Keypoint: The Agency proposed more revisions to the CCPA regulations for consideration at the December 8 board meeting.

On December 1, 2023, the California Privacy Protection Agency (Agency) published proposed revisions to the CCPA regulations as well as a chart explaining the proposed modifications. The draft regulations were released in connection with the Agency’s December 8 board meeting. Importantly, the draft revisions are only intended to facilitate Board discussion and public participation. The Agency has not yet started formal rulemaking.

The Board now has six sets of draft regulations to discuss at its December 8 meeting: (1) cybersecurity audits, (2) automated decisionmaking technology, (3) risk assessments, (4) revisions to the CCPA regulations, (5) insurance, and (6) data broker registry fee.

The revisions to the CCPA regulations come even though the Agency cannot yet enforce its first set of revisions to the CCPA regulations. The Agency finalized those regulations on March 29, 2023, but a trial court delayed enforcement until March 29, 2024, finding that the CCPA requires a twelve-month delay in enforcement after finalization.

The below article provides a brief overview of some of the more notable proposed revisions.

New Category of Sensitive Personal Information

The revisions add the CCPA’s statutory definition of sensitive personal information to the regulations and then expand that definition by including “personal information of consumers less than 16 years of age.” CCPA § 1798.185(a)(1) grants the Agency the authority to update or add categories of personal information or sensitive personal information “in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.”

The Agency’s accompanying chart explains that this new category is intended “to update and harmonize the definition of sensitive personal information with the definition of sensitive data used by other jurisdictions (e.g., Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, and Virginia).

Although it is correct that those other state privacy laws include information from children in their definitions of sensitive data, those laws define child as under 13 years of age (i.e., the age set by the federal Children’s Online Privacy Protection Act) and not under 16 years of age. However, the CCPA already restricts the selling and sharing of personal information of children under 16 years of age, which is likely the reason the Agency chose that age. Some of the other state laws, starting with Connecticut’s law passed in 2022, adopted the CCPA’s under 16 protections.

Also, it is worth noting that the CCPA does not require consent to collect sensitive personal data like the other state laws but rather provides a right to limit the use of sensitive personal information in certain situations (i.e., opt out).

Higher Monetary Threshold for Applicability and Higher Fines

The revisions would add a new section 7005, which increases the monetary threshold for various items in the CCPA based on the Consumer Price Index. Perhaps most notable is that the monetary threshold for the definition of “business” would be increased from $25,000,000 to $27,975,000. The potential fine amounts also would increase to $2,797.50 (up from $2,500) for each violation and $8,392.50 (up from $7,500) for each intentional violation.

Consent / Dark Patterns

The Agency continued to revise its requirements around dark patterns and choice architecture in regulation section 7004, which was a new regulation added by the Agency during the CPRA rulemaking process. The Agency significantly changed this section during its multiple rounds of edits. When the Agency previously made those changes, it noted that it was doing so to streamline the process for finalizing the last round of regulations. It appears the Agency now wants to revisit some of the provisions it modified or removed. The Agency’s chart also explains that some of these proposals are intended to “harmonize the subsections with Colorado’s regulations regarding user interface design, choice architecture, and dark patterns.”

The revisions also would clarify that consumers have the right to “withdraw consent at any time” subject to statutory exemptions. This change would align the CCPA with the right to withdraw consent first provided for in Connecticut’s law.

Clarification of Treatment of Disclosures to Third Parties

The revisions would clarify the long-standing disconnect with the regulation’s treatment of “third parties” by clarifying that businesses do not sell, share, or disclose personal information to third parties “for a business purpose.” Rather, they disclose personal information to service providers or contractors for a business purpose. This change is proposed in the regulation’s definition and treatment of requests to know and the privacy policy provisions in section 7011.

Notice of Right to Limit Sensitive Personal Information

A new subsection would be added requiring businesses to provide the Notice of Right to Limit in the same manner in which they collect sensitive personal information. For example, brick-and-mortar stores would need to provide the notice through an offline method such as through signage. According to the Agency, this “subsection mirrors the requirements for the Notice of Right to Opt-Out of Sale/Sharing.”

Requests to Delete

The Agency suggests modifying the request to delete regulations by requiring businesses, service providers, and contractors to “implement measures to ensure that the information remains deleted, deidentified or aggregated.” The Agency goes on to state: “For example, if a business, service provider, or contractor receives personal information about consumers from data brokers on a regular basis, failing to consider and address the possibility that deleted information may be re-collected by the business factors into whether that business, service provider, or contractor has adequately complied with a consumer’s request to delete.” It could be argued that this example is in tension with the CCPA’s statutory text which states that the request to delete only extends to “personal information about the consumer which the business has collected from the consumer.”

Right to Complain

If a business denies a request to delete, correct, know, opt-out, or limit the use of sensitive personal information, it would be required to inform the consumer that they can file a complaint with the Agency and Attorney General and provide links to the complaint forms on their respective websites. This provision is similar to the requirement found in other state laws that a controller who denies a consumer’s request to appeal must inform the consumer of their ability to contact the state attorney general.

Opt Out Preference Signals

The revisions would bring back the requirement that businesses must display whether they have processed a consumer’s opt-out preference signal. This requirement was in the initial draft CPRA regulations but was made permissive during the revision process.