Written Comments Due by November 21
On November 3, 2022, the California Privacy Protection Agency (CPPA, or the Agency) issued modified proposed regulations implementing the California Privacy Rights Act (CPRA),[1] which revise the initial proposed regulations released on July 8, 2022. The Agency’s Notice of Modifications to Text of Proposed Regulations triggers a 15-day public comment period, which ends on November 21, 2022. Below we identify and analyze the key changes from the initial proposed regulations introduced by the modified proposed regulations and discuss the potential topics to be covered in future regulations as discussed during the CPPA Board meeting held on October 28-29, 2022 (“the CPPA October Board Meeting”).
Enforcement of the CPRA (§ 7301)
The Agency, which was mandated by the CPRA statute to finalize regulations by July 1, 2022, added explicit language in § 7301(b) that the Agency could consider the delay in issuing the final regulations as a factor when making enforcement decisions. The exact language states: “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.” This language was included after the CPPA October Board Meeting, in which the Board members agreed that while the Agency cannot delay the enforcement date as suggested by public comments, this language is a good middle ground to provide reassurance to the business community, acknowledging how the delay may pose challenges to businesses’ compliance efforts.
Data Minimization (§ 7002)
The modified proposed regulations bring a host of changes to § 7002 on data minimization. Most importantly, the modified proposed regulations introduce “factors” to consider when determining whether a business’s practices fulfill their data minimization obligations. For example, in order to assess whether a particular use of personal information is consistent with consumers’ reasonable expectations, the modified proposed regulations offer five “factors.” Specifically, a business must consider:
- The relationship between the consumers and the business;
- The type, nature, and amount of personal information;
- The source of the personal information;
- The specificity, explicitness, prominence, and clarity of disclosures to the consumers; and
- The degree to which the involvement of service providers, contractors, third parties, or other entities in the collecting or processing of personal information is apparent to the consumers.
The modified proposed regulations also identify factors for determining whether another disclosed purpose is compatible with the context for collection, as well as whether the collecting or processing of personal information is reasonable and proportionate to achieve the purposes. The Agency in the CPPA October Board Meeting emphasized that these factors are not meant to be dispositive.
Disclosure Requirements (§ 7012)
Under the modified proposed regulations, a business no longer needs to identify the names of the third parties that it allows to control the collection of personal information in the business’s Notice at Collection. At the CPPA October Board Meeting, Lisa Kim, Deputy Attorney General of the California Department of Justice (CA DOJ)—who recommended this change—stated that while removing this requirement was intended to simplify compliance at this time, the DOJ will continue to monitor how the change plays out in the marketplace. Deletion of this requirement is welcome news for businesses that may face compliance burdens keeping their Notices at Collection constantly updated with every new or terminated third-party contract.
Opt-Out Preference Signal (§ 7025(c))
Although § 7025(c) on opt-out preference signals is notable for its many changes, the modified proposed regulations still do not provide clarity on the technical specifications for processing opt-out preference signals, other than adding a “JavaScript object” as an example signal format (but without clarifying what properties or methods businesses should expect to be contained within such objects). Despite public comments asking the Agency to provide greater clarity in this area, Lisa Kim (CA DOJ) took the position in the CPPA October Board Meeting that no other technical specifications for opt-out preference signals are needed in the regulations. She also made clear that the CA DOJ interprets the CPRA statute as mandating businesses to honor opt-out preference signals.
The modifications to § 7025 instead focused on how and when a business should treat a preference signal:
- Meaning of a “known” consumer: The Agency clarified that the requirement in § 7025(c)(1) to honor signals from consumers, “if known,” refers to signals not only from consumers who are logged in, but also “any consumer profile associated with that browser or device, including pseudonymous profiles.” For example, if a business identifies that User 1 is visiting the business’s website both with a Browser A and also a Mobile Device B, then the business must process an opt-out preference signal received from Browser A as User 1’s request to opt out on both Browser A and Mobile Device B, even if User 1 is not logged in on Browser A.
- Signals that conflict with consumers’ opt-in to financial incentive programs: The modified proposed regulations clarified that if a consumer’s opt-out preference signal conflicts with their previous decision to join a financial incentive program, then businesses have two choices. If a business asks the consumer to affirm their intent but the consumer does not respond, then the business may ignore the opt-out preference signal. But if a business does not ask, then the business must still process the opt-out preference signal as a valid request. The Agency explained that this is to disincentivize businesses from not asking consumers.
