On May 27, 2022, the California Privacy Protection Agency (CPPA) released a much-anticipated first draft of some of the regulations implementing the California Privacy Rights Act (CPRA).[1] The release accompanied the CPPA’s announcement of its next public meeting on June 8, 2022, where the agency will, among other agenda items, consider possible action regarding the draft regulations and the delegation of rulemaking authority functions to the CPPA’s executive director. Ahead of this meeting, on June 3, the CPPA released a draft Initial Statement of Reasons (ISOR) to accompany the draft regulations, which explains the purpose and necessity of the draft regulations, along with an FAQ offering further information about the draft regulations and the rulemaking process. While the formal CPRA rulemaking process has not yet officially begun, we expect to learn more about a potential schedule for the notice and comment period for the regulations at the CPPA’s June 8 meeting.

For a higher-level overview of the draft regulations’ key takeaways, please see our Wilson Sonsini Alert.

Notable Provisions

Although the first round of draft regulations covers only a handful of the rulemaking topics identified in the CPPA’s September invitation for preliminary comments, the draft nonetheless proposes significant and prescriptive changes to businesses’ privacy obligations in California. We outline the notable provisions below.

Collection and Use Restrictions (§ 7002)

The draft regulations adopt a restrictive interpretation of the CPRA’s data minimization and purpose limitation principles, and muddy the waters regarding whether the CPRA, which on its face is an opt-out consent statute, may now implicitly require businesses to collect opt-in consent from users for many ancillary data uses. The draft regulations require that a “business’s collection, use, retention, and/or sharing of a consumer’s personal information” must be “consistent with what an average consumer would expect when the personal information was collected,” or “may also be for other disclosed purpose(s) if they are compatible with what is reasonably expected by the average consumer.” The draft regulations go on to specify that a business must “obtain the consumer’s explicit consent. . . before collecting, using, retaining, and/or sharing the consumer’s personal information for any purpose that is unrelated or incompatible” with the purpose for which it was collected or processed, and give several illustrative examples.

One example in the draft regulations explains that an internet service provider that collects a consumer’s geolocation data to provide its service may use that geolocation data for compatible uses (e.g., tracking service outages, determining aggregate bandwidth by location, and other related uses reasonably necessary to maintain the health of the network), but specifies that the business in this example could not sell or “share”—which the CPRA statute defines as disclosing a consumer’s personal information to a third party for cross-context behavioral advertising—the consumer’s geolocation data with data brokers unless the business obtained the consumer’s explicit consent. The draft regulations state that such selling or sharing with data brokers is “not reasonably necessary and proportionate” to the provision of internet services and therefore would require explicit consent. The draft regulations do not provide any examples where selling or sharing personal information is deemed to be necessary, proportionate, or compatible with the provision of a business’s services. As drafted, this would potentially turn the CPRA into an opt-in consent model, particularly for free, ad-supported services, because any purposes that an “average consumer” may not reasonably expect would now require explicit consent.

Dark Patterns and Requirements for Submitting Requests or Obtaining Consent (§§ 7004, 7003)

The draft regulations set forth five principles—not contained in the CPRA statute—that businesses must adhere to when implementing methods for consumers to submit requests and when obtaining consumer consent where required. A violation of these principles, except as expressly allowed, would be considered a “dark pattern” under the draft regulations. The principles are:

  1. The language used must be “easy to understand.”
  2. Consumers must have “symmetry in choice” (i.e., the path for a consumer to exercise a privacy-protective option cannot be longer than the path to exercise a less-privacy-protective option). For example, a “Yes” button may not be more prominent (larger, or in a more eye-catching color) than a “No” button.
  3. Businesses must “avoid language or interactive elements that are confusing to the consumer” (e.g., an ON/OFF toggle without further information).
  4. Businesses must “avoid manipulative language or choice architecture,” including words that “guilt” or “shame” the consumer (e.g., messages like “No, I like paying full price” or “No, I don’t want to save money,” displayed when a consumer is rejecting a financial incentive).
  5. Consumer requests must be “easy to execute” without adding unnecessary burden or friction to the submission process. Businesses should test their submission methods to ensure they are functional. The ISOR makes clear “that a dark pattern does not require intent to subvert consumer choice, but rather that it has the effect of subversion.”

