Off to the Races: Comment Period for CPRA Proposed Regulations Begins

On Friday, July 8th, the California Privacy Protection Agency (CalPPA) began the formal rulemaking process to adopt proposed regulations to implement California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA).  The initial written comment period will end on August 23, 2022 at 5:00 pm Pacific Time.  To cap off the initial comment period, CalPPA will hold a public hearing on August 24th and 25th, during which the agency will accept oral comments and then close the first comment period.

The rulemaking process will take some time. Indeed, it is possible this initial rulemaking round will not be complete until after Thanksgiving.  Revisions to the first draft are expected through likely multiple notice and comment rounds, in addition to deliberations by the CalPPA Board in noticed public meetings. Moreover, once the agency process is complete, the Office of Administrative Law (OAL) will review the proposed regulations to ensure they are consistent with the statute.

Highlights of Proposed Regulations

In the meantime, there is much to digest. The proposed regulations are dense, spanning 66 pages, with edits and additions to almost every section of the existing CCPA regulations.  To throw another curve in the mix, the regulations have moved: they can now be found in the 7000 series of Title 11 of the California Code of Regulations; originally they were at 999.301 et seq.

The proposed regulations address both CPRA amendments to CCPA and also clarify existing CCPA regulations.  They include several real world examples informed by the California Office of the Attorney General’s (OAG) enforcement experiences over the last two years; indeed two of the most senior attorneys in charge of CCPA enforcement at the OAG—Stacey Schesser and Lisa Kim—played a significant role in drafting these regulations.

Below we highlight a selection of some of the key provisions in the draft regulations.

No regulations regarding automated decision making, cyber audits and DPIAs – yet

Some of the biggest news about the regulations is what is not included.  There is no guidance about three of the biggest issues for practical compliance implementation: (a) the automated decision making access and transparency requirements, (b) cybersecurity audits and (c) data protection impact assessments.  Board members explained at the CalPPA’s May 27th meeting that they are holding on drafting regulations about these complex matters due to resource constraints.  The agency plans to issue another round of draft regulations that cover these issues (and other issues left out of the initial rulemaking round).  Recent comments from the agency’s top staff indicates rulemaking may not begin around these issues for some time.

Privacy policies will need to be revised to include new rights and disclosures re sensitive data

As anticipated, the draft regulations include several new privacy policy requirements to reflect the new CPRA consumer rights.  Privacy policies will need to include disclosures about data retention periods, the right to correct personal information, and information about how to opt out of sharing of personal information for behavioral advertising, as well as, if applicable, how to exercise the right to limit the use of sensitive personal information.  Additionally, policies will need to include disclosures about the types of sensitive personal information collected, even if the business does not use such information in a manner that triggers consumers’ rights to limit collection.

Broader notices at collection with vague disclosure criteria

The notice at collection requirements are substantially expanded under the proposed regulations.  Notice would need to include retention periods, disclosures regarding sale/sharing/sensitive information, and the identification of third parties by name if a business “allows the third party to control the collection of personal information.”  11 CCR § 7012(e)(6).  Alternatively, the business could provide “information about the third parties’ business practices.”  Id.  Examples of such third parties include an analytics provider (“Business G”) that is allowed by a first-party business (“Business F”) to collect personal information through Business F’s website.  § 7012(g).  A “first party” is defined as the “consumer-facing business with which the consumer intends and expects to interact.” § 7001(l).

In one of the only references to employment data, the proposed regulations would require businesses “collecting employment-related information” to provide the expanded form of a notice at collection.  11 CCR § 7012(j).

Additionally, the proposed regulations would obligate “third parties that control the collection of personal information”—a new phrase in the draft—to post or provide their own notices at collection.  For example, if a third party collects personal information at a CCPA business’s retail store, the third party will have to issue their own notice at collection.

Secondary use prohibitions: Beyond the privacy policy

The proposed regulations have much to say about secondary uses and meeting consumers’ reasonable expectations about data collection and use.  A business’s collection, use, retention and/or sharing must be consistent with what an “average consumer would expect” when their personal information was collected.  A business can collect and use personal information “for other disclosed purposes,” but if those other purposes are not compatible with the average consumer’s “reasonable expectations,” privacy policy disclosures will not suffice and consent must be obtained.  11 CCR § 7002(a); Initial Statement of Reasons, p. 7-8. Section 7002 includes several examples of unrelated and unexpected uses for which opt-in consent would be required, beginning with the paradigmatic example of the flashlight app that collects location data.  Other examples of unrelated or “incompatible” uses include the sale or sharing of geolocation information by an ISP to a data broker, and the internal use of customer information by a cloud storage company to develop “unrelated [to the purpose for collection] or unexpected new products or services” such as a facial recognition service.  11 CCR § 7002(b).  Notably, the regulations are silent as to whether serving advertisements to a consumer is a “related” or “expected” use of consumers’ data.

