In brief

The California Privacy Rights Act of 2020 (CPRA) amended the California Consumer Privacy Act of 2018 (CCPA). Most of the changes take effect on 1 January 2023, with a twelve-month look-back. Limited exceptions concerning the personal data of employees and business contacts will expire. The new California Privacy Protection Agency (CPPA) has published draft regulations that will, once finalized, expand on the rules in the statute and in the existing regulations from the California Attorney General. The CPPA is holding hearings on 24 and 25 August 2022 to solicit public input on the draft regulations and may make further changes to them. But with the CPPA’s attention partially focused on the draft American Data Privacy and Protection Act and its possible preemptive effect on California privacy laws, it is unclear whether the CPPA will finalize the regulations before the CPRA amendments to the CCPA take effect. The current draft of the regulations does not yet address all of the topics and issues mandated by the CPRA, so we expect further draft regulations to come. Despite the fluid situation, companies should take steps now to prepare before 1 January 2023.

Continue updating contracts

Many companies are still working on updating their contracts to account for the European Union’s standard contractual clauses from 2021 (EU SCCs). The amended CCPA will, and the CPPA’s draft regulations would, impose new and different data protection requirements on contracts between parties that disclose personal information to one another. Companies should standardize the legal terms as much as possible and maintain a consolidated set of data protection standards that they would be willing to agree to whether acting as customer or as service provider. Just as the EU SCCs do, the CPPA’s draft regulations require specifics: the business purpose or service for which the service provider, contractor, or third party processes personal information may not be described in generic terms, such as by referencing the entire commercial contract generally. To manage the contracting process, companies should consider separating the mandatory legal terms under the CCPA from the factual descriptions of the particular relationship (similar to the factual annexes that are populated in the EU SCCs). Companies also need efficient processes to update vendor and customer contracts without protracted negotiations and elaborate signature procedures, including by agreeing on notice-and-object mechanisms for changes mandated by law, standardized terms (see article on Standardizing Data Processing Agreements Globally) and electronic signatures (see article on Electronic Form Over Substance: eSignature Laws Need Upgrades). Contracting parties can align their interests on data processing agreements, which must be updated frequently as laws change, by separating the data processing terms that satisfy compliance requirements from the commercial terms that allocate risks and liabilities and set the framework for dispute resolution and governing law (and which cannot be updated unilaterally by one party).

Prepare for customer privacy audits

Companies often spend time on lengthy negotiations over which audit rights should be included in data processing agreements, even though such rights are rarely exercised in practice. But under the draft regulations, whether a business conducts due diligence on its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and its regulations. Simple contract terms for audit rights probably still make sense for many companies, but companies should prepare internally for the possibility that customers will enforce those contract terms or exercise rights to audit or test systems.

Update and document data subject request program

The draft regulations elucidate how businesses must respond to requests from California residents to exercise their rights under the amended CCPA, including the rights to know, access, port, delete and correct personal information, to limit the processing of sensitive personal information, to opt out of the “selling” and “sharing” of their personal information, and to withdraw from financial incentive programs. Businesses should examine which of these rights apply to them and how. For example, if a business does not use sensitive personal information for any purposes other than those listed at subsection 7027(l) of the draft regulations, it does not have to offer a “Limit the Use of My Sensitive Personal Information” link. Businesses should then implement the required technical controls to respond to requests (including the capacity to process opt-out preference signals) and protocols that give personnel clear guidance on how to respond to written requests.

The draft regulations also introduce the concept of “disproportionate effort” in the context of a business responding to a consumer request. Disproportionate effort is defined as the time and resources expended by a business to respond to an individualized request significantly outweighing the benefit provided to the consumer by responding to the request. A business can claim disproportionate effort as an exemption from the duty to respond to a data subject request only if it has in place adequate processes and procedures to comply with consumer requests in accordance with the CCPA. Since having such processes and procedures in place is a requirement under numerous privacy laws globally, businesses should document their program.

