In brief
The California Privacy Rights Act of 2020 (CPRA) amended the California Consumer Privacy Act of 2018 (CCPA), with most changes taking effect on 1 January 2023 and a twelve-month look-back. Limited exceptions concerning the personal data of employees and business contacts will expire. The new California Privacy Protection Agency (CPPA) has published draft regulations that will, once finalized, expand on the rules in the statute and the existing regulations from the California Attorney General. The CPPA is conducting hearings on 24 and 25 August 2022 to solicit input on the draft regulations from the public and may make further changes to them. But with the CPPA’s attention partially focused on the draft American Data Privacy and Protection Act and its possible preemptive effect on California privacy laws, it is unclear whether the CPPA will finalize the regulations before the CPRA amendments to the CCPA take effect. In the current draft of the regulations, the CPPA does not yet address all of the topics and issues mandated by the CPRA, so we expect further draft regulations to come. Despite the fluid situation, companies should take steps now to prepare before 1 January 2023.
Continue updating contracts
Many companies are still working on updating their contracts to account for the European Union’s standard contractual clauses from 2021 (EU SCCs). The amended CCPA will, and the CPPA’s draft regulations would, impose new and different data protection requirements in contracts among parties that disclose personal information among themselves. Companies should standardize the legal terms as much as possible and have a consolidated set of data protection standards that they would be willing to agree to as customers or service providers. Just as the EU SCCs do, the CPPA’s draft regulations require specifics. Under the draft regulations, the business purpose or service for which the service provider, contractor, or third party is processing personal information may not be described in generic terms, such as by referencing the entire commercial contract generally. To manage the contracting process, companies should consider separating out the mandatory legal terms under the CCPA and the factual descriptions of the particular relationship (similar to the factual annexes that are populated in the EU SCCs). Also, companies need to establish efficient processes to update vendor and customer contracts without protracted negotiations and elaborate signature procedures, including by agreeing on notice and object mechanisms concerning changes mandated by law, standardized terms (see article on Standardizing Data Processing Agreements Globally) and electronic signatures (see article on Electronic Form Over Substance: eSignature Laws Need Upgrades). Contracting parties can align their interests on data processing agreements, which they must update frequently as laws change, by separating those data processing terms that satisfy compliance requirements from commercial terms, which allocate risks and liabilities and determine the framework for dispute resolution and laws governing disputes between the contracting parties (and which cannot be unilaterally updated by one party).
Prepare for customer privacy audits
Companies often spend time on lengthy negotiations of what audit rights should be included in data processing agreements even though such rights are rarely exercised in practice. But under the draft regulations, whether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and its regulations. Simple contract terms for audit rights probably still make sense for many companies, but companies should prepare internally for the possibility that customers will enforce contract terms or exercise rights to audit or test systems.
Update and document data subject request program
The draft regulations elucidate how businesses must respond to requests from California residents to exercise their rights under the amended CCPA, including to know, access, port, delete and correct personal information, to limit the processing of sensitive personal information, to opt-out of the “selling” and “sharing” of their personal information, and to withdraw from financial incentive programs. Businesses should examine which of these rights apply to them and how. For example, if a business does not use personal information for any purposes other than those listed at subsection 7027(l) of the draft regulations, it does not have to offer a “Limit the Use of My Sensitive Personal Information” link. Businesses should then implement required technical controls to respond to requests (including the capacity to respond to opt-out preference signals) and protocols that provide clear guidance to personnel on how to respond to written requests.
The draft regulations also introduce the concept of “disproportionate effort” in the context of a business responding to a consumer request. Disproportionate effort is defined as the time and resources expended by a business to respond to an individualized request significantly outweighing the benefit provided to the consumer from responding to the request. A business can only claim disproportionate effort as an exemption from the duty to respond to a data subject request if it has in place adequate processes and procedures to comply with consumer requests in accordance with the CCPA. Since having such processes and procedures in place is a requirement under numerous privacy laws globally, businesses should document their program.
Operationalize data minimization principles
The draft regulations introduce further restrictions on the collection and use of personal information. Use, collection, and retention of personal information must be reasonably necessary and proportionate to achieve the purpose(s) for which it was collected or processed. Any collection, use, or retention that is not necessary or proportionate, or that is unrelated to or incompatible with the purposes for collection, requires the consumer’s explicit consent. Taken together, section 7002 of the draft regulations suggests that upfront explicit consent is required, even with detailed notice, if the data collection, use, retention, and/or sharing is unrelated to or incompatible with the purpose(s) for collection.
Avoid dark patterns
“Dark patterns” refer broadly to tactics that companies use to coerce individuals into making decisions that are likely more favorable for the company than for the individual. The amended CCPA provides that consent is not effective if obtained through the use of a dark pattern, and the CPPA’s draft regulations explain in greater detail what might constitute a dark pattern, including by providing several examples of user interfaces that would be considered dark patterns. Outside of the CCPA, the consumer privacy laws of Connecticut and Colorado also restrict the use of dark patterns, and the Federal Trade Commission has issued warnings against the use of dark patterns and taken enforcement actions against companies that allegedly engaged in their use. Businesses should review their user interfaces to ensure that they are clear, present positive and negative options in a symmetrical way, do not hinder users from executing decisions that are less favorable to the company, and generally avoid manipulating users or substantially subverting their autonomy.
Summary
Companies should continue to prepare for the known 1 January 2023 requirements in the amended CCPA itself, but also get ahead of addressing some of the requirements in the draft regulations that improve a company’s overall privacy law compliance program (and that are helpful to address even if the details of the regulations are further changed before they are final). Companies should not delay action merely because laws and regulations are in flux. This has been the case since 2018 in California and elsewhere. This is the new normal.