These principles tie closely with formatting requirements regarding how disclosures must be displayed to consumers. For example, the draft regulations require businesses to post conspicuous website links (e.g., links to the privacy policy and to Do Not Sell or Share), and to “use a font size and color that is at least the approximate size or color as other links used by the business on its homepage.” The draft regulations further specify the placement, format, and design of website and mobile app disclosures to ensure readability on different sized screens.

Privacy Policy and Notice Requirements (§§ 7011 – 7012)

The draft regulations largely incorporate the CPRA’s statutory requirements for the contents of privacy policies and then add new requirements. They specify that if a business processes “frictionless” opt-outs, it must explain in its privacy policy how consumers can implement the “frictionless” opt-outs. They also add a new, GDPR-like requirement that businesses identify all third parties to whom they disclose consumers’ personal information.

Importantly, the draft regulations specify that more than one business may control the collection of a consumer’s personal information and that, in such cases, both the first-party business and any third-party businesses would have to provide a notice at collection. For example, if a business allows another business, acting as a third party, to collect personal information from the first-party business’s website, both businesses would have to provide a notice at collection. In another illustrative example provided in the draft regulations, both a coffee shop and a business providing Wi-Fi services at the coffee shop would have to provide notices at collection, with the coffee shop posting conspicuous signage and the Wi-Fi service posting a notice on the first webpage consumers see before connecting to the service. If a first-party business allows third parties to control the collection of personal information, it must provide in its notice at collection either the names of all the third parties or information about the third parties’ business practices.

Opt-Out Notice and Links (§§ 7013 – 7015)

The draft regulations introduce a new, alternative option to posting the CPRA’s “Do Not Sell or Share My Personal Information” link, which they refer to as processing opt-out preference signals in a “frictionless manner” in accordance with Section 7025(f)-(g). An opt-out preference signal is an automated signal sent by a platform, technology, or mechanism that allows consumers to indicate their intent to exercise their opt-out rights. Under the draft regulations, businesses would have three opt-out link options: (1) provide the “Do Not Sell or Share My Personal Information” link along with (if applicable) the “Limit the Use of My Sensitive Personal Information” link; (2) provide a single alternative opt-out link and icon that combines both options; or (3) process opt-out preference signals in a frictionless manner (which we discuss in further detail below). In the ISOR, the CPPA maintains that the introduction of this new “frictionless” opt-out operationalizes Section 1798.135(b)(1) of the CPRA statute, which, according to the CPPA, provides that the choice between posting and not posting certain links depends on the way in which the business processes an opt-out preference signal. Also, the draft regulations emphasize that clicking on one of the opt-out links must either “immediately effectuate the consumer’s right to opt-out” or direct the consumer to the relevant notice.

The draft regulations also emphasize that businesses must provide a notice to opt out of sale/sharing in the same manner in which they collect the personal information being sold or shared. The draft regulations provide several new examples, including that connected devices (e.g., smart TVs and smart watches) must provide notice in a way the consumer would encounter the notice while using the connected device, and that an augmented reality or virtual reality company (e.g., gaming or mobile applications) must provide notice while in the augmented or virtual reality environment. If this example is included in the final version of the regulations, this may be the first requirement to provide a privacy notice in “the metaverse.”

Furthermore, the draft regulations permit businesses to offer a single opt-out link instead of both a “Do Not Sell or Share My Personal Information” and a separate “Limit the Use of My Sensitive Personal Information” link. The alternative opt-out link may be titled either “Your Privacy Choices” or “Your California Privacy Choices,” and must be accompanied by a specific opt-out icon to the right or left of the link, which must be approximately the same size as “any other icons used by the business on its webpage.”

Mandatory Recognition of Opt-Out Preference Signals (§ 7025)

Whereas the CPRA statute supports an interpretation that honoring opt-out preference signals is one option for providing a means for consumers to opt out of the sale or “sharing” of their personal information and to limit the use of their sensitive personal information,[2] the draft regulations make acceptance of this signal as a means for opting out of the sale or “sharing” of personal information mandatory.[3] Indeed, § 7025(e) of the draft regulations expressly rejects an interpretation of the CPRA that would permit businesses to choose whether to post opt-out links or accept opt-out preference signals. The ISOR sheds some light on the CPPA’s rationale, namely, that the CPPA believes that a cross-reference in the CPRA statute concerning the technical specifications for responding to an opt-out signal indicates that there is merely a “choice” between posting and not posting certain links, which depends on the way in which the business processes an opt-out preference signal. We anticipate that the debate about whether opt-out signals must be accepted will continue throughout the notice and comment period.

