Finalized regulations under the amended California Consumer Privacy Act (“CCPA”) are one step closer to becoming a reality. On February 3, 2023, the California Privacy Protection Agency (the “Agency”) voted to submit its proposed regulations to the Office of Administrative Law, which is one of the last steps before the regulations become law. The Office of Administrative Law will review the proposed regulations to ensure they are clear, necessary and based on valid legal authority. Further modifications may be necessary as the draft rules move toward the finish line. Nevertheless, we expect the current version of the proposed regulations to be a good proxy for the finalized version. This is because the amended CCPA grants the Agency broad authority to formulate its own regulations, and the Office of Administrative Law proposed few substantive edits to the California Attorney General’s proposed CCPA regulations in 2020. Below we outline 7 key takeaways from the Agency’s proposed regulations if they are adopted in their current form.
- A business must avoid using dark patterns when seeking consent or offering data subject rights. U.S. regulators are increasingly using the term “dark patterns” as a catch-all for a variety of misleading, deceptive or unfair practices, but the Agency provides relatively structured guidance on how to avoid them. In particular, the regulations require a business’s methods for obtaining consent or for submitting CCPA data subject requests to be easy to understand, symmetrical in choice, straightforward, non-manipulative, and easy to execute. The regulations provide explanations and examples that help to clarify what these principles mean in practice.
- Service providers, contractors and third parties must also delete personal information in response to data subject requests. The Agency’s regulations make clear that a business that gives effect to a California resident’s request to delete personal information must also instruct its service providers and contractors to delete that personal information, and that those service providers and contractors must in turn delete it and instruct their own downstream service providers and contractors to do the same. If the business sold personal information to, or shared it with, third parties, it must also instruct those third parties to delete the personal information unless doing so would be impossible or would involve disproportionate effort. The regulations define “disproportionate effort” to mean, essentially, a situation in which the time and resources required to respond to the request would significantly outweigh the reasonably foreseeable impact on the data subject of not responding. The definition specifically states that a business, service provider, contractor or third party that has failed to implement “adequate processes and procedures” to receive and process data subject requests “cannot claim that responding” to a request would involve disproportionate effort.
- A business should carefully review the regulations when negotiating data-related provisions with other parties. The CCPA requires businesses to include certain elements in their contracts with service providers, contractors and third parties to whom they disclose personal information or de-identified information, sell personal information, or share personal information for cross-context behavioral advertising. The regulations include some examples of what these elements should entail. For example, the CCPA requires the business to reserve the contractual right to take reasonable and appropriate steps to stop and remediate the recipient’s unauthorized use of personal information. The proposed regulations indicate that a business may satisfy this requirement by obliging the recipient, when the business instructs it to comply with a data subject request, to produce documentation verifying that it has honored that request.
- The Agency has shed light on its enforcement procedures and powers. For example, the Agency appears to commit to responding to every sworn complaint regarding an alleged violation of the CCPA. The Agency has also reserved broad powers to investigate, audit and commence enforcement proceedings against persons alleged to have violated the CCPA.
Many of the underlying CCPA requirements on which the Agency’s regulations expound have been in force since January 1, 2023, so companies have had to pursue compliance despite significant uncertainty around the applicable rules. Even though one round of finalized regulations now appears imminent, companies will still have to navigate an uncertain regulatory landscape, since the Agency has signaled that it will release additional CCPA regulations in the future, including with respect to privacy and security risk assessments and automated decision-making technology.