CPPA Approves Draft CPRA Regulations To Begin Formal Rulemaking Process
The California Privacy Protection Agency (CPPA) quietly issued the first draft of the California Privacy Rights Act (CPRA) regulations and an Initial Statement of Reasons by attaching them to the June 8 board meeting notice. These are draft regulations, meaning they are likely to be subject to extensive public comment and modification before they become final. While the draft regulations provide important guidance on many of the CPRA's significant provisions, they do not address every topic on which the CPRA directed the CPPA to adopt regulations. The CPPA omitted topics such as cybersecurity audits, risk assessments, and automated decision-making technology from the draft regulations, leaving these for later rulemaking.
While several CPRA requirements are missing from the draft regulations, the CPPA did address numerous requirements on which many have been eagerly awaiting guidance, such as the mandate to recognize opt-out preference signals and the rules for data processing agreements. Although the draft regulations are subject to considerable change over the next several months, businesses should review them carefully, because they reflect the CPPA's thinking on these topics, and should start planning updates to business processes, procedures, and contracts. It is clear from these draft regulations that the CPRA will increase the cost of doing business in California.
At the June 8 meeting, the board moved to approve the draft regulatory text to begin the formal rulemaking process and public comment period. The motion authorizes the Executive Director to take all steps necessary to initiate rulemaking by submitting the Notice of Proposed Rulemaking Action and the Initial Statement of Reasons to the Office of Administrative Law, after which they will be published on the CPPA's website and in the California Regulatory Notice Register. This will start the public comment period and allow the board to make non-substantive changes to the proposed text. The board will hold additional meetings to discuss public comments and make further decisions about the draft regulations. We will provide updates once the rulemaking process and public comment period officially begin.
Summary of Key Takeaways From Draft Regulations:
The draft regulations update the existing CCPA regulations to harmonize them with the CPRA, operationalize the new rights and concepts the CPRA introduces, and consolidate requirements so that they are easier to follow and understand. A high-level summary of the draft regulations is provided below.
1. Restrictions on Collection and Use of Personal Information
The draft regulations require that a business' collection, use, retention, and sharing of consumers' personal information be "reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed" and "consistent with what an average consumer would expect when the personal information was collected." Explicit consumer consent is required for any collection, use, retention, or sharing that is unrelated to or incompatible with that purpose. The draft regulations provide four illustrative examples that businesses will no doubt analyze very carefully when deciding whether a desired collection or use of personal information fits within the CPRA's parameters. One example provides that a mobile flashlight application should not collect geolocation data without explicit consumer consent, because collecting such data is not within the reasonable expectations of an average consumer and is not "reasonably necessary and proportionate to achieve the purpose" of providing a flashlight.
2. Avoiding Dark Patterns in Obtaining Consumer Consent
The draft regulations lay out specific requirements for obtaining consumer consent, such that the presentation of privacy choices should be user-friendly and avoid so-called “dark patterns.” To obtain consent, businesses must:
- Use methods and language that are easy for consumers to read and understand;
- Provide symmetry in choice (exercising a privacy-protective option should not take more work than exercising a less protective option);
- Avoid confusing language or interactive elements (e.g., confusing toggle buttons);
- Avoid manipulative language or choice architecture, such as language that guilts or shames the consumer into making a particular choice (e.g., “No, I like paying full price”); and
- Use easy-to-execute methods.
Methods that do not comply with these requirements may be considered “dark patterns” and deemed not to constitute consumer consent.
3. Privacy Notices at or Before the Collection of Personal Information
The CPRA requires businesses to provide a privacy notice at or before the time they collect personal information. Businesses need to disclose the categories of personal information collected, the purpose for which the personal information is used, and whether that information is sold or shared. Consistent with the new definition of “sensitive personal information” under the CPRA, the draft regulations add to the existing requirements by requiring businesses to include categories of sensitive personal information, whether that sensitive information is sold or shared, and the length of time the business intends to retain each category of personal information.
The draft regulations also require both first-party and third-party data collectors to provide notice at collection, recognizing that more than one business may control the collection of a consumer's personal information. If a business allows a third party to control the collection of personal information, its notice at collection must include the names of all third parties that the business allows to collect consumers' personal information. For example, a business that allows an analytics service to collect consumers' personal information through its website must identify the analytics service as a third party authorized to collect personal information from the consumer, or include information about the analytics service's information practices on the introductory page of its website and on all webpages where personal information is collected. The analytics service, in turn, must provide a notice at collection on its own homepage.
The same applies offline. Where a third party controls the collection of personal information at a physical location, such as a retail store, a notice at collection must also be provided at that location. For example, a coffee shop that allows a Wi-Fi service to collect personal information on the coffee shop's premises must post signage at the store entrance or at the point of sale directing consumers to where the notice at collection can be found online, and that notice must identify the Wi-Fi service as a third party authorized to collect personal information. The Wi-Fi service must post its own notice at collection on the first webpage or other interface consumers see before connecting to the Wi-Fi service.
However, the draft regulations address only businesses that control the collection and use of personal information; they impose no notice-at-collection requirement on service providers or contractors. Because those entities must be bound by contract to limit their collection and use of personal information to what benefits the business and what the business discloses in its own privacy disclosures, a separate disclosure by service providers and contractors should not be necessary.
4. Privacy Policies
The draft regulations define a "privacy policy" as the larger privacy disclosure that lets consumers understand the details of how a business collects and processes their personal information; it may sometimes be combined with the notice at or before the time of collection. Businesses should review their privacy policies for compliance with the CPRA and the draft regulations, which call for:
- A comprehensive description of how the business collects, uses, sells, shares, and retains personal information,
- An explanation of consumer rights under the CPRA, such as the right to delete, correct, and opt-out of the sale or sharing of their personal information,
- An explanation of how consumers can exercise their rights under the CPRA, such as how opt-out signals are processed,
- Date the privacy policy was last updated, and
- Consumer request metrics, for businesses subject to the data reporting requirement.
5. Opt-Out of Sale/Sharing and Preference Signals
The draft regulations clarify how to comply with requests to opt out of sale/sharing and make honoring opt-out preference signals mandatory, even though the CPRA statute treats global opt-out signals as optional, and even where a business provides separate links for consumers to opt out of the sale and sharing of personal information. An opt-out preference signal is a signal sent by a platform, technology, or mechanism (including an operating system or a browser) on behalf of a consumer that communicates the consumer's choice to opt out of the sale and sharing of personal information. It lets a consumer opt out with every business they interact with online instead of making an individual request to each business. The draft regulations detail how businesses must comply with such signals, but they do not formally recognize the Global Privacy Control and do not provide conclusive technical specifications for the signals, so the requirements for handling them are likely to draw comments and requests for clarification during the public comment period.
The draft regulations also introduce the term "frictionless manner," which may allow businesses to avoid certain opt-out requirements. A business that processes opt-out preference signals such as the Global Privacy Control in a "frictionless manner" need not provide the "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links on its website. Processing signals in a frictionless manner means the business cannot charge a fee, require any valuable consideration, change the consumer's experience with the product or service offered, or display a pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal. Introducing the term "frictionless manner" may discourage consumers from exercising their privacy rights and result in clunky websites for consumers who use Global Privacy Control signals. However, the draft regulations indicate that the frictionless standard will likely apply only to businesses that track consumers' browsing for advertising, not to those that sell consumers' data offline.
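The following block shows what "checking for and honoring an opt-out preference signal in a frictionless manner" looks like at the web-server level. It is an added example, not code from this post, from the CPPA, or from any regulation. Because the draft regulations name no specific signal and fix no wire format, the block assumes the published Global Privacy Control (GPC) specification: a participating browser sends the request header `Sec-GPC: 1`, and a site can announce that it honors the signal at `/.well-known/gpc.json`. The consent record, the ad tag URL, and the `handleRequest` shape are hypothetical placeholders chosen so the logic runs without an HTTP server.

```javascript
// Added example (not from the original post or the CPPA). Assumes the GPC
// specification: request header "Sec-GPC: 1" signals an opt-out, and
// /.well-known/gpc.json lets a site state that it honors the signal.

// Header names are case-insensitive. Node lowercases them; other frameworks
// may not, and some hand back an array for repeated headers.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value[0] : value;
    }
  }
  return undefined;
}

// GPC defines exactly one opt-out value: the field value "1". Anything else
// ("0", "true", "yes", an empty string, or no header at all) is not an
// opt-out, so checking for mere presence of the header would over-report.
function hasGpcOptOut(headers) {
  const value = getHeader(headers, "Sec-GPC");
  return typeof value === "string" && value.trim() === "1";
}

// Decide what this request may do. `consentRecord` is a hypothetical stand-in
// for what the business already knows about the consumer ({ optedOut: bool }).
function decideProcessing(headers, consentRecord = {}) {
  const signalled = hasGpcOptOut(headers);
  const optedOut = signalled || consentRecord.optedOut === true;
  return {
    // Sale/sharing tags (e.g. a third-party ad pixel) may load only if the
    // consumer has not opted out by signal or by an earlier request.
    loadSaleSharingTags: !optedOut,
    // A newly seen signal is recorded as an opt-out request so it persists
    // beyond this one request and can be passed on to third parties.
    recordOptOutRequest: signalled && consentRecord.optedOut !== true,
    // Frictionless: nothing is rendered in response to the signal. No banner,
    // interstitial, or "are you sure?" prompt, and no change to the page.
    showInterstitial: false,
  };
}

// Body of /.well-known/gpc.json. `lastUpdate` is the ISO 8601 date on which
// the statement was last reviewed (here the June 8 board meeting date, as a
// constructed value).
const GPC_STATEMENT_DATE = "2022-06-08";
function gpcWellKnownDocument(lastUpdate = GPC_STATEMENT_DATE) {
  return { gpc: true, lastUpdate };
}

// Framework-agnostic handler: returns status, headers, and body instead of
// writing to a socket, so the whole flow can be exercised in a unit test.
// `req` is { url, headers }; `consentRecord` as in decideProcessing.
function handleRequest(req, consentRecord = {}) {
  if (req.url === "/.well-known/gpc.json") {
    return {
      status: 200,
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(gpcWellKnownDocument()),
    };
  }
  const decision = decideProcessing(req.headers, consentRecord);
  // Constructed page body; the (hypothetical) ad tag is emitted only when
  // sale/sharing is permitted. Nothing else about the page changes.
  const adTag = decision.loadSaleSharingTags
    ? '<script src="https://ads.example/pixel.js"></script>'
    : "";
  return {
    status: 200,
    headers: { "Content-Type": "text/html" },
    body: `<html><body>Hello${adTag}</body></html>`,
    decision,
  };
}
```

The strict `=== "1"` comparison is deliberate: a business that treats any `Sec-GPC` header as an opt-out will suppress sharing for browsers that send `Sec-GPC: 0`, while one that checks for a truthy string would also accept values the specification does not define. Recording the signal server-side (rather than only reacting per request) is what makes it possible to notify the third parties with which the business has been sharing, as the draft regulations require.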
The draft regulations also state that a cookie banner alone is insufficient to meet the opt-out requirements and require businesses to provide two or more methods for consumers to submit opt-out requests. Businesses that rely on cookie banners should therefore review their websites to ensure compliance.
Instead of providing both a "Do Not Sell or Share My Personal Information" link and a "Limit the Use of My Sensitive Personal Information" link, businesses may use a single alternative link through which consumers can exercise both opt-out rights. A business may title the alternative opt-out link "Your Privacy Choices" or "Your California Privacy Choices" and must place the opt-out icon specified in the earlier CCPA regulations to the right or left of the title. The alternative link must direct the consumer to a webpage that describes the consumer's right to opt out of sale/sharing and right to limit, and that provides the interactive form or mechanism through which the consumer can submit such a request. Small businesses may welcome this alternative, because they will not have to invest in the technology to build an interactive opt-out request button on their websites. The "Your Privacy Choices" option also aligns with other state law requirements and helps businesses avoid a confusing proliferation of links on their websites.
The draft regulations give examples of how businesses should present the notice of the right to opt out of sale/sharing differently depending on how they collect data, so that collection and opt-out methods are consistent, e.g., in a brick-and-mortar store, over the phone, through a connected device, or through augmented or virtual reality. The draft regulations further clarify that a business that receives an opt-out request must notify third parties to stop selling or sharing the consumer's information. This is a higher burden than the CCPA or the CPRA statute currently imposes, and it forces businesses to work out with their third parties how such opt-out requests will be honored in practice.
6. Right to Limit Use and Disclosure of Sensitive Personal Information
The draft regulations operationalize the right to limit the use and disclosure of sensitive personal information by establishing the rules and procedures businesses must follow regarding the submission and handling of requests to limit. Overall, this regulation attempts to balance the burden of compliance by businesses with consumers’ interest in protecting their sensitive personal information.
A business must provide at least two designated methods for submitting requests to limit. At least one method must "reflect" how the business "primarily interacts with the consumer." For example, a business that collects sensitive personal information from consumers online should allow consumers to submit requests to limit through an interactive form reachable from the "Limit the Use of My Sensitive Personal Information" link, the alternative opt-out link, or the privacy policy. As with requests to opt out of sale/sharing, a cookie notification or tool, such as a cookie banner or cookie controls, is insufficient as a method for submitting requests to limit. A business has 15 days to comply with the request, which includes notifying its service providers, contractors, and third parties.
The draft regulations set forth seven instances in which a business may use or disclose sensitive personal information without offering a right to limit the use and disclosure of such sensitive personal information, e.g., to perform services or provide goods reasonably expected by an average consumer. For example, a consumer’s geolocation may be used by a mobile application that provides navigational services to a consumer. However, a consumer’s geolocation may not be used by a gaming application where an average consumer would not expect the application to require their geolocation data. This draft regulation recognizes that using or disclosing sensitive personal information is sometimes necessary for a business to carry out its operations.
7. Requests to Correct
The draft regulations devote significant space to the request to correct, which is a new right under the CPRA. If a business receives a request to correct and determines that the consumer’s personal information is inaccurate based on the “totality of the circumstances relating to the contested personal information,” it must ensure that the information is corrected in both its own systems and in the systems of any service providers or contractors that maintain personal information on its behalf. When a business corrects information, it has an obligation to ensure it remains corrected (e.g., ensure it is not overridden by incorrect information restored from a backup or subsequently received from an information broker). Further, if the business is not the source of the inaccurate information, the business must process the consumer’s request and provide the consumer with the name of the source from which the business received the inaccurate information.
The consumer may also request that the business disclose all specific pieces of personal information that the business maintains and has collected about the consumer to allow the consumer to confirm that the business has corrected the inaccurate information.
8. Data Processing Agreements
The draft regulations add to the CPRA statute’s already granular contracting requirements and create new duties for businesses that disclose personal information to service providers, contractors, and third parties. For example, the draft regulations now prescribe a new, five-day time period in which a service provider, contractor, or third party must notify the business if they determine they can no longer comply with the CPRA’s requirements.
The draft regulations also require contracts with service providers and contractors to identify the specific business purposes and services for which personal information will be processed, and prohibit generic descriptions of those purposes, such as a general reference to the entire contract. Contracts with third parties carry a similar requirement. As a result, businesses will not be able to apply generic provisions across what is sometimes thousands of vendors, and vendors must likewise be specific in their contract templates about the business purposes and services involved. The practice of papering relationships with a one-size-fits-all template therefore is unlikely to be sufficient in the eyes of the CPPA.
Notably, the draft regulations state that failure to meet these prescriptive requirements means the recipient is not a service provider or contractor under the CCPA. A business' disclosure of personal information to such a person may therefore be a sale or sharing, for which the business must give the consumer the right to opt out. While this has been understood for some time, the express statement reemphasizes the importance of including the relevant language in your contracts. In addition, the draft regulations state that a third party without a compliant contract "shall not collect, use, process, retain, sell, or share the personal information received from the business." These requirements are likely to add significant friction to contract negotiations between businesses and their service providers and third parties, as a single mistake in meeting the draft regulations' requirements risks defeating the purpose of the contract and exposing both parties to unexpected liability.
The draft regulations add affirmative contractual obligations on third parties. For instance, where a business authorizes a third party to collect personal information from a consumer through its website, either on behalf of the business or for the third party’s own purposes, the business must contractually require the third party to check for and comply with a consumer’s opt-out preference signal received from a first party’s website, unless the business indicates that the consumer has consented to the sale or sharing of their personal information.
The draft regulations also clarify that a person who contracts with a business to provide cross-context behavioral advertising is a third party, not a service provider or contractor. That transfer is therefore a "share" and subject to the right to opt out of sharing. For example, a social media company may provide non-personalized advertising services based on aggregate or demographic information. However, a social media company cannot use a list of customer email addresses provided by a business to identify users on its platform and serve advertisements to them. This appears to respond to some social media platforms' use of matched audiences. Although the draft regulations attempt to crack down on matched audiences, there is implicit support for the advertising industry in the provision allowing a third party to become a service provider after receiving an opt-out request if it complies with the obligations of a service provider, an approach that tracks the Limited Service Provider Agreement issued by the IAB.
Finally, the draft regulations suggest that businesses have to conduct due diligence on service providers, contractors, and third parties to take advantage of the CPRA statute’s liability shield for compliance failures of the service provider, contractor, or third party without the business’s knowledge. A business that does not audit or test its service provider’s, contractor’s, or third party’s systems may not be able to claim it did not have reason to believe the service provider, contractor, or third party intended to use personal information in violation of the CCPA and these regulations.
For more information on the draft regulations and their potential impact on your business, please contact one of the authors or a partner or senior counsel member of Foley’s Cybersecurity and Privacy Team.
The authors gratefully acknowledge the contribution of Lauren Hudon, a rising 2L law student, Marquette University Law School, and summer clerk at Foley & Lardner LLP.