June 1, 2022

Early Draft of California Privacy Regulations Focuses on Opt-Out Rights, Disclosures

Holland & Knight Alert
Ashley L. Shively | Rachel Marmor

Highlights

  • The California Privacy Protection Agency (the Agency) released a preliminary draft of its proposed regulations implementing the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
  • The lengthy draft includes detailed requirements for obtaining and implementing consumer direction regarding the sale and sharing of personal information, but it does not cover a number of hot topics, including unique employee and business-to-business issues, retention, cybersecurity audits, privacy risk assessments and automated decision-making.
  • Because the regulations already are unlikely to be finalized in advance of the CPRA's effective date of Jan. 1, 2023, businesses should begin big-picture planning now.

The newly formed California Privacy Protection Agency (the Agency) quietly released a preliminary draft of its proposed regulations on May 27, 2022, implementing the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). The 66-page draft includes seven full pages of detailed requirements for obtaining and implementing consumer direction regarding the sale and sharing of personal information, but it does not cover a number of privacy hot topics mentioned in the grant of rulemaking authority to the Agency.

The Agency is required to conduct a formal notice and comment process on the proposed regulations, creating a strong probability of future changes. However, some of the more complicated proposed obligations – particularly around opting-out of sales and sharing – will require significant preparation, planning and budget to implement. Because the rules already are unlikely to be finalized in advance of the CPRA's effective date of Jan. 1, 2023, businesses should begin big-picture planning now.

Range of Topics Covered


The draft regulations do not set forth any particular rules related to handling of personal information relating to or privacy requests from employees or individuals who interact with a business in a business capacity. They also do not elaborate on the new requirement for a business to make disclosures in its privacy policy about its practices related to retention of personal information or other topics set out in the grant of rulemaking authority [Civ. Code § 1798.185(a)], including cybersecurity audits, privacy risk assessments and automated decision-making.

Key Takeaways

It will take substantial time for business and legal teams to fully digest the implications of this lengthy draft and begin to strategize on a plan to operationalize concepts while still leaving flexibility for inevitable changes before the regulations become final. On first read, however, some themes and likely operational challenges emerge:

  • Heavy focus on consumer-friendly presentation of privacy options. The draft rules push a detailed vision as to how a consumer should experience the process of making privacy choices, including requiring that the process be "easy to understand," prohibiting "dark patterns," requiring "symmetry in choice" and prohibiting manipulative language. This would create significant leeway for the Agency to bring actions against businesses based on subjective judgments about their websites. Further, businesses are likely to experience tension between this principle and the complex requirements related to website disclosures and pop-ups discussed below.
  • Rules of the game driven by consumers' expectations. Businesses would be restricted to using personal information in a manner "consistent with what an average consumer would expect," but the proposed rules shed little light on how average consumer expectations should be determined. Some illustrative examples suggest – but do not explicitly state – that expectations would be determined by the nature of the products and services the business provides the consumer, meaning that disclosing a data processing practice in a privacy policy would not be enough to create an expectation if the processing is not essential to the provision of the product and service.
  • Confusion as to whether the law is opt-out or opt-in. The CCPA/CPRA is an opt-out law; consent is only required for the sale or sharing of personal information related to consumers under age 16 or for a secondary use not disclosed at the time of collection. But the proposed rule that would require "collection, use, retention, and/or sharing" to be "reasonably necessary and proportionate" to achieve the purpose(s) for which the personal information was collected or processed seems to require opt-in consent for many collections of sensitive personal information and sales of personal information. Examples offered to demonstrate the rule suggest that explicit consent would be required for collection of geolocation information through a mobile app, sale of geolocation information and disclosure of a customer mailing list in a way that it would be used for marketing of other companies' products and services. This interpretation has significant implications; it is hard to see how most, if not all, sales of personal information could be "necessary" to providing the products and services.
  • Website user experience likely to become clunkier. Various provisions would require new pop-ups, links and disclosures that are likely to substantially alter the user experience on websites and in stores – and many of these features nudge the legal framework toward opt-in. For example, while there is no requirement in the CCPA/CPRA for a business to request that a user accept cookies, the draft regulations call out that, under the symmetry rule, cookie banners must offer both accept and decline options. See § 7004(a)(2)(C). The business must disclose in its privacy policy how a consumer can use an opt-out preference signal [§ 7011(e)(3)(F)] and display to a user whose browser sends such a signal whether it was honored [§ 7025(c)(6)]. The requirements for offering privacy disclosures are equally detailed. For instance, the draft provides that the "notice at collection" provided at or before the point of collection cannot be satisfied by linking to the full privacy policy; a business must deep-link to the specific section of its privacy policy that provides the relevant information [§ 7012(f)], and that link must be provided "in close proximity" to the fields where information is sought or to the submit button. § 7012(c)(2). These website and disclosure requirements may effectively set national or global standards; it may not be feasible for businesses to meet these obligations just for California website visitors.
  • Enhanced downstream accountability. Sections 7051 and 7053 describe the requirements that would apply to vendor contracts. Of note, the draft seemingly would create a new duty for businesses to conduct due diligence on service providers, contractors and third parties. § 7051(e) ("[w]hether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and these regulations."); § 7053(e) (similar). Contracts with service providers, contractors and third parties would also be required to state the "specific" purpose for disclosing the personal information, and this statement cannot be "in generic terms," which could mean that businesses must undertake significant work to update contracts. § 7051(a)(1); § 7053(a)(1).

Other Noteworthy Provisions

  • The draft would create new definitions for squishy terms such as "disproportionate effort" and "frictionless manner." §§ 7001(h), (k). While perhaps helpful in theory, these definitions seemingly have little grounding in actual business operations.
  • Requests to opt-out of sales and/or sharing need not be verifiable and must be communicated to third parties. §§ 7026(d), (f).
  • Section 7050(c) would make explicit that an entity who contracts with a business to provide targeted ads, i.e., "cross-contextual behavioral advertising," cannot be a service provider but rather is a third party, and such sharing is subject to opt-out.
  • Along the same lines, a self-serve cookie management control process alone would not be sufficient to effectuate requests to opt-out of sales and/or sharing, because a cookie tool addresses sharing and not sales. § 7026(a)(4).
  • Businesses would be required to list in their privacy policies the names of all third parties that the business allows to collect personal information from the consumer, which would include the names of all third parties who set cookies on the business's website. § 7012(g).
  • If a business receives a request to correct information it received from a consumer data broker, it must both correct the information and ensure that it is not overridden by inaccurate information later re-received from the data broker. [See § 7023(c).] The business must also disclose to the consumer the name of the data broker that supplied the inaccurate information. § 7023(i).

What Happens Next

Although the CPRA requires the Agency to finalize regulations by July 1, 2022, the state's protracted rulemaking process means final regulations are unlikely until January 2023, if not later. The Agency's next public meeting is scheduled for June 8, 2022, and it has listed discussion of the draft regulations on the agenda.

How We Can Help

If you have any questions about the draft regulations and the potential impact to your business, please contact the authors.


Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.