Keypoint: The California Privacy Protection Agency issued a first set of draft regulations that contain a number of notable provisions but do not address all of the CPRA’s rulemaking topics.

On Friday, May 27, 2022, the California Privacy Protection Agency (CPPA or Agency) issued draft regulations in connection with a Board meeting scheduled for June 8, 2022.

In this post, we provide high-level takeaways from the draft regulations, discuss the rulemaking timeframe, and summarize some of the more notable provisions.

High-Level Takeaways

  • These are draft regulations. They will be subject to extensive public comments and modifications. Businesses should be mindful that the CCPA regulations were significantly revised before being finalized. In that respect, it is perhaps more important to focus on topics and concepts rather than specific verbiage.
  • The timeframe associated with the draft regulations is unclear as the CPPA still must issue a Notice of Proposed Rulemaking to trigger the formal rulemaking process. Expect to learn more at the Board’s June 8 hearing.
  • The draft regulations are a redline of the existing CCPA regulations. While there are many changes to those regulations, the backbone and structure of the regulations remain the same.
  • Despite their 66-page length, the draft regulations do not cover all of the twenty-two regulatory topics set forth in Cal. Civ. Code § 1798.185(a). The Agency will need to issue more regulations on topics such as cybersecurity audits, risk assessments, and opting out of automated decision-making technology.
  • The Agency wants to make the recognition of opt-out preference signals mandatory notwithstanding the CPRA’s text stating that recognition is optional. Expect this to be a big topic of debate in the rulemaking process. Notably, the draft regulations do not address the technical specifications for opt-out preference signals.
  • The draft regulations create new notice at collection requirements for when a first party (such as a website) allows a third party (such as a website analytics provider) to collect personal information from consumers.
  • The draft regulations provide extensive requirements for obtaining consumer consent and state that the failure to follow those requirements is a dark pattern.
  • The draft regulations operationalize the CPRA’s right to correct inaccurate personal information and right to limit the use of sensitive personal information. The draft regulations also specify the notice requirements associated with the right to limit the use of sensitive personal information and identify the permissible uses for sensitive personal information.
  • Businesses will need to confirm that they have processed requests to opt out of sales/sharing and requests to limit the use of sensitive personal information. As examples, the Agency states that businesses may display on their website ‘Consumer Opted Out of Sale/Sharing’ or display through a toggle or radio button that the consumer has opted out of the sale/sharing of their personal information or limited the use of sensitive personal information.
  • Cookie management tools, in and of themselves, are not sufficient to effectuate opt-out requests and requests to limit the use of sensitive personal information.
  • The data processing agreement requirements in the draft regulations do not match the statutory requirements. Assuming this continues into the final regulations, businesses will need to consult both texts when drafting such agreements, thereby creating unnecessary compliance issues. The draft regulations also create a new duty for businesses to conduct due diligence on service providers, contractors, and third parties.

Rulemaking Timeframe

The timeframe associated with the draft regulations is unclear. The draft regulations were attached as an agenda item for the CPPA Board’s June 8 meeting. The meeting notice states that the Board will consider “possible action regarding proposed regulations . . . including possible notice of proposed action.”

A presentation filed in connection with the CPPA Board’s May 26 meeting provided a timeframe for pre-rulemaking activities and indicates that at the initial meeting the Board will be presented with draft regulations and an initial statement of reasons. An initial statement of reasons has yet to be made publicly available.

For reference, when the California Attorney General’s office issued its first draft of the CCPA regulations, it circulated a Notice of Proposed Rulemaking Action, containing information on the timeframe for providing written comments, and an Initial Statement of Reasons.

Ultimately, expect the Board’s June 8 meeting to provide clarity on the rulemaking process and potentially be the trigger date for when the 45-day comment period will begin.

Summary of Draft Regulations

This section summarizes the proposed regulations, focusing on the parts of the draft regulations that are noteworthy. It does not attempt to summarize or discuss every part and section of the draft regulations.

