In advance of its June 8 public board meeting, the California Privacy Protection Agency (“CPPA”) has released draft regulations intended to implement and interpret new requirements under the California Privacy Rights Act (“CPRA”). In addition to codifying the new obligations under the CPRA (e.g., the right to correct, right to opt out of “sharing”), the Draft Regs include helpful illustrative examples and also provide details regarding certain new obligations, which we’ve summarized below.
- Service Provider agreement requirements. The Service Provider agreement requirements in the Draft Regs do not align with the requirements in the statutory text of CPRA. If this remains unchanged throughout the regulatory process, businesses will need to consult both texts when drafting service provider agreements.
- New “disproportionate effort” definition. In the context of responding to consumer requests, the Draft Regs state that a “disproportionate effort” might be involved when the personal information (PI) that is the subject of the request is not in a searchable or readily-accessible format, is maintained only for legal or compliance purposes, is not sold or used for any commercial purpose, and would not impact the consumer in any material manner.
- Consumer consent and dark patterns. The Draft Regs provide extensive requirements for obtaining consumer consent and state that methods that do not follow provided requirements are dark patterns. One key theme expressed throughout this section of the Draft Regs is symmetry – ensuring that the method for consumers to opt-in is presented equally and in the same manner as the method for consumers to opt-out or say “No.”
- Right to correct. Within the new right to correct, the Draft Regs state that businesses that correct PI must also implement measures to ensure that (1) the information stays corrected, and (2) that service providers and contractors correct the PI as well.
- New (broader) look-back period for requests to know. In response to requests to know, businesses must by default provide consumers with all their PI dating back to January 1, 2022. This is potentially problematic because it contradicts the requirement under CPRA’s text which states that a business is only required to provide PI from the prior 12 months unless otherwise expressly requested by the consumer.
- Honoring opt-out signals is mandatory. The Draft Regs state that businesses must recognize Do Not Sell or Share (DNS) opt-out preference signals despite the CPRA’s text stating that recognition is optional. However, the Draft Regs do not clarify what constitutes a valid opt-out preference signal, and do not mention the Global Privacy Control (GPC) (which is an opt-out preference signal previously supported by the California Attorney General).
- Notice at collection – distinction between first parties and third parties. The Draft Regs create new requirements around first party and third party data collectors, and require both to provide a notice at collection.
- Broad CPPA audit rights. The Draft Regs permit the CPPA to perform audits in three situations: (1) to investigate possible violations of the law, (2) if the subject’s collection or processing activities present significant risk to consumer privacy or security, and (3) if the subject has a history of noncompliance with the CCPA or any other privacy protection law.
The timeframe for publication of a final version of the Draft Regs is currently unclear. To date, the CPPA has not issued a Notice of Proposed Rulemaking to start the formal rulemaking process, but many anticipate that the June 8th CPPA board meeting will provide details on the expected timing for completion of the rulemaking process. The draft CPRA regulations are available here. If you have any questions about these draft regulations or any other privacy law, please do not hesitate to reach out to one of the Contacts listed below.