Keypoint: On the heels of last week’s Board meeting, Agency staff quickly turned around a modified version of the proposed regulations, triggering a fifteen day comment period and further signaling that the Agency is on track to finalize the regulations in January/February 2023.
On November 3, 2022, the California Privacy Protection Agency (Agency) issued a notice of modifications to the text of proposed California Consumer Privacy Act (CCPA) regulations. The notice follows a two-day meeting held by the Agency Board on October 28 and 29, 2022, during which the Board authorized Agency staff to take all steps necessary to prepare and notice modifications to the proposed regulatory amendments. The notice states that the Agency will accept written comments regarding the proposed changes or materials added to the rulemaking file up to 8:00 a.m. on Monday, November 21, 2022.
In this post, we first provide a brief overview of the rulemaking process to date and its path forward. We then review some of the substantive modifications the Agency made to the proposed regulations after last week’s Board meeting.
Rulemaking Process to Date and Path Forward
The Agency’s notice is the latest step in a months-long rulemaking process.
The Agency first published draft proposed regulations on May 27, 2022, in connection with an Agency Board meeting held on June 8, 2022. The Agency initiated the formal rulemaking process on July 8, 2022. The Agency accepted written comments on the proposed regulations until August 23, 2022, and held two public hearings on August 24 and 25, 2022.
On September 17, 2022, the Agency issued modified proposed regulations as well as an explanation for the changes. The modified proposed regulations made numerous substantive changes to the proposed regulations, which we documented here.
On October 28 and 29, 2022, the Agency Board held a meeting to review and consider the modified proposed regulations. At the meeting, Agency staff identified a number of additional changes to the proposed regulations, the majority of which were non-substantive. During the meeting, Board members also identified a number of additional changes for Agency staff to consider. At the conclusion of the meeting, the Board authorized Agency staff to take all steps necessary to prepare and notice modifications to the proposed regulatory amendments.
Based on comments made by Agency General Counsel Philip Laird at the meeting, it was expected that Agency staff would take a week or two to make the necessary updates and publish the notice of modifications. However, Agency staff were able to accomplish their work in only a matter of days. The quick turnaround again signals that the Agency knows that timing is an issue with finalizing the regulations, which were statutorily required to be finished in July.
As noted, stakeholders will now have until 8:00 a.m. on Monday, November 21, 2022, to submit written comments. After the comment period – and assuming no further comment period is warranted – Agency staff will prepare a final rulemaking package for Board consideration, which will include a final statement of reasons. The Agency will then submit the final package to the Office of Administrative Law, which will have 30 business days to review it. This process is expected to be concluded in January/February 2023.
Substantive Modifications to Proposed Regulations
In this section, we discuss some of the substantive changes Agency staff made to the proposed regulations after the October 28 and 29 Agency Board meeting. This section does not attempt to identify all changes – many of which were grammatical. For a discussion of prior changes to the proposed regulations, please see our article here.
New Regulation on Enforcement Considerations in Light of the Delay in Promulgating Regulations
Arguably, the most significant change is the addition of new regulation § 7302(b), which allows the Agency to take into account the delay in issuing regulations when engaging in enforcement action. Specifically, the new regulation states:
“As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”
Stakeholders will likely take issue with the fact that the new regulation is only permissive, stating that the Agency “may” take the delay in promulgating regulations and good faith efforts to comply into consideration rather than that it “must” take them into consideration. Given that businesses are likely to have six or seven fewer months to prepare for the July 1, 2023 enforcement start date than set forth in the statute, stakeholders will likely be looking for stronger assurances in the comment period that the delay in promulgating regulations and good faith efforts to comply will be taken into account in enforcement actions.
Right to Limit the Use of Sensitive Personal Information
Section 7027(m) lists the permissible purposes for which businesses can process sensitive personal information without having to provide consumers with the right to limit. Agency staff made a number of changes to this regulation in light of comments made by Board members at the hearing.
First, the preamble now specifically refers to § 17981.121(a) of the CCPA.
Second, the Agency added the phrase “provided that the use or disclosure is reasonably necessary and proportionate for those purposes” to the preamble such that it is clear that all of the specified purposes must satisfy that requirement. In a companion change, Agency staff deleted similar language from clauses (2), (3), (4), (6), and (7).
Finally, the Agency moved the word “collect” from the preamble to clause (8). That clause now states: “To collect or process sensitive personal information where such collection or processing is not for the purpose of inferring characteristics about a consumer.” That clause previously stated “For purposes that do not infer characteristics about the consumer.”
Opt-Out Preference Signals
In § 7025(c)(1), the Agency added the requirement that businesses shall treat opt-out preference signals as a valid request to opt-out of sale/sharing for that browser or device “and any consumer profile associated with that browser or device, including pseudonymous profiles.”
In § 7025(c)(2), the Agency clarified that if a business gives consumers the option to provide information that identifies the consumer so that the request to opt-out of sale/sharing can apply to offline sales/shares and the consumer does not respond, the business shall still process the opt-out preference signal as a valid request to opt-out for that browser or device and any consumer profile the business associates with that browser or device, including any pseudonymous profiles.
In § 7025(c)(4), the Agency clarified how the opt-out preference signal will work when it conflicts with the consumer’s participation in a business’s financial incentive program that requires the consumer to consent to the sale or sharing of personal information. The business may notify the consumer that processing the signal would withdraw them from the program and ask the consumer to confirm whether they intend to withdraw from the program. If the consumer confirms they want to withdraw, the business shall effectuate that request. If the consumer does not affirm their intent to withdraw, the business does not have to withdraw them from the program. If the business does not ask, the business must process the opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or device and any consumer profile the business associates with that browser or device.
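The three § 7025(c) rules above reduce to a small decision procedure that a web or identity team has to implement somewhere. The following is an added illustration, not the Agency’s text or any project’s code: it assumes the signal has already been parsed from the request into a boolean, and that every class and field name is constructed for the example. Where the modified text is silent (what happens to the signal itself when a consumer is asked about withdrawal and does not answer), the assumption is called out in a comment.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Device:
    device_id: str
    # Every profile the business associates with this browser/device,
    # pseudonymous ones included (constructed sample data in the tests).
    linked_profiles: List[str] = field(default_factory=list)

@dataclass
class OptOutContext:
    signal_present: bool                       # opt-out preference signal received (parsing assumed upstream)
    offline_identity: Optional[str] = None     # identity the consumer volunteered for offline sales/shares
    in_incentive_program: bool = False         # enrolled in a program requiring consent to sale/sharing
    business_asked_to_confirm: bool = False    # business notified consumer and asked about withdrawal
    consumer_confirmed_withdrawal: Optional[bool] = None  # True/False, or None if no answer

@dataclass
class OptOutDecision:
    opt_out_applied: bool                      # signal treated as a valid request to opt out of sale/sharing
    opted_out_scope: List[str]                 # device id plus every associated profile
    opted_out_offline_identity: Optional[str]  # identity covered for offline sales/shares, if provided
    withdrawn_from_program: bool

def process_opt_out_signal(device: Device, ctx: OptOutContext) -> OptOutDecision:
    """Apply the modified § 7025(c)(1), (c)(2) and (c)(4) logic described above."""
    if not ctx.signal_present:
        return OptOutDecision(False, [], None, False)
    # (c)(1) and (c)(2): the opt-out reaches the browser/device and every profile
    # associated with it, whether or not the consumer answered an offline-identity prompt.
    scope = [device.device_id] + list(device.linked_profiles)
    # (c)(4): the signal conflicts with consent given for a financial incentive program.
    if ctx.in_incentive_program and ctx.business_asked_to_confirm:
        if ctx.consumer_confirmed_withdrawal is True:
            # Consumer confirmed: withdraw them and honour the signal.
            return OptOutDecision(True, scope, ctx.offline_identity, True)
        # No affirmation: the business need not withdraw the consumer. The text does not
        # say what happens to the signal itself; this example assumes it is not applied.
        return OptOutDecision(False, [], None, False)
    # No conflict, or the business chose not to ask: the signal must be processed as a
    # valid opt-out. Program membership is left unchanged here (the text is silent).
    return OptOutDecision(True, scope, ctx.offline_identity, False)
```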
Purpose Limitations, Secondary Uses and Data Minimization
The Agency also made a number of changes to § 7002 as discussed at the Board meeting.
First, the Agency removed the word “factors” from §§ 7002(b) and (d). This was done to try to eliminate the suggestion that the follow-on clauses were to be balanced against one another.
Second, the word “clarity” was added to § 7002(b)(4) such that it now reads “[t]he specificity, explicitness, prominence, and clarity of disclosures to the consumer(s) . . . .”
Third, the Agency added the following sentence to § 7002(d): “The business’s collection, use, retention, and/or sharing of a consumer’s personal information shall also be reasonably necessary and proportionate to achieve any purpose for which the business obtains the consumer’s consent in compliance with subsection (e).”
In § 7004(c), which deals with dark patterns, the Agency added the sentence: “For example, a business’s intent to design the user interface to subvert or impair user choice weighs heavily in favor of establishing a dark pattern.”
In § 7012(g)(3)(a), the Agency changed “ad network” to “third party ad network.” This provision deals with how third parties must provide notices of collection. As originally drafted, it could be read to state that an analytics business is a third party. It was then amended to remove the reference to an analytics business and to say “ad network” instead. In the latest change, the regulation now states “third party ad network.”
The Agency replaced the text in § 7050(g). The new text reads: “Whether an entity that provides services to a Nonbusiness must comply with a consumer’s CCPA request depends upon whether the entity is a “business,” as defined by Civil Code section 1798.140, subdivision (d).” The prior text read: “Whether an entity that provides services to a Nonbusiness must comply with a consumer’s CCPA request depends upon whether the entity is a “business.” One of the elements of the definition of “business” includes whether that entity—alone, or jointly with others— determines the purposes and means of processing the personal information at issue. For example, Entity A provides cloud storage services to a Nonbusiness. The Nonbusiness stores personal information in the cloud. If Entity A receives a request to know from a consumer, it must evaluate whether it meets the definition of “business.” If the Nonbusiness is the only entity that determines how that personal information is processed and used, then Entity A is not a “business” and does not need to comply with the consumer’s request. However, if Entity A uses the personal information it stores on behalf of the Nonbusiness for Entity A’s own purposes, such as developing new products or services, Entity A may fall under the definition “business” and may have to comply with the consumer’s request with regard to that personal information.”
In § 7051(a)(3) dealing with data processing agreements, the Agency deleted the sentence: “This section shall list the specific business purpose(s) and service(s) identified in subsection (a)(2).”