CPRA Draft Regulations – Next Round(s)

Firm Publication

It has been a bustling fall for the California Privacy Protection Agency (CPPA or Agency). In the spirit of the upcoming holiday season, the Agency gifted us not one but two rounds of proposed modifications to the regulations (Draft Regulations) that will govern compliance and enforcement under the California Privacy Rights Act (CPRA), the statute that amends California’s landmark domestic consumer privacy legislation, the California Consumer Privacy Act (CCPA).

As we barrel toward CPRA’s effective date, January 1, 2023, the Agency insists diligent efforts remain underway to finalize the Draft Regulations. The first round of Draft Regulations introduced several noteworthy compliance considerations. Our alert concerning the initial Draft Regulations is available here. Following additional public comment periods, the Agency published proposed modifications to the Draft Regulations in October, with another set of revisions hitting late last week.

The most recent proposed modifications largely address items that an optimist could consider “final touches” such as formatting, streamlining language, and making sure citations and defined terms are consistent, and the CPPA appears to be pushing toward finalizing these long-overdue regulations as expeditiously as possible. Full text of the Draft Regulations released in October is available here and the full text of the Draft Regulations released in November is available here. Some notable potential compliance and enforcement considerations across both rounds of proposed modifications to the Draft Regulations include:

Reasonable and Proportionate Personal Information Collection (CPPA superfans GDPR)

  • While not a new requirement, proposed modifications tease out what is meant by “reasonably necessary and proportionate.” Examples provided strongly resemble examples provided by GDPR regulatory bodies and drafters. The similarity should not be surprising as the UK’s Information Commissioner’s Office “Guide to the General Data Protection Regulation” (GDPR) is included as material relied upon by the Agency in composing proposed modifications to the Draft Regulations.

Opt-Out Signals (Still?) Must be Honored

  • The Draft Regulations maintain mandatory honoring of web-based opt-out preference signals.
  • Recent proposed modifications appear to strengthen CPPA’s initial position (as to its rulemaking authority) that opt-out signals must be honored and processed as valid requests to opt out of the sale and/or sharing of personal information. Further, the Draft Regulations leverage expansive language in referring to browsers, devices, and any related consumer profiles (whether pseudonymous or relating to a consumer known to the business).
  • Notably, CPPA softened language to permissive rather than required in a few places:
    • Businesses would no longer be required to display the “status” of one’s opt-out preference signal.
    • Businesses may (but are not required to) inform consumers of any conflict between an opt-out preference signal and participation in a financial incentives program.
    • Businesses that authorize a “Third Party” (as defined in the Draft Regulations) to collect personal information through the business’s website are no longer required to contractually obligate the third party to check for and comply with a consumer’s opt-out preference signal election.

Contractors, Service Providers, and Third Parties

  • As a reminder, distinctions introduced in the statutory text of the CPRA already trigger an additional review of a business’s contractors, service providers, and third parties that may interact with a consumer’s personal information on a business’s behalf (collectively referred to in this alert as Vendors).
  • Proposed modifications underscore specific contractual requirements for each Vendor type. Throughout the Draft Regulations, various references to Vendor obligations have been streamlined to reference statutory, contractual requirements for the respective Vendor type.
  • Operationally a potential win, proposed modifications REMOVE the requirement that businesses must identify the names of Vendors that control the collection of personal information within the Notice at Collection.
  • Sephora settled with the California Attorney General (AG) earlier this year for alleged CCPA violations (announcement available here). The settlement raised eyebrows for a couple of reasons, particularly because the AG described third-party data analytics as de facto “sales.” As initially released, the Draft Regulations appeared to support the AG’s broad brush stroke on Sephora. Proposed modifications clarify that, in some instances, a data analytics Vendor may be classified as a “Service Provider” and not a “Third Party” engaging in the “sale” of personal information.

Dark Patterns Illuminated? 

