On May 27, 2022, the California Privacy Protection Agency (CPPA) released draft regulations (though still not yet part of a formal rulemaking process) that include what would be seismic changes to California Privacy Rights Act (CPRA) requirements that businesses have been preparing for. Below, we summarize the significant changes that would be ushered in by the CPPA’s draft regulations:
-
“Symmetry in Choice”: Newly added Section 7004 requires that affirmative consent have “symmetry in choice.” The proposed rule would clearly prohibit the use of certain language that the CPPA has expressly identified as asymmetric (g., “Yes” versus “Ask me later” for an opt-in) but avoids prescriptive rules that define exactly when choices are asymmetric.
-
Notification of Third-Party Collection: In the new Section 7012(g), if a first party allows a third party to control the collection of personal information from the first party’s website—say, through an analytics cookie—then the first party must notify the consumer of all the third-party collection methods enabled on its website or provide the consumer with information about the third party’s information handling practices. The draft regulations also apply to third parties collecting data from another business’s physical location. For example, if a coffee shop is providing Wi-Fi to its customers, the coffee shop must have signage directing consumers to the Internet service provider’s (ISP) privacy policy.
-
Introduction of Right to Limit Use of Sensitive Personal Information: CPRA grants consumers the right to limit the use of their sensitive personal information in certain circumstances. Section 7027 puts some meat on the bones as to how the CPPA expects this limitation right to work, including granting businesses 15 business days to comply with a specific limitation request.
-
Building the Process around Right to Correct: Likewise, draft regulation Section 7023 operationalizes how a business needs to handle a consumer’s correction request. Once the consumer submits documentation to support their correction, the business can comply, deny or delete the contested data based on the business’s need for the data or if correcting the data creates disproportionate effort. Critically, this draft regulation appears to balance the burden and risks imposed on businesses by providing safeguards in the event of duplicative or fraudulent correction requests.
-
Embracing Do Not Track Signals: Section 7025 of the draft regulations may catch many by surprise because it attempts to make it mandatory for businesses to recognize and act on some form of a global opt-out signal, despite what many had thought was the CPRA’s express language to the contrary.
-
Notice of Disproportionate Effort: The new proposed regulations would require a business that is responding to requests to delete (Section 7022) or correct (Section 7023) to provide a “detailed explanation” that “gives a consumer a meaningful understanding as to why” a business cannot notify every third party to whom personal information may have previously been disclosed of a consumer’s right to delete or correct. While the draft regulations attempt to define “disproportionate effort,” it fundamentally leaves the consumer to decide whether they think a business’s explanation is good enough.
-
Going Beyond the 12-Month Lookback: In Section 7024 (related to requests to know), businesses would now be required to provide “all the personal information it has collected and maintains about the consumer on or after January 1, 2022, including, beyond the 12-month period preceding the business’s receipt of the request, unless doing so proves impossible or would involve disproportionate effort.”
-
Be Precise with Your Hyperlinks: One new proposed regulation that may cause businesses trouble and could benefit from additional clarification is Section 7012(f), which provides in relevant part that when information is collected online, “the notice at collection may be given to the consumer by providing a link that takes the consumer directly to the specific section of the business’s privacy policy that contains the information required in subsection (e)(1) through (e)(6).” And “directing the consumer to the beginning of the privacy policy…so that the consumer is required to scroll through…does not satisfy this standard.” Subsections (e)(1) through (e)(6) require the disclosure of:
-
What information is collected
-
The purpose for collection
-
Whether personal information is sold or shared
-
The retention period for personal information
-
Opt-out rights for sales and sharing of personal information
-
Disclosures concerning third-party privacy practices.
-
In privacy policies, each of these disclosures is typically its own section. So, it is unclear just how a business might comply with this new regulation without further clarification from the CPPA.
The above “highlights” only scratch the surface of the proposed rules. The good news is that these are draft regulations, so there is time for further development of the regulations before they become final. While there is still no word on when formal rulemaking will begin, these draft regulations demonstrate that public comments from businesses will be imperative to make sure that CPRA regulations are both practical and reasonable.