Operationalize data minimization principles

The draft regulations introduce further restrictions on the collection and use of personal information. The collection, use and retention of personal information must be reasonably necessary and proportionate to achieve the purpose(s) for which it was collected or processed. Any collection, use or retention that is not necessary or proportionate, or that is unrelated to or incompatible with the purposes for collection, requires the consumer’s explicit consent. Taken together, section 7002 of the draft regulations suggests that up-front explicit consent is required, even where detailed notice has been given, if the data collection, use, retention and/or sharing is unrelated to or incompatible with the purpose(s) for collection.

Avoid dark patterns

“Dark patterns” refer broadly to tactics that companies use to coerce individuals into making decisions that are likely more favorable to the company than to the individual. The amended CCPA provides that consent is not effective if obtained through the use of a dark pattern, and the CPPA’s draft regulations explain in greater detail what might constitute a dark pattern, including by providing several examples of user interfaces that would be considered dark patterns. Outside of the CCPA, the consumer privacy laws of Connecticut and Colorado also restrict the use of dark patterns, and the Federal Trade Commission has issued warnings against the use of dark patterns and taken enforcement actions against companies that allegedly engaged in their use. Businesses should review their user interfaces to ensure that they are clear, present positive and negative options symmetrically, do not hinder users from executing decisions that are less favorable to the company, and generally avoid manipulating users or substantially subverting their autonomy.

Summary

Companies should continue to prepare for the known 1 January 2023 requirements in the amended CCPA itself, but should also get ahead of those requirements in the draft regulations that improve a company’s overall privacy law compliance program (and that are worth addressing even if the details of the regulations change further before they are final). Companies should not delay action merely because laws and regulations are in flux. That has been the case since 2018 in California and elsewhere. This is the new normal.

Author

Loic Coutelier is an associate in Baker McKenzie's Employment Practice Group in Palo Alto. Loic advises clients on domestic and cross-border employment matters arising throughout the employment relationship. Loic also frequently counsels clients on employment law matters arising from domestic and cross-border mergers and acquisitions, and global corporate reorganizations.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.

Author

Helena practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.

Author

Ellie Gladstone is an associate in the Firm's Intellectual Property Practice Group and is based in San Francisco. Ellie advises clients on the intellectual property, data and technology aspects of a wide range of corporate and transactional matters, including mergers and acquisitions and licensing agreements.

Author

Jonathan Tam is a partner in the San Francisco office focused on global privacy, advertising, intellectual property, content moderation and consumer protection laws. He is a qualified attorney in Canada and the U.S. passionate about helping clients achieve their commercial objectives while managing legal risks. He is well versed in the legal considerations that apply to many of the world’s cutting-edge technologies, including AI-driven solutions, wearables, connected cars, Web3, DAOs, NFTs, VR/AR, crypto, metaverses and the internet of everything.

Author

Andrea Tovar regularly advises multinational companies on cross-border commercial transactions and complex international trade matters. Andrea is also a member of the firm’s Technology, Media & Telecommunications Global Industry Group and the California Diversity & Inclusion Committee.

Author

Vivian Tse regularly advises US and multinational companies on complex international trade, regulatory compliance, and cross-border commercial transactions related matters.

Author

Tom is a member of the North America Litigation & Government Enforcement Practice Group in Baker McKenzie's Los Angeles office, and supports the Firm’s privacy, cybersecurity and other international regulatory and advisory practices.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Author

Nick's practice focuses on privacy and cybersecurity, particularly in the healthcare and technology industries. His substantive technical experience, experience with the HIPAA Rules, and deep understanding of information security and privacy regulators' expectations, allows Nick to efficiently guide clients on compliance with emerging laws, regulatory oversight and obligations created through contract.

Author

Stephen Reynolds frequently advises clients on complex matters involving data privacy and security laws and serves on the board of directors of the International Association of Privacy Professionals (IAPP). Stephen’s expertise adds value to organizations by mitigating cyber threats through proactive preventative measures and by navigating complex litigation on behalf of clients in data privacy and security. He routinely draws on his computer background in cases involving data privacy and security, electronic discovery, social media discovery, and computer forensics.