California regulators issue draft CPRA regulations, but much uncertainty remains
On Friday, May 27, the California Privacy Protection Agency (“CPPA”) released a draft of proposed regulations for implementation of the California Privacy Rights Act (“CPRA”). The release is a welcome development for businesses looking for compliance clarity ahead to the January 1, 2023, implementation date of the CPRA.
Businesses that will be subject to the CPRA should take note of these draft regulations, while keeping in mind that substantially more rulemaking still lies ahead. First, assuming the CPRA rulemaking process resembles that of the California Consumer Privacy Act (“CCPA”) in 2019, the draft regulations will see material revisions in places once the proposed language goes through a full public review and comment phase. Second, this first tranche of proposed regulations does not fully address all of the twenty-two proposed rulemaking topics set forth in Section 1798.185(a) of the statute, or even most of those topics. Instead, several important topics were not addressed by the CPPA in this first draft. As a result, the public will need to wait for subsequent drafts in order to get a sense of the CPPA’s approach to material rulemaking topics.
Some of the more notable concepts and themes from the draft CPRA regulations include the following:
- Restrictions on collection and use of personal information (Section 7002) – Under the statute, a business’s collection, use, retention, and/or sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed. The draft regulations explain that “to be reasonably necessary and proportionate”, the business’s collection, use, retention, and/or sharing must be consistent with what an average consumer would expect when the personal information was collected. Any uses or disclosures of personal information beyond those which are reasonably necessary and proportionate would require the consumer’s explicit consent. This section includes helpful examples for businesses to consider. One example that may cause concern among businesses suggests that many sales of personal information by businesses could require the consumer’s explicit consent because sales are not reasonably necessary and proportionate to the provision of the goods or services offered by a business.
- Requirements for disclosures, communications to consumers, methods for submitting requests, and obtaining consumer consent (Sections 7003 and 7004) – For any requests for consent, any disclosures to or communications with consumers, or any methods for submitting rights requests, the verbiage and presentation of the text must be easy to understand, clear, and prominent. Requests for consent and other communications with consumers should avoid confusing language and manipulative language. The CPPA also introduced a concept of “symmetry of choice” with regard to consent requests. For instance, with regard to cookie banners used to record a consumer’s cookie preferences (e.g., to opt-out of advertising cookies), it would not be acceptable to only provide an “Accept All” option and a “More Information” option within the cookie banner. Rather, use of an “Accept All” option must be balanced with a “Decline All” option. The draft regulations also note that the opt-in field for a financial incentive program should not be defaulted to “yes”.
- Privacy policy requirements and notice at collection (Sections 7011 and 7012) – The draft regulations provide more details around the requirements for contents of a privacy policy and when the various types of parties must provide notices. These are mostly related to accounting for the new CPRA rights (e.g., right to correct personal information) and disclosures related to sensitive personal information. However, some surprising and materially new obligations were also included. For instance, when a third party controls the collection of cookie data from a first-party website (i.e., a cookie-based sale of personal information), the first-party’s privacy policy must identify all such third-party cookies by name, or provide disclosures about the third party’s data processing, such disclosures to be provided by the third party. To illustrate this point, the draft regulations include an example involving the use of an analytics cookie on a first-party website. In the example, the first-party must identify the analytics company as a “third party authorized to collect personal information” from consumers on the first-party’s website. This example is surprising because analytics cookie providers are generally likely to be service providers, not third parties, so it is unclear if this requirement extends to all analytics providers (even those who are service providers), or only to third parties in the context of a sale.
- Do Not Sell / Share opt-out links (Section 7013) – The draft regulations state that clicking on the sale/sharing opt-out link must “either have the immediate effect of opting the consumer out of the sale or sharing of personal information or lead the consumer to a webpage where the consumer can learn about and make that choice.” This may suggest that linking out to a third-party platform to effectuate cookie-based sale/sharing opt-outs (e.g., the DAA and NAI behavioral advertising opt-out tools) is inadequate. Links must be conspicuous, such as in the website footer in the same appearance as other links.
- Sensitive personal information rights and use limitation link (Section 7014) – The draft regulations provide guidelines on providing notice of the right to limit the use and sharing of sensitive personal information, as well as the “Limit the Use” link. As with the sale/sharing opt-out links, the “Limit the Use of My Sensitive Personal Information” link must be conspicuous and either immediately effectuate the request or lead the consumer to a webpage where the consumer can learn about and make that choice. A business must provide the notice of right to limit in the same manner in which it collects the sensitive information that it uses or discloses. A business does not need to provide a notice of the right to limit or a “Limit the Use of My Sensitive Personal Information” link if it only uses and discloses sensitive personal information for purposes specified in Section 7027(l) of the draft regulations and also states in its privacy policy that the business does not use or disclose sensitive personal information for any purpose other than what is specified in that section of the regulations.
- Alternative opt-out link (Section 7015) – The draft regulations provide guidelines on the option to create an alternative opt-out link to replace a separate “Do Not Sell/Share” link and “Limit the Use” link. Instead, the regulations would allow a business to offer a single, consolidated link to effectuate both of these requests, titled either “Your Privacy Choices” or “Your California Privacy Choices”.
