This week, the California Privacy Protection Agency (“CPPA”) released modified proposed regulations (“Modified Regulations”) for compliance with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), and an explanation of the proposed changes, ahead of its upcoming Board Meetings. It is expected that the CPPA will discuss, and possibly adopt or modify further, the Modified Regulations during the CPPA Board Meetings which are scheduled for October 21-22 and October 28-29, 2022.
The Modified Regulations supplement, and in some cases change, the initial proposed regulations, which were issued on May 27, 2022. The CPPA commenced the formal rulemaking process to adopt these initial proposed regulations on July 8, 2022, and the 45-day public comment period closed on August 23, 2022. The Modified Regulations were issued in response to issues raised at two public hearings in August 2022 and the more than 1,000 pages of written comments.
Once the Modified Regulations are approved by the CPPA, a new public comment period will begin, which may range from 15 days for small changes to 45 days for major changes. It is also possible that the CPPA does not approve all or part of the Modified Regulations, which would further delay the rulemaking process, further complicating companies’ compliance efforts with the CPRA, which is due to come into effect on January 1, 2023. Additionally, the Modified Regulations do not address many of the complex issues in the law, including automated decision-making technology and profiling, the treatment of employment data, and cybersecurity standards; it is anticipated that more proposed regulations are forthcoming in these areas. Additionally, since these are proposed regulations, we can also expect that content in the Modified Regulations may be modified or removed upon approval at the Board Meetings.
Key highlights from the Modified Regulations include:
- Clarification that businesses are not required to provide consumers notice of the right to limit the use of sensitive personal information if it is, among others, not collected for the purpose of inferring characteristics about the consumer (11 CCR §§ 7014, 7027). The Modified Regulations provide examples where sensitive personal information may be collected but not used to infer characteristics about a consumer, such as when a business allows consumers to search for sensitive content on their website without any additional data. The Modified Regulations also provide additional purposes for which businesses may process sensitive personal information without being required to offer consumers a right to limit its collection, use and disclosure, including to prevent and investigate certain security incidents (11 CCR § 7027).
- Clarification around data minimization, specifically that the collection, use, retention, or sharing of consumers’ personal information must be reasonably necessary and proportionate to achieve the purposes for which it was collected or processed or another disclosed purpose. Like the initial regulations, the purpose(s) for which personal information is collected or processed must be consistent with the “reasonable expectations of the consumer”; however, the Modified Regulations provide factors to consider in making this determination, including the relationship between the consumer and business, the type and amount of personal information being collected, the specificity and prominence of disclosures, and the degree of involvement of service providers and third parties (11 CCR § 7002). This revision operationalizes the data minimization principles in CPRA § 1798.100(c).
- Elimination of the requirement for businesses to disclose the names of or information about third parties who control the collection of consumer personal information on their behalf in their Notice at Collection. The Modified Regulations also permit first and third party collectors of personal information on a website to provide a single Privacy Notice at Collection that includes information on their collective information practices (11 CCR § 7012). The Modified Regulations also clarify that third parties are required to treat any personal information received from a business in the manner required by the business under the CCPA (11 CCR § 7052).
- Clarification around consumer consent, as defined in the state’s Civil Code, specifically noting that different user interfaces, as well as verbiage choices such as double negative, may impair or interfere with consumers’ choices (11 CCR § 7004). This clarification, along with revisions to 11 CCR § 7009, emphasize the CPPA’s focus on curbing dark patterns in information practices.
- While the requirement that businesses recognize opt-out signals has been preserved, businesses are no longer required to display a confirmation that they received, processed, and/or honored a consumer’s opt-out request.
- Clarification that a vendor does not qualify as a service provider or contractor unless there is a written agreement in place. The Modified Regulations also clarify the provisions that must be included in an agreement with a service provider or contractor. The Modified Regulations also specify that service providers and contractors may be permitted to use personal information for permitted business purposes, even if this is not specifically addressed in the agreement (11 CCR § 7050). However, the definition of “business purpose” has not been further clarified.
- Clarification around the treatment of vendors who service non-profits or other entities not covered by the CCPA/CPRA. In such cases, if the vendor qualifies as a business under the CCPA/CPRA and makes use of any personal information collected for its own purposes (i.e., to improve products or services) from non-profits or non-covered entities, the vendor must still comply with the CCPA/CPRA (11 CCR § 7050).
- Continued debate around data analytics providers. The Modified Regulations clarify that an analytics business may be a third party or a service provider, depending on the nature of the services (11 CCR § 7050). However, the Modified Regulations also clarify that a person who contracts with a business to provide cross-contextual behavioral advertising cannot be a contractor or a service provider, but rather a third party with respect to these services. Generally, the examples of alleged noncompliance published by the Attorney General’s Office still suggest data analytics providers are third parties in most cases and sharing of data with such a provider is a sale, but the AG’s office has acknowledged that each inquiry “requires a fact-specific determination.”
As noted in previous posts, companies should continue to prepare for these changes in California, as well as other state privacy laws changes on the horizon, even though the Modified Regulations demonstrate that it may be some time before the final guidance is issued. If you have any questions about this enforcement action or any other privacy law, please do not hesitate to reach out to one of the contacts listed below.