  • The initial Draft Regulations attempted to demystify what constitutes a “dark pattern.” Proposed modifications removed some of the more charged verbiage, such as “manipulative language,” that might go to a business’s intent. Proposed modifications underscore the operational effect of the choice architecture and symmetrical experiences for consumers opting in or declining to opt in.  When evaluating consumer choice and consent, businesses would need to present and execute consumer options in a manner that complies with the following:
    • Easy to understand: No legal mumbo jumbo or overly technical language.
    • Symmetry in choice and choice architecture: Choices provided should be straightforward. For example, selecting to opt-out should not lead to a series of additional consumer “choices” before the selection is implemented. Additionally, choice architecture should not impair or interfere with a consumer’s ability to make a choice (e.g., requiring the consumer to opt-in to unnecessary uses of personal information to access the expected service from the business).
    • No confusing elements: Businesses would not be permitted to use things like double-negatives in presenting choices and should avoid using/placing toggles or visual elements in a confusing manner.
    • Easy execution: Businesses would not be allowed to add unnecessary burdens or “frictions” (as defined in the Draft Regulations) to the processes by which consumers exercise their choices. Notably, the “friction” concept forbids merely hyperlinking to a privacy policy for certain specific rights and/or notices. Where applicable, the link must take the consumer exactly to the mechanism or portion of the privacy policy (notice) related to the right.
  • If a business violates ANY of the above, the Draft Regulations treat such action (or inaction) as a de facto dark pattern.
  • Proposed modifications put businesses on notice that lack of intent is not a defense. Subject businesses should test choice interfaces to confirm how such interfaces would operate for the average consumer (or enthusiastic regulator).

Regulatory Audits…Because We Said So

  • The Draft Regulations (still) vest robust (and discretionary) audit rights with the Agency. The Agency may audit a business (WITH OR WITHOUT NOTICE):
    • To investigate possible violations.
    • Because the business has a history of noncompliance with CCPA or any other privacy protection law.
    • Because the Agency thinks it’s a good idea (the business’s collection or processing of personal information, in the Agency’s opinion, “presents significant risk to consumer privacy or security”).

Sensitive Personal Information is Special (Unless it Isn’t)

  • Proposed modifications reinforce and clarify that “Sensitive Personal Information” collected or processed without the purpose of inferring characteristics about a consumer is not subject to a request to limit use and disclosure.
  • Additionally, proposed modifications clarify that businesses may use Sensitive Personal Information for detecting/preventing security incidents and to improve services (so long as such use remains reasonably necessary and proportionate for such purpose).

Missing Anything?

  • Employment-Related and Business-to-Business (B2B) Personal Information:
    • Regulations specifically addressing employment-related and B2B personal information were not included. The Draft Regulations, including proposed modifications, remain silent on specific compliance challenges subject businesses face in contending with employment-related and B2B personal information.
    • California’s legislature entertained multiple bills which would have extended soon-to-expire exemptions for employment-related and B2B personal information. The California legislature adjourned without extending any such exemptions, however, and a special session to pass legislation extending these exemptions is beyond unlikely.
  • Data Protection Assessments and Cybersecurity Audits: The Draft Regulations do not provide any additional guidance on the risk assessments subject businesses must submit to the Agency regularly concerning personal information processing. The requirement to regularly submit these assessments arises even without any investigation or inquiry by the Agency. The CPRA also requires subject businesses to perform an annual “cybersecurity audit.” The Agency has not yet issued any Draft Regulations concerning this requirement.
  • Automated Decision-Making: Regulations have not yet been issued regarding consumer access and opt-out rights relating to a business’s use of automated decision-making technology (including profiling). As a reminder, subject businesses will have to provide information about the logic underlying such technologies and a description of any likely outcome specific to the requesting consumer.

The Agency appears to recognize it is a bit behind on issuing final regulations, as the proposed modifications include language allowing the Agency discretion in considering the amount of time between issuance of the regulations and the effective date as well as good faith efforts to comply in terms of investigations and/or pursuit of same.

Key Dates

  • October 28-29, 2022: CPPA Board Meeting
    • October Draft Regulations are available here.
    • Explanation of Modified Text is available here.
  • November 3, 2022: Public Notice of Proposed Modifications
    • November Draft Regulations are available here.
    • Additional Documents and Information Relied Upon are available here.
  • November 21, 2022: Written public comment period closes at 8:00 a.m.
  • January 1, 2023: CPRA Effective Date
    • Cure period for CCPA violations sunsets.
    • Broad exemption of employee/employment context data expires.
  • July 1, 2023: CPRA Enforcement Commences

Our team will continue to monitor as the CPPA issues additional draft regulations and formal rulemaking commences.  Please click here to subscribe to additional alerts.