Requests to Limit Use/Disclosure of Sensitive Personal Information (§ 7027(a))
The Agency also clarified when businesses are subject to consumers’ requests to limit the use and disclosure of sensitive personal information in § 7027(a). Although this requirement was plain in the CPRA statute, the modified proposed regulations reiterate that “sensitive personal information that is collected or processed without the purpose of inferring characteristics is not subject to requests to limit” and go on to provide an example of when the processing of sensitive personal information is without the purpose of inferring characteristics about a consumer. Specifically, the modified proposed regulations state that “a business that includes a search box on their website by which consumers can search for articles related to their health condition may use the information provided by the consumer for the purpose of providing the search feature without inferring characteristics about the consumer.”
Dark Patterns (§ 7004)
The modified proposed regulations provide greater flexibility for businesses to demonstrate “symmetry in choice,” which refers to a business obligation that the path that a business provides for a consumer to exercise a privacy-protective option—such as presenting a consumer with a choice for opt-in—cannot be longer than the path to exercise a less-privacy-protective option. Previously, the example in § 7004(a)(2)(B) stated that when a user is presented with a choice to opt in, “an equal or symmetrical choice would be ‘Yes’ and ‘No’ . . .,” indicating that a “Yes” and “No” option is the only way for a business to demonstrate symmetry. In the latest draft, the Agency changed the language to “an equal or symmetrical choice could be ‘Yes’ and ‘No’ . . .,” to make clear that businesses can use other ways to demonstrate symmetry. The Agency also deleted two other examples of dark patterns in order to simplify implementation of the regulations.
Requirements for Service Providers and Contractors (§ 7050)
Permissible Processing of Personal Information by Service Providers and Contractors (§ 7050(a))
The modified proposed regulations provide further details on the purposes for which service providers and contractors may retain, use, and disclose personal information collected from or through a business. Some notable additions include:
- Scope of the Security Exception: Section 7050(a)(4) clarifies that service providers and contractors may use consumers’ personal information to not only “detect” but also “prevent” and “investigate” security incidents. This change is in response to public comments that the word “detect” could be interpreted too narrowly.
- Default Business Purposes: The modified proposed regulations also make clear in §§ 7050(a)(3)–(4) that service providers and contractors may utilize the exceptions for (1) improving services provided by the service provider or contractor to the business and (2) security, even if these business purposes were not specified in the written contract with the business.
Contractual Requirements (§ 7051(a))
The modified proposed regulations removed the time frame from the contractual requirements in §§ 7051(a)(8) and 7053(a)(6) that the business must require the service provider, contractor, and third parties to notify the business no later than five business days after it makes a determination that it can no longer meet its obligations under the CPRA. The Explanation of Modified Text states that this deletion is to provide greater flexibility to businesses in implementing the new statutory obligation. Additionally, the modified proposed regulations clarify that a service provider or contractor’s contractual requirements to comply with all applicable sections of the CPRA statute and regulations apply only “to the personal information that [the service provider or contractor] [c]ollected pursuant to the written contract with the business.”
Expected Future Changes in the Regulations
During the CPPA October Board Meeting, the Board suggested that the Agency may implement new exceptions for the request to limit use and disclosure of sensitive personal information, including an HR/employee data exception, as well as a health-related research exception. Because these are significant changes and therefore not included in the newest modified proposed regulations, the Agency stated that it would consider including them in the future iteration of the regulations.
Next Steps
The proposed regulations are subject to a mandatory 15-day public comment period. The CPPA will accept written comments until 8:00 a.m. PT on November 21, 2022. Comments may be submitted by the following means:
Electronic:
Comments may be submitted electronically to regulations@cppa.ca.gov by including “CPPA Public Comment” in the subject line and including the comment as an attachment to the email.
Mail:
California Privacy Protection Agency
Attn: Brian Soublet
2101 Arena Blvd., Sacramento, CA 95834
After the 15-day comment period, Agency staff will prepare a final set of regulations, on which the Board will vote again. If the Board approves the final set, then the Office of Administrative Law has 30 business days to review the rules (which will likely be 45-50 days, given the holidays), deciding whether to approve or deny the package.
We encourage businesses affected by the modified proposed regulations to submit comments to the CPPA. Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues, and will monitor CPPA guidance, enforcement, and litigation pursuant to the CPRA to assist clients with compliance. For more information or advice concerning your CPRA compliance efforts, please contact Tracy Shapiro, Eddie Holman, Clinton Oxford, Yeji Kim, or any member of the firm’s privacy and cybersecurity practice.
[1] The proposed regulations are referred to as “CCPA regulations” instead of “CPRA regulations.” This is because the CPRA was a ballot initiative that amended the CCPA; it did not create a separate, new law. To this end, the proposed regulations update the existing CCPA regulations and add new rules to implement and interpret the text of the CCPA, as amended by the CPRA. We refer to the latest version of the modified proposed CCPA regulations as the “modified proposed regulations” in this alert. Cited section references are to the modified proposed regulations unless otherwise stated.