Consistent with the CPPA’s interpretation, the draft regulations allow businesses to choose between (1) processing opt-out preference signals and providing the required “Do Not Sell or Share My Personal Information” link or (2) processing opt-out preference signals in a “frictionless manner”—a newly introduced concept—without providing the required link. Under the draft regulations, processing opt-out signals in a “frictionless manner” is a steep hurdle that, among other things, would require a business to be able to fully effectuate a consumer’s opt-out request (i.e., apply it to both online and offline sales) without requesting further information.

The draft regulations also fail to define a meaningful technical standard for an opt-out preference signal and instead suggest that businesses must comply with any signal they receive, so long as it is “in a format commonly used and recognized by businesses,” such as “an HTTP header field” (without providing any details as to the contents or expected values of the field). Although the draft regulations do not identify any existing specifications by name, the ISOR explains that the CPPA drafted the technical specifications with the intent to build upon the Global Privacy Control, an existing specification, which, as we previously discussed, would not in its current form meet the CPRA’s granular opt-out preference requirements. This lack of clarification will present significant compliance challenges, including, for example, how a business would recognize whether the signal was sent by a California resident or what formats will be considered “commonly used and recognized by businesses.”

Requests to Opt Out of Sale / Sharing (§ 7026)

The draft regulations contain enhanced downstream notice obligations for sales and sharing opt-outs. If a business sells or shares a consumer’s personal information with any third party after the consumer submits an opt-out request but before the business complies with that request, the draft regulations require the business to notify all third parties to whom the business has sold or shared the consumer’s personal information and direct them to comply with the request. While the existing CCPA regulations currently contain a similar requirement, the draft regulations go one step further by requiring the third party to forward the request “to any other person with whom the person has disclosed or shared the personal information during that period.”

Also new to the draft regulations is a requirement that businesses provide a means for consumers to confirm that their request to opt out of sale/sharing has been processed by a business. The draft regulations suggest as examples displaying an opt-out status confirmation text or conveying through a toggle or radio button that the consumer has opted out of the sale of their personal information.

Requests to Limit Use and Disclosure of Sensitive Personal Information (§ 7027)

The CPRA statute identifies five purposes for which businesses may process personal information without being required to provide consumers a right to limit the use and disclosure of their sensitive personal information and authorizes the CPPA to draft regulations identifying additional permissible purposes. Although the draft regulations do not identify any new permissible purposes, they provide examples of processing activities that might fall within each of the enumerated purposes, which may prove helpful for businesses attempting to understand whether they need to provide a right to limit.[4]

Requests to Delete (§ 7022)

The draft regulations largely track the CPRA’s deletion requirements, but elaborate on some key points. For example, as required by the CPRA statute, businesses are required to comply with a consumer’s request to delete their personal information by deleting, deidentifying, or aggregating the information in their own systems, notifying service providers and contractors to delete the information from their records, and notifying all third parties to whom the business has sold or shared the information to also delete the information unless this “proves impossible or involves disproportionate effort.” If notifying all third parties would be impossible or involve disproportionate effort, businesses must provide a factual basis for that claim and cannot simply assert it. Additionally, the draft regulations expressly state that a business that has failed to put in place adequate processes and procedures to comply with consumer requests cannot claim that responding to a consumer’s request requires disproportionate effort.

Requests to Correct (§ 7023)

The draft regulations add a new section dedicated to the CPRA’s right to request correction of inaccurate personal information. A business must accept, review, and consider any documentation that a consumer provides in connection with their request to correct. A business that complies with a consumer’s request to correct must correct the personal information at issue and implement measures to ensure that the information remains corrected. Additionally, businesses must instruct all service providers and contractors to make the necessary corrections and ensure the information remains corrected. Alternatively, businesses may delete the contested personal information rather than correcting it if the deletion does not negatively impact the consumer, or the consumer consents to the deletion. Notably, the draft regulations also require businesses to provide the consumer with the name of the source from which the business received the allegedly inaccurate information if the business itself is not the source; this may be difficult for many businesses to comply with absent detailed data trails, and could have a profound impact on the data broker industry.

