If you have been relying on last year’s court order, which stayed the ability of the California Privacy Protection Agency (CPPA) to enforce regulations promulgated under the California Privacy Rights Act (CPRA), as a reason to also pause your own CPRA compliance program, it is time to ramp back up.
In a major win for the CPPA, California's Third District Court of Appeals vacated the lower court decision and held that the CPPA’s authority to enforce its amended regulations should have been effective on July 1, 2023. Although the CPRA intended for regulations to be final by July 1, 2022 – giving businesses a year to make operational changes – the CPPA did not issue final regulations on 7 out of 15 statutory areas until the end of March, 2023. Other regulations are still pending. The lower court agreed with the California Chamber of Commerce that the statutory intent was to give businesses a year to adjust, and thus the July 1, 2022 enforcement date should be stayed for a year until March, 2024.
The Appeals Court disagreed and reversed the lower court holding, giving the CPPA the power to enforce the regulations immediately. Further, the CPPA is still working on draft regulations to implement other parts of the CPRA and the Appeals Court decision will have the effect of enabling the CPPA (and the Attorney General) to enforce regulations immediately upon final enactment. This will require companies to pay close attention to the analysis of all draft regulations currently in process on important areas such as cybersecurity audits and automated decision-making in order to adapt quickly.
In a statement released by the CPPA, Michael Macko, Deputy Director of Enforcement, said: “The California voters didn’t intend for businesses to pick and choose which privacy rights to honor. We are pleased that the court has restored our full enforcement authority, and our enforcement team stands ready to take it from here. This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”
As a reminder, the final regulations include important operational requirements that should be reviewed in order to ensure that your company is in compliance.
- Contracting Requirements. Your company must have minimum terms included in all contracts with all entities to which your company discloses personal information, including service providers, third parties, and a new category of entities called “contractors.” Article 4 (starting on page 47) highlights the specific contractual requirements and should be reviewed in context with your existing data processing agreements and templates (or it’s time to get those agreements in place!).
- Targeted Advertising. The final regulations clarify that companies providing cross-contextual behavioral advertising are “third parties” under the CPRA, not service providers or contractors. If your business engages in cross-contextual behavioral advertising, you should consider adjusting your privacy notice and consumer rights processes, because this “clarification” requires covered businesses to provide consumers with an opt-out of “sales” or “sharing” of personal information resulting from cross-contextual behavioral advertising.
- Modification to Notice Requirements. Article 2 of the final regulations modifies notice requirements to align the CCPA notice requirements with the CPRA. It sets out formatting and presentation requirements, including that disclosures must be easy to read and accessible to persons with disabilities under applicable industry standards. Also, conspicuous links for websites should appear in a similar manner as other similarly posted links, and for mobile apps, conspicuous links should be accessible in the privacy policy.
- Dark Patterns. The final regulations add context regarding what types of “dark patterns” could negate consent from users. See Section 7004 for details regarding these dark patterns and what the regulations prohibit.
- Requests to Correct. The final regulations add a requirement for businesses to provide data subjects with an ability to correct their information that the business maintains. The specific requirements are found in Article 3 and should be reviewed to ensure that your processes for responding to individual rights requests include the appropriate methods of correction.
- Opt-Out Preference Signals. Under the CPRA, businesses are expected to treat opt-out preference signals as requests to opt out of the individual sale or sharing of personal information. This has been a controversial requirement and may take businesses some time to implement. According to Section 7026 in Article 3 of the final regulations, a business must process “any opt-out preference signal that meets the [requirements of this section] as a valid request to opt-out of sale/sharing.” Immediate attention should be directed to this section in order to ensure that your website complies.
There are proposed regulations in the comment period, and these should also be reviewed given that they will now be effective and enforced immediately upon the issuance of final regulations. The proposed regulations cover cybersecurity audit requirements, risk assessments, and automated decision-making technology. These regulations will require covered businesses to conduct new independent audits of cybersecurity programs, implement a process for privacy impact assessments, and impose broad rules around the use of automated decision-making technologies that could affect the development or the use of artificial intelligence systems.