Businesses operating in California should follow the development of the California Consumer Privacy Rights Act regulations because, unless they are significantly modified, they are likely to once more place California on the cutting edge of US privacy regulation.
A public hearing on the draft regulations implementing the California Consumer Privacy Rights Act of 2020 (CPRA) concluded on August 25, 2022. The draft regulations, issued on July 8, 2022, in a notice of proposed rulemaking by the newly created California Privacy Protection Agency (Agency), introduce a number of new features that expand upon the CPRA’s statutory provisions.
Significance of This Step
The notice of proposed rulemaking kicked off the formal comment period for the draft CPRA regulations, which concluded with the public hearing. Because the draft regulations contain many significant departures from the text of the CPRA, there were extensive comments, both in writing in advance of the hearing and during the hearing itself. In the coming months, the Agency will issue the final regulations, with any revisions resulting from the public comments.
As the July 1, 2022, statutory deadline to adopt regulations has passed, the Agency is seeking to move quickly, which is necessary to give businesses time to prepare for compliance by January 1, 2023. That said, the Agency has not promulgated rules on cybersecurity audits, risk assessments, or automated decisionmaking technology at this time, but has indicated that it will do so in the future.
Key Provisions in the Draft Regulations
The draft regulations provide insight into the Agency’s priorities and how it will evaluate a business’s privacy regime. There are a few important provisions particularly worthy of note:
- Data Collection: The CPRA added new limits such that the collection and use of data must be “reasonably necessary and proportionate” to the business purpose. The draft regulations adopt a “reasonable person” standard, based on “what is reasonably expected by the average consumer.” The draft regulations provide the example of a flashlight app that collects geolocation data (which is clearly not necessary for providing the light), stating that this would not be a reasonably necessary and proportionate collection or use of consumer data. However, an internet service provider may collect geolocation data from its consumers if it is using it to “maintain the health of the network.”
- New Consumer Rights: New to the CPRA are the consumer rights to correct personal information, to limit use of sensitive personal information, and to opt out of data sharing (in addition to data sales, which was included in the CCPA). The Agency’s draft regulations provide some guidance as to how to operationalize these new requests. One interesting development is that these rights may be limited to the extent that a “disproportionate effort” is necessary for a business to comply. This is essentially a balancing test that weighs the consumer’s right with respect to a given request against the burden that complying with the request could impose on the business. The regulations give some examples (e.g., consumer data that is not in a searchable format), but they also caution that a business’s claim of disproportionate effort cannot be based on a failure to create adequate processes to respond to a consumer request.
- Obtaining Consumer Consent: The CPRA added requirements for “symmetry of choice” in seeking consumer consent regarding the use of personal data. Businesses must avoid manipulative language and cannot make opting out more complicated than consenting. For example, it is not acceptable to defer the chance to opt out with options like “Ask me later” or “No, I don’t want to save money.” Providing a “Yes” button in a larger font or more appealing color or format than the “No” button would also constitute a lack of symmetry of choice. The draft regulations also provide that withdrawing consent must be as simple as giving it in the first instance.
- Increased Transparency: The draft regulations include new notice requirements designed to increase transparency for consumers. Privacy notices must specify the categories of sensitive personal information collected and data retention periods.
- Requirements for Working with Third Parties: Privacy policies will need to include notification of third-party data collection, including identifying the third parties. There are also expanded contractual requirements for third-party service providers and contractors. Agreements with third-party service providers would need to state the “specific” purpose for disclosing the personal information—a statement “in generic terms” is not sufficient. Therefore, many businesses may need to amend their existing service provider agreements.
- Enforcement: The Agency offers several mechanisms for enforcement of the newly amended CCPA. It will accept individual complaints, but they must be sworn under penalty of perjury. It may also initiate its own investigations, which could lead to probable cause proceedings that will be closed to the public. The Agency may also undertake audits, either announced or unannounced, to investigate possible violations, protect consumer privacy or security, or examine the practices of entities with a history of noncompliance with privacy laws.
Does This Proposal Differ from the Draft Rule?
The July 8 draft regulations do not vary materially from the draft rule the Agency released in May 2022.
Next Steps for Businesses
Businesses subject to the CPRA will face significant new privacy obligations, so they should begin laying the groundwork now by developing the broad strokes of a compliance program to meet the new requirements, even though the regulations remain a work in progress. The CPRA’s effective date of January 1, 2023, is fast approaching, with enforcement commencing on July 1, 2023.
For additional information on the CPRA and other data privacy legislation, visit our US Consumer Privacy Acts resource page.