Ready Set Go: California Privacy Protection Agency Previews Draft Regulations
Less than two months after the California Privacy Protection Agency (“CPPA” or “Agency”) formally took over rulemaking for the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), the Agency posted draft regulations on its website. The draft rules, posted on May 27, 2022, revise the final regulations previously issued by the California Attorney General (“CA AG”). The Agency will consider the draft regulations at its upcoming June 8, 2022 meeting.
The draft rules take some broad liberties interpreting the CCPA and impose highly prescriptive obligations on companies including limits on dark patterns; a right to correct (like the GDPR right to “rectification”); mandatory recognition of global opt-out signals for selling and sharing of personal information (“PI”); new enforcement powers and mechanisms, including “probable cause proceedings;” and Agency audits. Notably, the revisions omit hot-button issues like automated decision making, privacy risk assessments, and cybersecurity audits, to name a few. The CPPA anticipates concurrent and overlapping rulemaking packages to address these and additional issues, with no clear end date for concluding all rulemaking—despite the CPRA’s requirement that new regulations be finalized by July 1, 2022.
Further complicating the landscape, just days after the draft regulations were issued, the U.S. Congress released a draft bipartisan federal privacy bill that could pre-empt, in whole or in part, the CCPA and other recently enacted CCPA-like state privacy laws. The bill also offers an expansive private right of action. Rulemaking for the state laws must still take place, resulting in uncertainty for companies that are trying to manage the impacts of the emerging patchwork of privacy laws on product development and the pursuit of broader data-driven business objectives.
This Dechert OnPoint highlights main elements of the draft regulations and offers key takeaways.
The CCPA was signed into law on June 28, 2018, becoming effective on January 1, 2020. The statute gave rulemaking and enforcement authority to the California Attorney General ("CA AG"). Pursuant to this authority, the CA AG issued regulations that went into effect on August 14, 2020 and subsequently adopted amendments that went into effect on March 15, 2021.
California voters later approved the CPRA in November 2020, which established the CPPA to enforce the CCPA. Rulemaking authority was formally transferred from the CA AG to the CPPA on April 21, 2022, and on May 5, 2022, California’s Office of Administrative Law formally approved the transfer.
Restrictions on Collection and Use of PI (Draft § 7002)
A business’s collection, use, retention, and/or sharing of a consumer’s PI must be reasonably necessary and proportionate to achieve the purposes for which it was collected or processed. This requirement, based on the average consumer’s expectations, is relatively subjective, and the draft regulations shed little light on how to implement this standard. Outside of the “necessary” and “proportionate” context, the collection, use, retention, and/or sharing of PI requires a consumer’s explicit consent.
Dark Patterns (Draft § 7004)
Paralleling the Federal Trade Commission’s initiative, the draft regulations target "dark patterns" (language and architecture intended to influence choice) by requiring that methods of consent offer “symmetry” in choice, avoid manipulative language and choice architecture, and are easily understood. The draft includes several examples of symmetrical choice. For instance, an “Accept All” option must be paired with a “Decline All” option, and a “yes” button must be displayed in the same manner as a “no” button. As to manipulative language and choice, a “Yes” cannot be paired with “No, I like paying full price” or “No, I don’t want to save money.”
Notice at Collection (Draft § 7012)
The CCPA requires businesses to provide consumers with a notice at or before collection of PI. The notice must detail the categories of PI to be collected, the purposes for which it is collected or used, and whether the information is sold or shared. The draft regulations refine these requirements. For instance:
- When multiple parties control the collection of PI (e.g., in the ad tech ecosystem), each must provide a detailed notice at collection. A first party that allows a third party to control the collection of PI must include in its notice the names of all such third parties. Alternatively, a third party controlling the collection of PI may provide the first party information about its practices for the first party to include in its own notice at collection.
In an example that will likely be of concern to publishers and similarly situated entities, the draft regulations explain that a first party company that has a third party analytics tag on its website would need to post a conspicuous link to its notice at collection which should either (i) identify the third party and state that it is authorized to collect PI from the consumer, or (ii) provide information about the third party’s information practices. The third-party analytics company would also need to post a notice at collection on its homepage.
Requests to Correct (Draft § 7023)
A business must determine the accuracy of the PI that is subject to a request to correct by considering the totality of the circumstances relating to the PI. This could involve considering such factors as whether the PI is objective, subjective, unstructured, sensitive, etc.; how the PI was obtained; and other documentation relating to the accuracy of the PI.
The business must also ensure that the PI remains corrected and instruct all service providers and contractors to correct the PI in their possession. Alternatively, businesses may unilaterally delete the PI if the deletion would not adversely impact the consumer. Consumers and businesses, however, may have differing opinions on what constitutes an adverse impact.
Opt-Out Preference Signals (Draft § 7025)
The draft regulations require businesses to treat global opt-out preference signals as opt-outs of both selling and sharing. A business cannot require a consumer to provide additional information beyond what is necessary to send the signal. Furthermore, a business should indicate to the consumer whether or not it honored the opt-out preference signal.
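For readers implementing the obligation above, the following is an added example (not text from this OnPoint, the CPPA draft, or any vendor). The draft regulations do not name a particular signal; the code assumes the Global Privacy Control signal, which browsers transmit as the HTTP request header `Sec-GPC: 1`. The data model (`PrivacyDecision`), the response header `X-Opt-Out-Status`, and the sample requests and tags are illustrative assumptions constructed for the example.

```python
"""Server-side handling of an opt-out preference signal (illustrative).

Added example; not part of the original article or the CPPA draft.
Assumes the Global Privacy Control (GPC) signal, sent by browsers as the
request header ``Sec-GPC: 1``.  ``PrivacyDecision``, ``X-Opt-Out-Status``
and the sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Mapping

GPC_HEADER = "Sec-GPC"  # per the GPC spec; the literal value "1" means opt out


@dataclass
class PrivacyDecision:
    sell_or_share_allowed: bool
    signal_received: bool
    signal_honored: bool
    disclosure: str  # text shown to the consumer: whether the signal was honored


def signal_present(headers: Mapping[str, str]) -> bool:
    """True if the request carries an opt-out preference signal.

    HTTP header names are case-insensitive, so compare them lower-cased;
    only the value "1" is an opt-out, anything else is treated as absent.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


def decide(headers: Mapping[str, str], known_opt_out: bool = False) -> PrivacyDecision:
    """Decide whether PI from this request may be sold or shared.

    The signal alone is sufficient: no login, account, or extra data is
    required, so anonymous requests are handled.  A previously recorded
    opt-out (e.g. from a "Do Not Sell or Share" form) is also respected.
    """
    received = signal_present(headers)
    opted_out = received or known_opt_out
    if received:
        disclosure = ("Opt-out preference signal received and honored: "
                      "we will not sell or share your personal information.")
    elif known_opt_out:
        disclosure = "You have opted out of the sale or sharing of your personal information."
    else:
        disclosure = "No opt-out preference signal received."
    return PrivacyDecision(
        sell_or_share_allowed=not opted_out,
        signal_received=received,
        signal_honored=received,
        disclosure=disclosure,
    )


def response_headers(decision: PrivacyDecision) -> Dict[str, str]:
    """Illustrative response header so the client can confirm the status."""
    return {"X-Opt-Out-Status": "honored" if decision.signal_honored else "none"}


def gate_third_party_tags(decision: PrivacyDecision, tags: List[dict]) -> List[dict]:
    """Return only the tags that may load; tags that sell/share PI are dropped on opt-out."""
    if decision.sell_or_share_allowed:
        return list(tags)
    return [t for t in tags if not t.get("sells_or_shares", False)]


# Constructed sample data: one anonymous request with the signal, one without.
SAMPLE_TAGS = [
    {"name": "first-party-analytics", "sells_or_shares": False},
    {"name": "ad-network-pixel", "sells_or_shares": True},
]
SAMPLE_REQUESTS = {
    "with_signal": {"Host": "example.test", "sec-gpc": "1"},
    "without_signal": {"Host": "example.test"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        d = decide(hdrs)
        loaded = [t["name"] for t in gate_third_party_tags(d, SAMPLE_TAGS)]
        print(f"{label}: {d.disclosure} tags={loaded} {response_headers(d)}")
```

The decision is made before any tag or server-to-server transfer fires, so the opt-out applies to the whole request rather than being bolted on after the data has already moved; the disclosure string is what the page or banner would surface to satisfy the "indicate whether honored" requirement.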
Requests to Opt-Out of Sale/Sharing (Draft § 7026)
The draft regulations would continue to require a business to provide at least two methods for exercising the right to opt-out of sales, adding sharing to the choice. One method must reflect how the business primarily interacts with consumers. After a request is received, businesses have 15 business days to comply. Consumers must be able to confirm that their request was processed.
Request to Limit Use and Disclosure of Sensitive PI (Draft § 7027)
A business must also provide at least two methods for exercising this right, one of which must reflect the way the business primarily interacts with consumers. Businesses will have 15 business days to comply, and a consumer must be able to confirm that their request was processed.
There are seven instances where a business may use or disclose sensitive PI without offering a right to limit. These carve-outs include, among others, performing services or providing goods that an average consumer would reasonably expect (e.g., precise geolocation may be used by a mobile app that directs a consumer to a specific location), detecting certain security incidents, ensuring someone’s physical safety, and short-term, transient use.
Data Processing Agreements (Draft §§ 7050-7053)
The draft regulations also add obligations regarding data processing agreements (“DPAs”) for service providers, contractors, and third parties. The non-exhaustive list of contract terms includes:
- Prohibiting selling or sharing of business customer PI;
- Identifying specific business purpose(s) and service(s) justifying the processing of the business’s PI. Descriptions must be precise and specific rather than generic;
- Prohibiting combining or updating PI received from, or on behalf of, a business with PI that is received from other sources (potentially impacting AI and ad tech providers);
- Audit rights for businesses to ensure CCPA compliance, which may include “ongoing manual reviews and automated scans . . . and regular assessments, audits, or other technical and operational testing;” and
- Notification to a business if a service provider, contractor, or third party determines that it can no longer meet its obligations.
Investigations and Enforcement (Draft §§ 7300-7303)
The draft regulations offer several enforcement tools. Consumers can allege violations of the CCPA by filing a sworn affidavit with the Agency. In response, the Agency must notify the complainant in writing of any action that the Agency takes or plans to take and the reasons for its action or non-action.
These sections also authorize the Agency to initiate a “Probable Cause” proceeding by issuing a notice of probable cause if there is a reasonable basis to believe that the CCPA was violated. The notice must be given “at least 30 days prior to the Agency’s consideration of the alleged violation” and contain a summary of the evidence. The subsequent proceeding will be closed to the public unless the alleged violator requests in writing at least 10 business days before the proceeding that it be made public; it may be conducted in whole or in part by telephone or video (in-person proceedings are only available if it is open to the public). Thereafter, a written decision will issue, which is “final and not subject to appeal.” Violations can result in an administrative fine of up to $2500 per violation or up to $7500 per intentional violation.
Audits (Draft § 7304)
While thin on details regarding the audit process, the draft regulations explain that the CPPA may conduct an audit in three circumstances: (1) to investigate possible violations of the CCPA; (2) if the subject’s collection or processing activities present significant risk to consumer privacy or security; and (3) if the subject has a history of noncompliance with the CCPA or any other privacy protection law.
The draft regulations did not address risk assessments, cybersecurity audits, or automated decision-making technology. CPPA Board member Vincent Le previously stated that these topics “require more work” and could be addressed in future rulemaking.
The draft regulations will be taken up at the June 8 meeting, giving businesses the chance to see what the final rules may look like. However, it is unclear if the Agency will meet the statutory deadline for finalizing the rules. The Agency must still issue a Notice of Proposed Rulemaking to trigger the formal rulemaking process. Time will tell if the draft regulations will remain intact following what is likely to be a robust comment period. Presently, there are several issues to watch out for:
- Builds on CCPA Emphasis on Consumer Empowerment through Prescriptive Obligations. The draft regulations reflect a consumer empowerment “2.0” vision of transparency and consumer choice. The Agency appears to be distributing responsibility for processing consumer PI among stakeholders in the commercial data ecosystem. Restrictions on dark patterns could give the Agency significant leeway to act against businesses based on the application of subjective concepts about the user experience.
- Mandatory Opt-Out Preference Signals. The Agency wants to mandate the honoring of opt-out preference signals, even though the CPRA’s text indicates that this is optional. Industry will likely challenge the CPPA’s interpretation, and therefore, this issue will need to be closely monitored as the rulemaking process unfolds.
- Increased Compliance Requirements for Data Processing Agreements. The draft regulations do not match statutory language regarding data processing agreement requirements. If this divergence continues, businesses will need to consult both the statutory text and regulations when drafting DPAs.