- Requests to delete, correct, or know (Sections 7020, 7021, 7022, 7023, 7024) – The draft regulations do not propose any substantive changes to the rights submission requirements. Section 7021 unsurprisingly extends the requirement to acknowledge a request within 10 business days to also apply to the new right to correct. Section 7022 reiterates that to honor a deletion request, the business must also notify service providers and contractors to delete the records, and notify all third parties to whom the data was sold/shared to delete the information “unless impossible or involves disproportionate effort”. Section 7023 provides draft guidelines around the new right to correct. For instance, a business may deny a Request to Correct if the business determines that the contested information is “more likely than not” accurate based on the totality of the circumstances. A business may require the consumer to provide documentation of the assertion that the information is inaccurate. After correcting the information, the business must instruct its service providers and contractors to make the same updates. A business may delete the contested information as an alternative to correcting it, if deletion does not negatively impact the consumer. If a business denies a request to correct, the business shall inform the consumer, explain the basis for denial and tell the consumer that it will note (internally and externally) to any person that the information is contested by the consumer. If the business is not the source of the contested information, it shall provide the consumer with the name of the source of the information. The lookback period for requests to know is no longer limited to a 12-month lookback; this is in line with the CPRA statute.
- Opt-out preference signals (Section 7025) – There has been confusion about the need to recognize global privacy controls (“GPCs”) under California law, since the CCPA suggested that honoring GPCs was mandatory, while the CPRA statute suggested that it was optional for businesses to respond to GPCs for opt-outs of sales and sharing. The draft CPRA regulations repeatedly expressly state that recognizing GPCs is mandatory. In Section 7025 and elsewhere, the CPRA draft regulations frame a requirement for businesses to have an “opt-out preference signal” that provides “a simple and easy-to-use method by which consumers interacting with businesses online can automatically exercise their right to opt-out of sale/sharing. Through an opt-out preference signal, a consumer can opt out of sale and sharing of their personal information with all businesses they interact with online without having to make individualized requests with each business.” The draft regulations state that a business must treat as a valid sale/sharing opt-out request any opt-out preference signal that: (1) is in a format commonly used and recognized by businesses, such as an HTTP header field; and (2) the platform/mechanism makes clear to the consumer that the signal is meant to have the effect of a sale/sharing opt-out. According to the draft regulations, a business must treat the opt-out preference signal as a sale/sharing opt-out for that device or browser, as well as for the individual consumer if the consumer’s identity is known. This position is somewhat controversial, given that the CPRA statutory text seems to suggest that responding to GPCs is optional.
- Guidelines about new right to request to limit use and disclosure of sensitive personal information (Section 7027) – In addition to the draft language in Section 7014, the draft regulations also state in Section 7027 that these requests are not subject to verification requirements and must be honored within 15 business days. Section 7027(l) provides a lengthy list of certain data processing activities involving sensitive personal information that are NOT subject to the right, meaning that these activities can continue even after receipt of a request to limit the use and sharing of sensitive information. These include any processing necessary to perform the services or provide the goods reasonably expected by an average consumer, to detect security incidents, to resist illegal or malicious actions directed at the business, and to ensure the physical safety of natural persons, among others.
- Contract requirements with service providers and contractors (Sections 7050 and 7051) – The draft CPRA regulations provide extensive requirements of what a business must include in its written agreements with service providers and contractors. These contracting requirements are the same with regard to service providers and contractors alike. One item contained in the draft regulations that is not found within the CPRA statute itself is a new requirement to contractually obligate service providers and contractors to notify the business within five days if they determine that they can no longer comply with the law. Also, the draft regulations emphasize that if a business fails to enforce its contracts with service providers and contractors and does not conduct diligence on the service provider’s or contractor’s processing of the business’ personal information, or conduct audits, then the business may be deemed to have “sold” personal information to that recipient company. In other words, the CPPA is suggesting that businesses cannot simply fictionalize a service provider relationship on paper to gloss over what would otherwise be a sale.
- Contract requirements with third parties (Sections 7052 and 7053) – The draft CPRA regulations specify requirements of what a business must include in its written agreements with third parties. For instance, these agreements should state that the third party must comply with a consumer’s request to delete or opt-out of sales, if forwarded by the business, and the third party must comply with a consumer’s request to limit the use of their sensitive personal information, if forwarded by the business. Further, the contract must specify the limited and specific uses for which the third party can use the acquired personal information, without reliance on broad or undefined references to an agreement. In other words, under the draft regulations it would no longer be acceptable for a business to sell personal information as a “blank check” for whatever uses the third party wishes to make of it. Contracts with third parties would also need to require that the third party comply with the CCPA/CPRA and grant the business audit or attestation rights to confirm the third party’s compliance with the use limitations. The business must have the contractual right to, upon notice, take reasonable steps to stop and remediate a third party’s unauthorized use of personal information. Finally, for cookie-based sales on a first-party business’ website, the business must contractually require the third party to check for a consumer’s opt-out preference signal before dropping the cookies that would trigger a sale.
- Verification (Sections 7060, 7061, 7062, 7063) – There are no materially and substantively new requirements for verification.
- Investigations and complaint filing (Sections 7300, 7301) – The draft CPRA regulations describe how the CPPA can investigate and enforce the CPRA. The CPPA may investigate upon receipt of a sworn complaint filed with the agency, and the CPPA may initiate its own investigations. Section 7300 provides specific instructions and requirements for filing a consumer complaint to the CPPA.
- CPPA agency audits (Section 7304) – The draft CPRA regulations state that the CPPA may audit a business, service provider, or contractor to ensure compliance with the CCPA/CPRA. The agency may audit in three circumstances: (1) to investigate possible violations, (2) where the CPPA believes that data processing presents a significant risk to consumer privacy or security, or (3) where the subject has a history of noncompliance with privacy protection law.
Take-aways for businesses subject to the CPRA
The above-described draft regulations are incomplete and subject to materially change over the coming months. Businesses should monitor the release of more complete regulations and, in the meantime, immediately start the process of addressing broader CPRA statutory obligations and related obligations under state laws set to take effect in 2023 in Colorado, Connecticut, Utah, and Virginia.