Here we go again: The CPPA kicks off the formal rulemaking for the CPRA | Eversheds Sutherland (US) LLP

On July 8, 2022, the California Privacy Protection Agency (the CPPA) officially began the formal rulemaking process for the California Privacy Rights Act (CPRA). The CPPA identified three primary goals for the rulemaking:

  1. To harmonize the existing CCPA regulations with the CPRA amendments;
  2. To operationalize new rights introduced by the CPRA; and
  3. To reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.

The CPPA had already released an initial draft of the proposed amendments to the CCPA regulations back in May, which addressed some, but not all, of the rulemaking topics in the CPRA. This round of regulations excludes discussion of restrictions on automated decision-making, cybersecurity audits, and data protection risk assessments. The announcement of the initiation of the rulemaking process did, however, include an Initial Statement of Reasons, which explains the CPPA’s rationale behind each of the changes.

These proposed amendments are now open for public comment. Written comments must be submitted by August 23rd. Given that several of the proposed amendments arguably go beyond the text of the CPRA, we expect comments will focus on questions of regulatory overreach and will set the stage for potential litigation. That said, these draft regulations provide useful insights into how the CPPA will interpret the CPRA and give companies a helpful compliance steer six months before the law goes into effect.

Here are the key highlights from the proposed regulations:

  • Data Minimization and Explicit Consent for “Unexpected” Uses: The proposed regulations include a section on the new data minimization requirement, which requires businesses to collect, use, retain and/or share consumers’ personal information in a way that is “reasonably necessary and proportionate” to the original purpose for collecting it. The regulations also add a requirement that any processing be “consistent with what an average consumer would expect when the personal information was collected.” Any processing that goes beyond what the average consumer might expect requires explicit consent. This may require businesses to seek express consent for many processing practices that are currently commonplace. For example, the draft regulations state that while a cloud service provider could use consumer personal information it collects to improve the cloud storage services provided, the business “should not use” that information to develop other unrelated products or services, “such as a facial recognition service,” without the consumer’s explicit consent, because such a use is not reasonably necessary, proportionate, or compatible with the purpose of providing cloud storage services. We encourage companies to review their current processing practices to determine whether they meet the new test and, if not, to consider what might need to be done to address this new requirement.
  • Notice at Collection Requirements Apply to Both First and Third Parties: The proposed regulations clarify that more than one business may control the collection of a consumer’s personal information and thus have an obligation to provide a notice at collection. For example, a first party may allow another business to control the collection of personal information from consumers browsing the first party’s website. Both the first party that allows the third party to collect personal information via its website and the third party controlling the collection must provide a notice at collection. This addition to the regulations helps clarify the parties’ respective obligations in a “joint controller” scenario. It also underlines the importance of cookie consent banners (or “cookie doors”) to effectuate this notice at collection, delineate who controls the collection of each data element, and allow consumers meaningful control over which business they choose to engage with.
  • Non-Compliant User Interface May Be Considered a “Dark Pattern”: The proposed regulations provide insight into what user interfaces the CPPA may deem a “dark pattern.” A “dark pattern” is a user interface that has the effect of substantially subverting or impairing user autonomy, decision-making, or choice, regardless of intent. The proposed regulations set forth various requirements companies must meet when setting up user interfaces for consumers to use when exercising their rights under the CPRA and for obtaining consumer consent. For instance, the methods must be easy to understand, have symmetry in choice, avoid confusing language or interactive elements, avoid manipulative language or choice architecture, and be easy to execute. Any violation of those requirements constitutes a “dark pattern” under the proposed regulations.
  • Expanded Contracting and Due Diligence Requirements: The proposed regulations expand the contracting requirements, arguably even beyond those set out in the CPRA statute, and create new duties for businesses that disclose personal information to service providers, contractors, and third parties. For example, the proposed regulations require contracts with service providers to identify the specific business purposes and service for which personal information will be processed (akin to what the GDPR requires) and prohibit generic descriptions of such purposes, such as referencing the entire contract generally. Businesses would also have a duty to conduct due diligence on service providers, contractors, and third parties in order to take advantage of the CPRA’s liability shield for compliance failures of the service provider, contractor, or third party without the business’s knowledge. For example, the regulations suggest that a business that “never enforces the terms of the contract nor exercises its rights to audit or test the service provider’s or contractor’s systems” may not be able to claim that it does not have reason to believe the provider was in violation of the CCPA. This means that even initial due diligence and contractual protections may not be sufficient, and that continual diligence will become necessary to protect companies from CCPA liability.
  • Mandatory Recognition of Opt-Out Signals: The proposed regulations would require businesses to recognize opt-out preference signals even though the CPRA makes recognition optional. This controversial decision by the CPPA will likely be discussed at length by commenters on the regulations.
  • No Use of Cookie Banners to Submit Opt-Out Requests: In addition to the mandatory recognition of opt-out signals, the proposed regulations restrict how and where businesses may permit consumers to submit requests to opt out of the sale or sharing of their information. Most notably, the regulations draw a clear line in saying that companies cannot use their cookie banners or similar cookie consent tools as a means for consumers to submit opt-out requests. The regulations’ rationale is that cookies and cookie banners are about the “collection” of data, whereas opt-out requests are about the further sharing of data. Businesses therefore cannot bundle these distinct user controls together. Instead, companies must provide a method for submitting requests to opt out of the sale/sharing of data that “addresses the sale and sharing of personal information,” such as an opt-out preference signal paired with an interactive form accessible via a “Do Not Sell My Personal Information” link. This prohibition on bundling controls may mean that companies cannot streamline their notice at collection practices and instead will have to provide more notices, in more locations.
  • Right to Limit and Right to Correct: The proposed regulations recognize the consumer’s right to limit the use of sensitive personal information and the right to correct inaccurate personal information. The proposed regulations also would require businesses to confirm receipt of any request to delete, request to correct, or request to know submitted by a consumer. Previously, businesses were only required to confirm receipt of requests to know and requests to delete; the right to correct, and the confirmation obligation that comes with it, are new.

Businesses must comply with the regulations by January 1, 2023. Given the differences between the draft CPRA regulations and the existing CCPA regulations, businesses should begin preparing now to update their current privacy policies and procedures so that they are in compliance by that date.