Early Draft of California Privacy Regulations Focuses on Opt-Out Rights, Disclosures
- The California Privacy Protection Agency (the Agency) released a preliminary draft of its proposed regulations implementing the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
- The lengthy draft includes detailed requirements for obtaining and implementing consumer direction regarding the sale and sharing of personal information, but it does not cover a number of hot topics, including unique employee and business-to-business issues, retention, cybersecurity audits, privacy risk assessments and automated decision-making.
- Because the regulations already are unlikely to be finalized in advance of the CPRA's effective date of Jan. 1, 2023, businesses should begin big-picture planning now.
The newly formed California Privacy Protection Agency (the Agency) quietly released a preliminary draft of its proposed regulations on May 27, 2022, implementing the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). The 66-page draft includes seven full pages of detailed requirements for obtaining and implementing consumer direction regarding the sale and sharing of personal information, but it does not cover a number of privacy hot topics mentioned in the grant of rulemaking authority to the Agency.
The Agency is required to conduct a formal notice and comment process on the proposed regulations, creating a strong probability of future changes. However, some of the more complicated proposed obligations – particularly around opting-out of sales and sharing – will require significant preparation, planning and budget to implement. Because the rules already are unlikely to be finalized in advance of the CPRA's effective date of Jan. 1, 2023, businesses should begin big-picture planning now.
Range of Topics Covered
It will take substantial time for business and legal teams to fully digest the implications of this lengthy draft and begin to strategize on a plan to operationalize concepts while still leaving flexibility for inevitable changes before the regulations become final. On first read, however, some themes and likely operational challenges emerge:
- Heavy focus on consumer-friendly presentation of privacy options. The draft rules push a detailed vision as to how a consumer should experience the process of making privacy choices, including requiring that the process be "easy to understand," prohibiting "dark patterns," requiring "symmetry in choice" and prohibiting manipulative language. This would create significant leeway for the Agency to bring actions against businesses based on subjective judgments about their websites. Further, businesses are likely to experience tension between this principle and the complex requirements related to website disclosures and pop-ups discussed below.
- Confusion as to whether the law is opt-out or opt-in. The CCPA/CPRA is an opt-out law; consent is only required for the sale or sharing of personal information related to consumers under age 16 or for a secondary use not disclosed at the time of collection. But the proposed rule that would require "collection, use, retention, and/or sharing" to be "reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed" seems to require opt-in consent for many collections of sensitive personal information and sales of personal information. Examples offered to demonstrate the rule suggest that explicit consent would be required for collection of geolocation information through a mobile app, sale of geolocation information and disclosure of a customer mailing list in a way that it would be used for marketing of other companies' products and services. This interpretation has significant implications; it is hard to see how most, if not all, sales of personal information could be "necessary" to providing the products and services.
- Enhanced downstream accountability. Sections 7051 and 7053 describe the requirements that would apply to vendor contracts. Of note, the draft seemingly would create a new duty for businesses to conduct due diligence on service providers, contractors and third parties. § 7051(e) ("[w]hether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and these regulations."); § 7053(e) (similar). Contracts with service providers, contractors and third parties would also be required to state the "specific" purpose for disclosing the personal information, and this statement cannot be "in generic terms," which could mean that businesses must undertake significant work to update contracts. § 7051(a)(1); § 7953(a)(1).
Other Noteworthy Provisions
- The draft would create new definitions for squishy terms such as "disproportionate effort" and "frictionless manner." §§ 7001(h), (k). While perhaps helpful in theory, these definitions seemingly have little grounding in actual business operations.
- Requests to opt-out of sales and/or sharing need not be verifiable and must be communicated to third parties. §§ 7026(d), (f).
- Section 7050(c) would make explicit that an entity who contracts with a business to provide targeted ads, i.e., "cross-contextual behavioral advertising," cannot be a service provider but rather is a third party, and such sharing is subject to opt-out.
- Along the same lines, a self-serve cookie management control process alone would not be sufficient to effectuate requests to opt-out of sales and/or sharing, because a cookie tool addresses sharing and not sales. § 7026(a)(4).
- Businesses would be required to list in their privacy policies the names of all third parties that the business allows to collect personal information from the consumer, which would include the names of all third parties who set cookies on the business's website. § 7012(g).
- If a business receives a request to correct information it received from a consumer data broker, it must both correct the information and ensure that it is not overridden by inaccurate information later re-received from the data broker. § 7023(c). The business must also disclose to the consumer the name of the data broker that supplied the inaccurate information. § 7023(i).
What Happens Next
Although the CPRA requires the CPPA to finalize regulations by July 1, 2022, the state's protracted rulemaking process means final regulations are unlikely until January 2023, if not later. The Agency's next public meeting is scheduled for June 8, 2022, and it has listed discussion of the draft regulations on the agenda.
How We Can Help
If you have any questions about the draft regulations and the potential impact to your business, please contact the authors.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.