A business may deny the request to correct if, based on the totality of the circumstances, it determines that the contested information is more likely than not accurate. When denying a consumer’s request, the business must explain the basis for the denial, including any conflict with federal or state law, exception to the CCPA, inadequacy in the required documentation, or contention that compliance involves disproportionate effort.[5] A business may deny a consumer’s request to correct if it denied the same alleged inaccuracy within the past six months. If the consumer provides any new or additional documentation to prove the information is inaccurate, however, the business must treat the request to correct as new. A business may also deny a request to correct if it has a good-faith, reasonable, and documented belief that the request is fraudulent or abusive. Businesses should implement strong internal processes to ensure accurate documentation of incoming consumer requests, as well as of any steps taken by the company to verify or respond to the request, or to contact service providers or contractors informing them of the request.

Requests to Know (§ 7024)

The draft regulations leave intact most of the existing CCPA regulations’ procedural requirements concerning requests to know. Nevertheless, there are a couple of notable additions. First, there is an apparent inconsistency between how the CPRA statute and the draft regulations treat requests for personal information extending beyond a 12-month period. Whereas the statute says that “a consumer may request that the business disclose the required information beyond the 12-month period,” the draft regulations state that in response to any request to know, the “business shall provide all the personal information it has collected and maintains about the consumer on or after January 1, 2022, including beyond the 12-month period preceding the business’s receipt of the request” (emphases added). In line with this departure from the statute, the draft regulations strike all other references to the 12-month look-back period for requests to know contained in the existing CCPA regulations. The ISOR does not offer any explanation about why the CPPA interprets the CPRA statute to require businesses to provide information beyond the 12-month period, even in situations where a consumer has not requested information dating this far back.

Second, the draft regulations attempt to provide a standard to govern a business’s determination that providing information beyond a 12-month period would be “impossible or would involve disproportionate effort.” Specifically, the draft regulations state that where a business believes that providing data beyond the 12-month period would involve such an “impossible” or “disproportionate” effort, the business must “provide the consumer a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot provide personal information beyond the 12-month period.” A bare assertion that the response would be “impossible” or “disproportionate” will not suffice.

Service Providers, Contractors, and Third Parties (§§ 7050, 7052)

Although the CPRA statute already excluded cross-context behavioral advertising from the list of “business purposes” for which service providers and contractors are permitted to process personal information on behalf of businesses, the draft regulations now expressly state that any person that “contracts with a business to provide cross-context behavioral advertising is a third party and not a service provider or contractor.” The draft regulations go on to provide examples of common advertising activities that would fall outside the business-service provider relationship, such as when a business submits its customer list to a social media company to identify users on that platform for targeted advertising (i.e., matched or custom audiences). The draft regulations’ interpretation that, as a general proposition, matched or custom audience creation cannot be a service provider activity is not necessarily consistent with the CPRA statute. That is, depending on the type of data used to create such an audience, it is possible that this advertising activity does not meet the statute’s definition of “cross-context behavioral advertising.”

Under the draft regulations, third parties are required to comply with a consumer’s request to delete or to opt out of sale/sharing forwarded to them from a business “in the same way a business is required to comply with the request.” The draft regulations acknowledge, however, that a third party in receipt of an opt-out request may become a service provider or contractor if the third party complies with the CPRA’s requirements for service providers. In practice, this provision appears to support certain frameworks introduced in the advertising industry, such as the IAB’s Limited Service Provider Agreement, in which a signatory third party becomes a limited service provider upon receiving an opt-out request from the business.

Contracting Requirements (§§ 7051, 7053)

The CPRA statute identifies several detailed contracting requirements for businesses that disclose personal information to service providers, contractors, and third parties. Notably, the contracting requirements in the draft regulations do not mirror the statutory requirements and, in some instances, add entirely new obligations. For example, the draft regulations now prescribe a new, five-day time period in which a service provider, contractor, or third party must notify the business if it determines it can no longer comply with the CPRA’s requirements. The draft regulations also require contracts with service providers and contractors to identify the specific business purposes and services for which personal information will be processed and prohibit describing the purposes in generic terms, such as referencing the entire contract generally. Contracts with third parties have a similar requirement. Of particular note, the draft regulations state that a person that does not have a contract that complies with the regulations’ specific requirements is not a service provider or contractor under the CPRA, and that a third party that does not have a compliant contract “shall not collect, use, process, retain, sell, or share the personal information received from the business.” These requirements are likely to add significant friction to contract negotiations between businesses and their service providers and third parties, as one mistake in meeting the draft regulations’ requirements risks invalidating the purpose of the contract and exposing both parties to unexpected liability.