Restrictions on Collection and Use of Personal Information (§ 7002)

Section 7002 is directed at operationalizing Cal. Civil Code § 1798.100(c)’s requirement that a “business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” The regulations root this analysis in what an average consumer would expect and provide a number of illustrative examples.

Consent and Dark Patterns (§ 7004)

Section 7004 sets forth specific requirements for obtaining consumer consent. As we previously discussed, the CPRA generally uses consent as a mechanism for businesses to circumvent consumer requests. For example, as discussed in our article on opt-out signals, if a consumer exercises an opt out right, a business may seek consumer consent to circumvent that choice. In comparison, the laws in Colorado, Connecticut and Virginia require consent for the collection of sensitive data.

According to the draft regulations, when obtaining consent, businesses must (1) use methods that are easy to understand, (2) provide for symmetry in choice, (3) not use confusing language and elements, and (4) avoid manipulative language (including guilting or shaming language) and choice architecture. The methodology also must be easy to use. The draft regulations state that methods that do not comply with these requirements are dark patterns.

The draft regulations provide a number of examples of symmetric choices, many of which will be familiar to privacy professionals who deal with EU cookie consent issues. For example, a “yes” button must be presented in the same manner as a “no” button, and an “Accept All” option must be matched with a “Decline All” option.

The requirement to avoid guilting or shaming the consumer is interesting. For example, the draft regulations state that a business cannot offer choices such as “No, I like paying full price” or “No, I don’t want to save money” because they are manipulative and shaming.

Privacy Policy (§ 7011)

The regulations around privacy policies have undergone substantial changes, but those changes appear to be mostly structural (i.e., moving text around from other parts of the regulations). However, the following new requirements were added:

  • State whether the business discloses sensitive personal information for purposes other than those authorized by the CPRA and regulations and, if so, provide the required notice information (see further discussion below).
  • Provide information on the CPRA’s new rights, such as the right to correction.
  • Explain how opt-out preference signals are processed.

Notice at Collection (§ 7012)

Like the CCPA, the CPRA requires businesses to provide consumers with a notice at or before the time they collect personal information. The notice needs to explain the categories of personal information to be collected from them, the purposes for which the personal information is collected or used, and whether that information is sold or shared.

The draft regulations add to the existing requirements by stating that businesses also must provide a list of the categories of sensitive personal information collected, whether personal information is sold or shared, and the length of time the business intends to retain each category of personal information (or, if that is impossible, the criteria used to determine the retention period).

The draft regulations also create new requirements around first-party and third-party data collectors and require both to provide notices. According to the Agency, “[f]or example, a first party may allow another business, acting as a third party, to control the collection of personal information from consumers browsing the first party’s website.”

A first party that allows a third party to collect data from a consumer must include in its notice the names of all the third parties that the first party allows to collect personal information from the consumer. In the alternative, a business, acting as a third party and controlling the collection of personal information, may provide the first party with information about its business practices for the first party to include in its notice at collection.

In an example that will resonate with hundreds or thousands of businesses using analytics services such as Google Analytics, the Agency explains:

Business F allows Business G, an analytics business, to collect consumers’ personal information through Business F’s website. Business F may post a conspicuous link to its notice at collection, which shall identify Business G as a third party authorized to collect personal information from the consumer or information about Business G’s information practices, on the introductory page of its website and on all webpages where personal information is collected. Business G shall provide a notice at collection on its homepage.

Consumer Rights Links

Opt-Out of Sell/Share Links (§ 7013)

The CPRA requires businesses that sell or share personal information to provide an opt-out link to effectuate consumer opt-out requests. Although the CCPA and its regulations already require “Do Not Sell My Personal Information” links, the CPRA regulations add a number of new requirements.

For example, clicking on the opt-out link must “either have the immediate effect of opting the consumer out of the sale or sharing of personal information or lead the consumer to a webpage where the consumer can learn about and make that choice.”

Links also must be conspicuous. For websites, links must appear in a manner similar to the other links used on the business’s homepage. For apps, links must be accessible, such as through the settings menu and in the privacy policy.

Finally, businesses do not need to provide a link if they process opt-out preference signals in a “frictionless” manner (see below for more discussion of this issue).