Related Professionals
Related Services
Firm Publication

It has been a bustling fall for the California Privacy Protection Agency (CPPA or Agency). In the spirit of the upcoming holiday season, the Agency gifted us not one but two rounds of proposed modifications to the regulations (Draft Regulations) that will govern compliance and enforcement under the California Privacy Rights Act (CPRA), the statute that amends California’s landmark domestic consumer privacy legislation, the California Consumer Privacy Act (CCPA).

As we barrel toward CPRA’s effective date, January 1, 2023, the Agency insists diligent efforts remain underway to finalize the Draft Regulations. The first round of Draft Regulations introduced several noteworthy compliance considerations. Our alert concerning the initial Draft Regulations is available here. Following additional public comment periods, the Agency published proposed modifications to the Draft Regulations in October, with another set of revisions hitting late last week.

The most recent proposed modifications largely address items that an optimist could consider “final touches” such as formatting, streamlining language, and making sure citations and defined terms are consistent, and the CPPA appears to be pushing toward finalizing these long-overdue regulations as expeditiously as possible. Full text of the Draft Regulations released in October is available here and the full text of the Draft Regulations released in November is available here. Some notable potential compliance and enforcement considerations across both rounds of proposed modifications to the Draft Regulations include:

Reasonable and Proportionate Personal Information Collection (CPPA superfans GDPR)

  • While not a new requirement, proposed modifications tease out what is meant by “reasonably necessary and proportionate.” Examples provided strongly resemble examples provided by GDPR regulatory bodies and drafters. The similarity should not be surprising as the UK’s Information Commissioner’s Office “Guide to the General Data Protection Regulation” (GDPR) is included as material relied upon by the Agency in composing proposed modifications to the Draft Regulations.

Opt-Out Signals (Still?) Must be Honored

  • The Draft Regulations maintain mandatory honoring of web-based opt-out preference signals.
  • Recent proposed modifications appear to strengthen CPPA’s initial position (as to its rulemaking authority) that opt-out signals must be honored and processed as valid requests to opt out of the sale and/or sharing of personal information. Further, the Draft Regulations leverage expansive language in referring to browsers, devices, and any related consumer profiles (whether pseudonymous or relating to a consumer known to the business).
  • Notably, CPPA softened language to permissive rather than required in a few places:
    • Businesses would no longer be required to display the “status” of one’s opt-out preference signal.
    • Businesses may (but are not required to) inform consumers of any conflict between an opt-out preference signal and participation in a financial incentives program.
    • Businesses that authorize a “Third Party” (as defined in the Draft Regulations) to collect personal information through the business’s website are no longer required to contractually obligate the third party to check for and comply with a consumer’s opt-out preference signal election.

Contractors, Service Providers, and Third Parties

  • As a reminder, distinctions introduced in the statutory text of the CPRA already trigger an additional review of a business’s contractors, service providers, and third parties that may interact with a consumer’s personal information on a business’s behalf (collectively referred to in this alert as Vendors).
  • Proposed modifications underscore specific contractual requirements for each Vendor type. Throughout the Draft Regulations, various references to Vendor obligations have been streamlined to reference statutory, contractual requirements for the respective Vendor type.
  • Operationally a potential win, proposed modifications REMOVE the requirement that businesses must identify the names of Vendors that control the collection of personal information within the Notice at Collection.
  • Sephora settled with the California Attorney General (AG) earlier this year for alleged CCPA violations (announcement available here). The settlement raised eyebrows for a couple of reasons, particularly because the AG described third-party data analytics as de facto “sales.” As initially released, the Draft Regulations appeared to support the AG’s broad brush stroke on Sephora. Proposed modifications clarify that, in some instances, a data analytics Vendor may be classified as a “Service Provider” and not a “Third Party” engaging in the “sale” of personal information.

Dark Patterns Illuminated? 