Finally, the draft regulations introduce a new duty to conduct due diligence on service providers, contractors, and third parties if the business wants to take advantage of the liability shield in Sections 1798.145(i)(1)-(2) of the CPRA statute for compliance failures of the service provider, contractor, or third party without the business’s knowledge. For example, the draft regulations state that “[w]hether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and these regulations.” The draft regulations call out as examples never enforcing contractual terms or audit rights as circumstances where a business might not be able to rely on the defense that it did not have reason to believe the service provider or contractor intended to violate the CPRA. This requirement tees up a potentially impossible compliance requirement for small- to mid-sized businesses that do not have the expertise or resources to reasonably audit substantially larger entities.

Investigations and Enforcement (§§ 7300-7304)

Under the draft regulations, the CPPA maintains broad discretion to initiate investigations, which may result from a sworn complaint, CPPA-initiated investigation, government or private referral, or unsworn or anonymous complaints. Perhaps most significant is the scope of the CPPA’s audit right, and, in particular, the criteria by which the agency may select which entities to audit for compliance with the CPRA. Specifically, the draft regulations grant the CPPA the right to conduct an audit to investigate possible violations of the CPRA. Alternatively, the CPPA may conduct an audit if the subject’s collection or processing of personal information presents significant risk to consumer privacy or security, or if the subject has a history of noncompliance with the CCPA or any other privacy protection law. Otherwise, the draft regulations do not provide any substantive details on how the CPPA will conduct an audit.

Please stay tuned for our upcoming webinar on recent CPRA developments. Further information will be posted on the Wilson Sonsini Goodrich & Rosati Events page and invitations will be sent via email.

We encourage businesses affected by the CPRA draft regulations to submit comments to the CPPA. Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and will monitor CPPA guidance, enforcement, and litigation pursuant to the CPRA to assist clients with compliance. For more information or advice concerning your CPRA compliance efforts, or assistance preparing or submitting a public comment to the CPPA, please contact Tracy Shapiro, Maneesha Mithal, Eddie Holman, Amanda Irwin, Clinton Oxford, or any member of the firm’s privacy and cybersecurity practice.

[1] The draft proposed regulations are referred to as “CCPA regulations” instead of “CPRA regulations.” This is because the CPRA was a ballot initiative that amended the CCPA; it did not create a separate, new law. To this end, the draft regulations propose to update existing CCPA regulations and add new rules to implement and interpret the text of the CCPA, as amended by the CPRA. We refer to these draft CCPA regulations as “draft regulations” in this article.

[2] Section 1798.135(b)(3) of the CPRA states: “A business that complies with subdivision (a) [providing conspicuous opt-out links] is not required to comply with subdivision (b) [allowing consumers to opt out through an opt-out preference signal based on technical specifications set forth in the regulations]. For the purposes of clarity, a business may elect whether to comply with subdivision (a) or subdivision (b).”

[3] Section 7027 of the draft regulations, which governs requests to limit use and disclosure of sensitive personal information, does not incorporate Section 7025’s mandate that businesses honor preference signals for requests to limit. Rather, Section 7027 states that businesses that collect personal information online “shall, at a minimum, allow consumers to submit requests to limit through an interactive form accessible via the ‘Limit the Use of My Sensitive Personal Information’ link, alternative opt-out link, or the business’s privacy policy.” Indeed, Section 7027 contains no references to opt-out preference signals at all, despite this option being expressly contemplated by the CPRA statute. The ISOR explains that this omission was intentional, noting that the CPPA did not address this area in an “effort to reduce the burden on businesses to respond to differing signals, [. . .] because no mechanism currently exists to communicate the expression of these rights,” and “to prioritize the Agency’s limited resources in promulgating regulations . . .”

[4] The CPRA permits businesses to process sensitive personal information to ensure “security and integrity,” a term the statute defines as having three components. As clarified in the ISOR, rather than using the term “security and integrity,” the draft regulations incorporated the three-part definition as three separate permissible purposes. This is why there appear to be two additional permissible purposes for processing sensitive personal information in the draft regulations.

[5] The draft regulations use the term “disproportionate effect” rather than the defined term “disproportionate effort,” but we believe this is a drafting error.