Keypoint: The California Privacy Protection Agency’s issuance of significantly modified proposed regulations comes days in advance of four scheduled Board meetings where the proposed regulations will open to debate, modification, and potential adoption.
On Monday, September 17, 2022, the California Privacy Protection Agency (CPPA or Agency) issued modified proposed CPRA regulations as well as an explanation for the changes. The modified proposed regulations follow a 45-day written comment period on the initial proposed regulations that ended on August 23, 2022, and two public hearings that were held on August 24 and 25, 2022. Interested parties submitted over 1,000 pages of written comments during the written comment period.
The issuance of modified proposed regulations was expected based on comments made during the Agency’s prior Board meeting on September 23, 2022. The Agency initially issued the modified proposed regulations in connection with two days of Board meetings scheduled for October 21 and 22, 2022. Later in the day on September 17, the Agency announced that it will hold two more days of Board meetings on October 28 and 29, 2022.
At the meetings, the Board will discuss the proposed regulations, including possible adoption or modification of the text. To that end, the accompanying explanation document identifies twenty-eight (28) items that Agency staff recommend for discussion at the meetings.
In this post, we first provide high-level takeaways from the modified proposed regulations. We then discuss some of the more notable changes. We do not attempt to summarize all of the changes.
- These are still draft regulations. With four days of Board meetings already scheduled and another written comment period anticipated, the regulations are still open to change.
- The timeframe for finalization is still unclear. However, it is apparent from comments made by Agency Executive Director Ashkan Soltani at the September 23 Board meeting that Agency staff are working hard to finalize the regulations as quickly as possible. The scheduling of Board meetings on two Saturdays in October also is a signal that the Board is motivated to get the regulations finalized.
- These are still partial regulations. The modified proposed regulations cover the same topics as the initial draft regulations. Even when these regulations are finalized, the Agency will need to engage in further rulemaking.
- The Agency streamlined (i.e., deleted) a number of requirements, explaining that it did so to simplify the implementation of the regulations at this time. For example, the modified proposed regulations no longer require businesses to identify in their notices at collection which third parties collect personal information on their websites. The modified proposed regulations also no longer mandate (but make permissive) that businesses provide website notifications when they recognize opt-out signals, opt-out requests, and requests to limit the use of sensitive personal information.
- The recognition of opt-out preference signals is still mandatory.
- Is the use of a data analytics provider a CCPA sale? This issue gained considerable attention after the Sephora settlement. The initial proposed regulations could be read to suggest they were sales, equating a data analytics provider to a third party. However, the modified proposed regulations change the relevant language and the accompanying explanatory document states that in some instances an analytics business can be a service provider and not a third party.
- Businesses that are also subject to the Colorado Privacy Act need to be mindful of how the two sets of draft regulations relate to one another. Helpfully, the Colorado Attorney General’s Office will not hold its public hearing on the Colorado rules until February, thereby allowing California to move further along in its process and perhaps finish its regulations. We will host a webinar on the CPA draft rules on Thursday, October 20.
Restrictions on the Collection and Use of Personal Information
Section 7002 of the proposed regulations seeks to operationalize CPRA § 1798.100(c), which requires a business’s processing of personal information to be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”
The initial version of the proposed regulations grounded this analysis in the reasonable expectations of an average consumer. The modified proposed regulations keep this frame of reference but now provide five factors for businesses to consider when making this determination. The modified proposed regulations also now set forth three factors for whether a disclosed purpose is compatible with the context in which personal information was collected and three factors for determining when processing is reasonably necessary and proportionate to the purpose for which it was collected.
Businesses subject to the Colorado Privacy Act (CPA) should note that Rule 6.08 (Secondary Use) of the draft CPA rules also sets forth a multi-factor test for controllers to determine when a new processing purpose is “reasonably necessary to or compatible with the original specified purpose.”
User Interfaces, Choice Architecture and Dark Patterns
The Agency modified section 7004 of the proposed regulations to remove a number of examples and requirements. For example, the modified proposed regulations remove an example stating that “A choice where the ‘yes’ button is more prominent (i.e., larger in size or in a more eye-catching color) than the ‘no’ button is not symmetrical” and therefore improper. The modified proposed regulations also remove references to businesses not using “manipulative language” or “wording that guilts or shames the consumer into making a particular choice.” Notably, all of the changes in section 7004 were identified by Agency staff as topics for Board discussion at the upcoming meetings.
The changes to section 7004 also should be read in reference to CPA draft Rule 7.09, which covers many of the same topics and currently includes some of the same language removed from the CPRA proposed regulations. For example, CPA draft Rule 7.09B.2 states that “Consent choice options should avoid the use of emotionally manipulative language” and “One choice should not be presented in a way that creates unnecessary guilt or shames the user into selecting a specific choice.” CPA draft Rule 7.09B.1 also states that “Presenting an ‘I do not accept’ button in a greyed-out color while the ‘I accept’ button is presented in a bright or obvious color would not be considered equal or symmetrical.” It will be important to track whether Colorado follows the changes made by California as the CPA rulemaking process unfolds.