Sensitive Personal Information – Notice and Use Limitation Link (§ 7014)

The CPRA introduces the concept of sensitive personal information, a topic we discussed at length here. In short, the CPRA allows businesses to process sensitive personal information for certain limited purposes. Some of those purposes are set forth in the CPRA; other purposes are subject to Agency rulemaking. If a business processes sensitive personal information for other purposes, it must provide a notice of such processing and allow consumers to restrict the business’s processing to the permissible purposes through a “Limit the Use of My Sensitive Personal Information” link. The CPRA regulations address each of these topics through § 7014 and § 7027 (discussed below).

With respect to the link, the draft regulations create a similar structure as with opt-out links, namely, the link must be conspicuous and either immediately effectuate the request or direct a consumer to a webpage with the notice of right to limit. The notice must describe the consumer’s right to limit and provide instructions on how to submit a request.

Alternative Opt-Out Link (§ 7015)

Rather than providing both an opt-out of sell/share link and a sensitive personal information use limitation link, the CPRA allows businesses that must provide both links to use “a single, clearly labeled link on the business’ internet homepages” to effectuate both of these requests. The draft regulations state that the link must say either “Your Privacy Choices” or “Your California Privacy Choices.” The link must be conspicuous, include the CCPA’s opt-out icon, and direct consumers to a webpage with certain information.

Mandatory Recognition of Opt-Out Preference Signals (§ 7025)

As discussed in our prior article, CPRA § 1798.135 provides businesses with the option of recognizing opt-out preference signals as valid consumer requests to opt-out of the sale or sharing of personal information and to limit the use of sensitive personal information. Specifically, § 1798.135 provides: “A business shall not be required to comply with subdivision (a) [i.e., provide opt-out links on its website] if the business allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal.” (Emphasis added.)

However, as we previously discussed, there is a need to reconcile that provision with the CCPA regulations’ existing requirement that businesses recognize such signals: “Finally, it remains to be seen how the CPPA will address the Attorney General’s current regulations and FAQs, which require businesses to honor GPC signals as valid opt out of sale requests under the CCPA. With the CPRA making the recognition of opt-out signals optional, there is a need to reconcile the two.”

The draft regulations do not shy away from resolving this conflict and repeatedly state that businesses must recognize such signals notwithstanding the CPRA’s text. In § 7025(e), the Agency takes the position that the CPRA “does not give the business the choice between posting the [opt-out] links or honoring opt-out preference signals.” Rather, the Agency creates a new distinction between recognizing opt-out preference signals in a “frictionless” and a “non-frictionless” manner. According to the Agency, if a business provides the opt-out links, then it is allowed to honor opt-out preference signals in a “non-frictionless manner.” If a business processes opt-out preference signals in a frictionless manner, it does not need to provide the opt-out links.

The Agency goes on to explain that processing opt-out requests in a frictionless manner means not charging a fee or other valuable consideration, not changing the consumer’s experience with the product or service offered, and not displaying a notification, pop-up, text, graphic, animation, sound, video, or interstitial content in response to the opt-out preference signal.

Further, if a business wants to avoid providing the opt-out links, it also must include certain information in its privacy policy, such as a statement that it recognizes opt-out preferences in a frictionless manner, and it needs to ensure that its recognition of the signal also effectuates opt-outs of any offline sales/shares.

The Agency’s interpretation on this issue is certain to receive significant pushback during the public comment period and will need to be closely monitored as the rulemaking process unfolds.

Notably, the draft regulations do not address the technical specifications for opt-out preference signals, which is a specific topic for rulemaking and necessary to fully effectuate these requirements.

Handling Consumer Requests

Requests to Delete (§ 7022)

The draft regulations provide new details on how service providers and contractors must respond to a business’s notification that a consumer has exercised her right to deletion. For example, they must permanently delete the information and notify their own service providers and contractors to delete the information.

Requests to Correct (§ 7023)

The right to correction is a new right provided by the CPRA, which the draft regulations operationalize through § 7023.