Opt-out requests: symmetry of choice and no cookie banners or confusing toggles

The proposed regulations require opt out notices to be more streamlined: “the path for a consumer to exercise a more privacy-protective option shall not be longer than the path to exercise a less privacy-protective option.”  11 CCR § 7004(a)(2).  In what appears to be a critique of products widely used by many US businesses today, the regulations reject banners that allow consumers to “accept all” with one click, but require the consumer to click on other windows or words, such as “preferences” or “more information” where they have to take additional steps to opt out (e.g., separately opting out of analytics cookies and advertising cookies).  The draft regulations reject the use of cookie banners or cookie controls as an opt-out method, and prohibit use of toggles that fail to clearly indicate what a consumer is selecting.

Global privacy control – “technical specifications” largely absent, all must observe it, and many will likely need technical assistance

The draft regulations include a lengthy section about the global privacy control (which it has re-named the “opt-out preference signal”).  The regulations also appear to fail to comply with CPRA’s instruction that CalPPA develop “technical specifications” for such a signal.  The only “specifications” described are that the signal be “commonly used and recognized by businesses” such as an HTTP header signal, and that the tool or mechanism “make clear to the consumer” that it opts them out of sale and sharing.  We expect there to be significant comment on this topic with calls to define and develop the technical specifications called for my the law.

Additionally, the regulations make clear that businesses must always observe opt-out preference signals, despite the fact that many commentators—including CPRA author Alistair Mactaggart’s Californians for Privacy website—understood CPRA as giving businesses a choice in the matter: either provide links to opt out (as is required under CCPA) or observe the opt-out preference signal.  Indeed, in comments to the CalPPA Board, California Deputy AG Lisa Kim stated to the Board that their interpretation of CPRA’s requirements on the opt-out preference signal was wrong.  Ultimately, if the CalPPA does not change this provision, we expect this issue will need to be addressed directly by the OAL.

The proposed regulations impose significant obligations on businesses with respect to the opt-out signal such that many businesses will need to engage third parties to meet these obligations.  For example, businesses will need to detect the opt-out signal, opt the user out of third-party advertising cookies and, if that same user is logged in to her account, associate her with the opt-out signal and apply the opt-out to all of the user’s activities within the business, including any offline sales or sharing.  11 CCR §7025(c)(7)(B). Additionally, the proposed regulations would require a business to display whether it has, in fact, processed the consumer’s opt-out signal. 11 CCR § 7025(c)(6).

Service provider contracts – expected new provisions and unexpected oversight obligations

It is no surprise that the proposed regulations include expanded requirements for service provider contracts and clarify that such contractual clauses be included in other contracts (e.g., for “contractors”) as well.  The proposed regulations generally repeat the statute’s requirements for service providers, contractors and third parties, with some slight variations.

What was more of a surprise is the inclusion of what, for all purposes and intents, appears to be a new obligation for businesses to audit or test the compliance of service providers, contractors and third parties with CCPA.  Cal. Civ. Code § 1798.145(i) (as amended by CPRA);11 CCR § 7051(e). If a business does not have any “reason to believe” that its service provider, contractor or third party intends to violate CCPA, it is not liable under the statute for any violations of the statute by those parties.  Cal. Civ. Code § 1798.145(i).  However, under the new proposed regulations, a business cannot escape liability by simply stating it did not have a “reason to believe” the service provider, contractor or third party would violate the law if the business never exercised its audit rights or tested the relevant third party systems.  11 CCR § 7051(e).

Responding to data subject requests – no time limitation and downstream obligations

The proposed regulations add potentially significant new obligations for businesses in relation to data subject requests.  These include responding to “right to know” requests with information collected on or after January 1, 2022 with no 12-month lookback limitation.  Additionally, claims of disproportionate effort as a basis to reject a data subject request must be accompanied by a “detailed explanation” of the alleged burden.  Moreover, businesses would be required to notify third party purchasers or recipients of personal information about opt-out and deletion requests and require the third party purchasers or recipients to comply with such requests unless it proves “impossible or involves disproportionate effort.”

Limitations on use of sensitive personal information are subject to multiple exceptions

The proposed regulations appear to hew closely to the text of CPRA and provide that the right to limit the use of sensitive personal information exists only with respect to certain uses of such data (e.g., when it is used for profiling).  Some commentators previously speculated that the regulations would go beyond the text of CPRA and give consumers the right to limit all uses of sensitive personal information.  That regulatory overreach did not yet materialize.

What’s Next ?

As noted at the outset, we expect to see these proposed regulations finalized late in the year, with at least a few additional iterations. But in the meantime, these draft regulations provide plenty topics ripe for comment in the rulemaking process, and companies may wish to start preparing for what may be a significant implementation project.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.