  • The initial Draft Regulations attempted to demystify what constitutes a “dark pattern.” Proposed modifications removed some of the more charged verbiage, such as “manipulative language,” that might go to a business’s intent. Proposed modifications underscore the operational effect of the choice architecture and symmetrical experiences for consumers opting in or declining to opt in.  When evaluating consumer choice and consent, businesses would need to present and execute consumer options in a manner that complies with the following:
    • Easy to understand: No legal mumbo jumbo or overly technical language.
    • Symmetry in choice and choice architecture: Choices provided should be straightforward. For example, selecting to opt-out should not lead to a series of additional consumer “choices” before the selection is implemented. Additionally, choice architecture should not impair or interfere with a consumer’s ability to make a choice (e.g., requiring the consumer to opt-in to unnecessary uses of personal information to access the expected service from the business).
    • No confusing elements: Businesses would not be permitted to use things like double-negatives in presenting choices and should avoid using/placing toggles or visual elements in a confusing manner.
    • Easy execution: Businesses would not be allowed to add unnecessary burdens or “frictions” (as defined in the Draft Regulations) to the processes by which consumers exercise their choices. Notably, the “friction” concept forbids merely hyperlinking to a privacy policy for certain specific rights and/or notices. Where applicable, the link must take the consumer exactly to the mechanism or portion of the privacy policy (notice) related to the right.
  • If a business violates ANY of the above, the Draft Regulations treat such action (or inaction) as a de facto dark pattern.
  • Proposed modifications put businesses on notice that lack of intent is not a defense. Subject businesses should test choice interfaces to confirm how such interfaces would operate for the average consumer (or enthusiastic regulator).

Regulatory Audits…Because We Said So

  • The Draft Regulations (still) vest robust (and discretionary) audit rights with the Agency. The Agency may audit a business (WITH OR WITHOUT NOTICE):
    • To investigate possible violations.
    • Because the business has a history of noncompliance with CCPA or any other privacy protection law.
    • Because the Agency thinks it’s a good idea (the business’s collection or processing of personal information, in the Agency’s opinion, “presents significant risk to consumer privacy or security”).

Sensitive Personal Information is Special (Unless it Isn’t)

  • Proposed modifications reinforce and clarify that “Sensitive Personal Information” collected or processed without the purpose of inferring characteristics about a consumer is not subject to a request to limit use and disclosure.
  • Additionally, proposed modifications clarify that businesses may use Sensitive Personal Information for detecting/preventing security incidents and to improve services (so long as such use remains reasonably necessary and proportionate for such purpose).

Missing Anything?

  • Employment-Related and Business-to-Business (B2B) Personal Information:
    • Regulations specifically addressing employment-related and B2B personal information were not included. The Draft Regulations, including proposed modifications, remain silent on specific compliance challenges subject businesses face in contending with employment-related and B2B personal information.
    • California’s legislature entertained multiple bills which would have extended soon-to-expire exemptions for employment-related and B2B personal information. The California legislature adjourned without extending any such exemptions, however, and a special session to pass legislation extending these exemptions is beyond unlikely.
  • Data Protection Assessments and Cybersecurity Audits: The Draft Regulations do not provide any additional guidance on the risk assessments subject businesses must submit to the Agency regularly concerning personal information processing. The requirement to regularly submit these assessments arises even without any investigation or inquiry by the Agency. The CPRA also requires subject businesses to perform an annual “cybersecurity audit.” The Agency has not yet issued any Draft Regulations concerning this requirement.
  • Automated Decision-Making: Regulations have not yet been issued regarding consumer access and opt-out rights relating to a business’s use of automated decision-making technology (including profiling). As a reminder, subject businesses will have to provide information about the logic underlying such technologies and a description of any likely outcome specific to the requesting consumer.

The Agency appears to recognize it is a bit behind on issuing final regulations, as the proposed modifications include language allowing the Agency discretion in considering the amount of time between issuance of the regulations and the effective date as well as good faith efforts to comply in terms of investigations and/or pursuit of same.

Key Dates

  • October 28-29, 2022: CPPA Board Meeting
    • October Draft Regulations are available here.
    • Explanation of Modified Text is available here.
  • November 3, 2022: Public Notice of Proposed Modifications
    • November Draft Regulations are available here.
    • Additional Documents and Information Relied Upon are available here.
  • November 21, 2022: Written public comment period closes at 8:00 a.m.
  • January 1, 2023: CPRA Effective Date
    • Cure period for CCPA violations sunsets.
    • Broad exemption of employee/employment context data expires.
  • July 1, 2023: CPRA Enforcement Commences

Our team will continue to monitor as the CPPA issues additional draft regulations and formal rulemaking commences.  Please click here to subscribe to additional alerts.

In Case You Missed It:

  • Hüskers Dü Privacy
    April 24, 2024 | Firm Publication
  • Bob Brewer Discusses Health Provider Ransomware Attacks for Lexology Pro
    April 24, 2024 | Lexology Pro
  • Kentucky Gallops into the Privacy Race: Kentucky’s New Consumer Data Privacy Law
    April 15, 2024 | Firm Publication