Upon verification, the Agency requires businesses to determine the accuracy of the personal information by considering “the totality of the circumstances relating to the contested personal information.” The Agency provides some guidance on this analysis such as considering the nature of the personal information, how the business obtained it, and documentation relating to the accuracy of the personal information. Businesses also are permitted to request that consumers provide documentation if necessary. Businesses that correct personal information also must implement measures to ensure the information stays corrected and that service providers and contractors correct it.

Requests to Opt-Out of Sale/Sharing (§ 7026)

Of note, the draft regulations state that a “notification or tool regarding cookies, such as a cookie banner or cookie controls, is not by itself an acceptable method for submitting requests to opt-out of sale/sharing because cookies concern the collection of personal information and not the sale or sharing of personal information. An acceptable method for submitting requests to opt-out of sale/sharing must address the sale and sharing of personal information.” This provision – should it remain through the revision process – could impact how businesses use cookie consent tools to effectuate opt-outs.

Businesses also are required to provide “a means by which the consumer can confirm that their request to opt-out of sale/sharing has been processed by the business.” The Agency explains, as an example, that the “business may display on its website ‘Consumer Opted Out of Sale/Sharing’ or display through a toggle or radio button that the consumer has opted out of the sale of their personal information.”

Request to Limit Use and Disclosure of Sensitive Personal Information (§ 7027)

The right to limit the use and disclosure of sensitive personal information is another new right provided by the CPRA, which § 7027 operationalizes. The draft regulations require businesses to provide at least two methods for exercising this right. As with the right to opt out of sale/sharing, the Agency takes the position that a notification or tool regarding cookies is not, in and of itself, sufficient. Businesses have 15 business days to comply with the request, which includes notifying service providers, contractors, and third parties.

As with requests to opt-out of sales/sharing, businesses must provide a “means by which the consumer can confirm that their request to limit has been processed by the business. For example, the business may display through a toggle or radio button that the consumer has limited the business’s use and sale of their sensitive personal information.”

Finally, the regulations identify seven permissible purposes for processing sensitive personal information without having to provide the right to limit. Those permissible purposes include performing the services or providing the goods that an average consumer would reasonably expect, detecting certain types of security incidents, ensuring the physical safety of individuals, and short-term, transient use.

Data Processing Agreements

Service Providers and Contractors (§ 7050)

The draft regulations make clear that a person who contracts with a business to provide cross-context behavioral advertising is a third party and not a service provider or contractor. As a result, that transfer is a share and is subject to the right to opt out of sharing.

Contracts for Service Providers and Contractors (§ 7051)

Section 7051 identifies the requirements for service provider and contractor contracts; however, it does not match all of the statutory requirements and creates a few new ones. For example, contracts would need to require service providers and contractors to notify businesses within five days if they determine that they can no longer comply with the law. The statutory text does not contain the five-day requirement. Ultimately, whenever the regulations are finalized, businesses may need to look to both the statutory and regulatory texts to ensure that all requirements are met. For a detailed analysis of CPRA’s contracting requirements, see our article here.

Finally, the draft regulations create a new due diligence duty, stating that “[w]hether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and these regulations.”

Third Parties (§ 7052)

Section 7052 sets forth the duties of third parties such as complying with consumer requests that are forwarded to them and recognizing opt-out preference signals.

Contract Requirements for Third Parties (§ 7053)

Section 7053 identifies the contractual requirements for third-party contracts. As with the draft regulations for service provider/contractor contracts, the language in § 7053 does not exactly match the statutory language. This section also creates a due diligence duty.

Investigations (§§ 7300-7303)

The Agency has the discretion to initiate investigations as a result of a sworn complaint, Agency-initiated investigation, referral from government agencies or private organizations, and nonsworn or anonymous complaints. If the Agency proceeds with an investigation, it will issue a notice of probable cause and conduct a hearing. The Agency will then issue a written probable cause decision.

Agency Audits (§ 7304)

The Agency is permitted to perform audits in three situations: (1) to investigate possible violations of the law; (2) if the subject’s collection or processing activities present significant risk to consumer privacy or security; and (3) if the subject has a history of noncompliance with the law “or any other privacy protection law.”