In an unexpected move, the California Privacy Protection Agency (the “Agency”) issued draft regulations (“Regs”) mandated by the California Privacy Rights Act (“CPRA”) on Friday, May 27 (a day before the Memorial Day weekend, and a day after a public stakeholder meeting in which it gave no indication that the Regs would be issued the next day). The Agency has placed consideration of the draft Regs on its Board’s June 8 meeting agenda. If approved, they will then be subject to public comments, which must be considered before the Regs can be finalized.
The Regs contain detailed guidance regarding many highly anticipated topics, such as:
- Global Privacy Control requirements (the “Opt-Out Preference Signal,” or “OOPS,” under the Regs), but unfortunately no technical specifications with respect to implementation of the OOPS. The Agency interprets the CPRA to make the opt-out link optional if OOPS are “frictionlessly” implemented, but not to make honoring OOPS optional if an opt-out link is provided.
- General principles regarding the handling of consumer requests.
- Detailed requirements regarding implementation of the rights to access, delete, correct, limit (the use of my sensitive information), and do not sell / do not share.
- Notices to consumers, including special notice requirements for job applicants, employees and contractors.
- Financial incentive notice requirements are relaxed.
- Service provider, contractor, and third party agreements and obligations.
- Complaint and enforcement procedures.
While the Regs leave various hot-button issues for a later draft (like automated decision-making, profiling, cybersecurity audits, and risk assessments), they certainly provide detailed guidance on the issues addressed. Even so, implementation will present many challenges for businesses, service providers, contractors, and even third parties. As a result, we can expect spirited debate and comment from industry and consumer protection groups alike before the draft Regs are finalized.