Notably, section 7011, governing the contents of privacy policies, did not undergo substantive revisions. The changes in this section were restricted to adding or modifying defined terms and fixing internal cross-references. The lack of substantive changes to this section will lend hope to privacy professionals that this regulatory topic may be near completion.
Notice at Collection of Personal Information
Section 7012 contains at least three significant changes.
First, the notice at collection will no longer need to identify information regarding third parties that collect personal information through the business. The initial proposed regulations stated that “If a business allows third parties to control the collection of personal information [it must identify in its notice at collection], the names of all the third parties; or, in the alternative, information about the third parties’ business practices.” This language (as well as other similar language in section 7012) was deleted in the modified proposed regulations “to simplify implementation at this time.”
Second, in a change that will draw significant attention after the Sephora enforcement action, the Agency modified one of the illustrative examples dealing with analytics providers. The initial language referred to an “analytics business” as a third party, suggesting that it could not be a CCPA service provider. This was significant because it suggested that businesses need to provide the right to opt out of sales simply if they are using analytics providers such as Google Analytics. However, in its explanatory document, the Agency states that it revised the example “such that Business G is an ad network instead of an analytics business. This change was made because in some instances an analytics business can be a service provider and not a third party.”
The question of whether an analytics provider can be a service provider has been the subject of much debate post-Sephora, including in an IAPP article co-authored by Omer Tene and Gabe Maldoff. The discussion has been fueled by illustrative enforcement case examples published by the Attorney General’s Office, which have suggested that the use of analytics providers constitutes a sale. For example, in one use case, the Office states that the “business also exchanged personal information about users’ online activities with various third-party analytics providers but did not post the required notices or provide consumers with methods to opt-out of the sale of personal information.” Indeed, the question even goes back to the original CCPA regulations, with the Office responding to a question as to whether the use of Google Analytics and Adobe Analytics constitutes a sale by stating that it “require[s] a fact-specific determination.” See Appendix A, Response #533.
Third, the modified proposed regulations delete the subsections dealing with the collection of employment-related information. The Agency’s explanatory document states that these subsections were deleted to “conform the regulations to the law following the expiration of the” employee data exemption. However, the regulations still do not cover the treatment of employee data, thus potentially leaving this issue for another round of rulemaking.
Right to Limit Use of Sensitive Personal Information
The modified proposed regulations add language to sections 7014 and 7027 to clarify that a business does not need to provide a Notice of Right to Limit or the “Limit the Use of My Sensitive Personal Information” link if it only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer.
This language was noticeably missing from the initial proposed regulations even though CPRA § 1798.121 states that “Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section . . ., and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100.” As we previously explained, this limiting language can significantly benefit businesses in complying with the CPRA, given the statute’s broad definition of sensitive personal information as compared to the definitions in other state privacy laws.
Section 7027(h) also was modified to make it permissive (but not mandatory) that websites confirm that a request to limit has been processed by the business. The initial proposed regulations suggested that a business would need to display through a toggle or radio button that the consumer has limited the business’s use and sale of their sensitive personal information. As discussed below, similar changes were made with respect to the processing of opt-out preference signals and opt-out requests.
The Agency also deleted the examples regarding providing the Notice of Right to Limit “to simplify implementation at this time.”
Finally, the Agency modified some of the purposes for which businesses can process sensitive personal information in section 7027(m). For example, businesses could now use sensitive personal information to prevent and investigate certain types of security incidents.
Opt-Out Preference Signals and Right to Opt-Out of Sales
Notwithstanding arguments that the CPRA makes the recognition of opt-out signals optional, the modified proposed regulations still require businesses to recognize such signals. However, the modified proposed regulations no longer require businesses to display whether they have recognized the signal.
In the initial version of the regulations, businesses would have been required to provide a means by which the consumer can confirm that their request to opt-out of sale/sharing had been processed by the business, such as by displaying on its website “Consumer Opted Out of Sale/Sharing” or by displaying through a toggle or radio button that the consumer has opted out. Similarly, a business was required to display whether it had processed a consumer’s opt-out preference signal, such as by displaying on its website “Opt-Out Preference Signal Honored.” These provisions were made permissive in the modified proposed regulations.
That said, in the accompanying explanatory document, Agency staff identified the deletion of the requirement that websites state whether they have recognized the opt-out preference signal as a topic of discussion for the Board.
Service Providers to Non-Businesses
The modified proposed regulations restore the understanding that service providers to non-profits, government entities, and other entities that do not qualify as businesses under the CPRA do not have to comply with the CPRA unless they are acting in their own capacity as a business. This change was made by deleting the existing section 7050(a) and replacing it with a new section 7050(g).