications
Collection and Use of Personal Information
The proposed regulations require that a business’s collection and processing of personal information be “reasonably necessary and proportionate” to the purpose for which it was collected. The earlier version of the regulations assessed this through the lens of a “reasonable person”. The revised language adds to this by considering three different sets of criteria:
- Can the businesses determine proportionality and necessity?
- What is the relationship between the consumer and the business?
- What type, nature, and amount of personal information does the business seek to collect or process?
- What is the source of the personal information and the business’s method for collecting or processing it?
- What is the specificity, explicitness, and prominence of disclosures to the consumer about the purpose for collecting or processing the consumer’s personal information, such as in the Notice at Collection and in the marketing materials to the consumer about the business’s good or service?
- To what degree is the involvement of service providers, contractors, third parties, or other entities in the collection or processing of personal information apparent to the consumer?
- Are disclosed purposes compatible with the context in which personal information was collected?
- At the time of collection of the personal information, what are the consumer’s reasonable expectations concerning the purpose for which the personal information will be collected or processed?
- What are the other disclosed purposes for which the business seeks to further collect or process the consumer’s personal information?
- Does a strong link exist between the consumer’s expectations that the personal information will be used to provide them with a requested service at the time of collection, and the use of the information to repair errors that impair the intended functionality of that requested service?
- Factors for determining when processing is reasonably necessary and proportionate to the purpose for which it was collected
- What is the minimum personal information that is necessary to achieve the purpose identified?
- What are the possible negative impacts on consumers posed by the business’s collection or processing of the personal information?
- What are the additional safeguards for the personal information to specifically address the possible negative impacts on consumers considered by the business?
Modifications regarding dark patterns should be read in the context of the previous regulations, which covered many of the same topics, including language on avoiding dark patterns that has now been removed from the newly proposed regulations. The Agency modified the regulations by removing a number of requirements, including:
- The example that “a choice where the ‘yes’ button is more prominent (i.e., larger in size or in a more eye-catching color) than the ‘no’ button is not symmetrical” and therefore improper.
- References to businesses not using “manipulative language” or “wording that guilts or shames the consumer into making a particular choice.”
This section had several impactful changes including:
- Notice at collection no longer needs to identify information regarding third parties that collect personal information through the business.
- Modifying the definitional treatment of analytics providers as third parties. The explanation now states that in some instances an analytics business can be a service provider rather than a third party. As the Sephora case illustrates, this will be a particularly important change if accepted.
- Deleting subsections dealing with the collection of employment-related information. The explanation states that these subsections were deleted to “conform the regulations to the law following the expiration of the” employee data exemption.
Sensitive Personal Information
The modified language around the limitations of the use of sensitive personal information clarifies that a business:
- Does not need to provide a Notice of Right to Limit or the “Limit the Use of My Sensitive Personal Information” link if the sensitive personal information does not infer characteristics about a consumer.
- May, but is not required to, display a toggle or radio button confirming that requests to limit the use of sensitive personal information, opt-out preference signals, and opt-out requests have been processed by the business.
- Can use sensitive personal information to prevent and investigate certain types of security incidents.
Opt-Out Preference Signals
The modified proposed regulations still require businesses to recognize opt-out preference signals but, as stated above, do not require businesses to display whether they have recognized the signal. Businesses may still provide this functionality if they choose.