Happy Friday before a holiday weekend! This afternoon the California Privacy Protection Agency (CPPA) issued a notice that it will be holding a public meeting on June 8, 2022. Hidden within that notice was a link to meeting materials that contains the first draft of the CPPA’s Proposed Regs to CPRA. We quickly reviewed the Regs (so you don’t have to before the holiday weekend), and have provided our immediate thoughts below:
- Only Part of the Story. Earlier this week, the CPPA clarified that it is releasing the Regs in two packages. This appears to be the first package. The second package (which has not yet been released), is set to cover cybersecurity audits, privacy risk assessments, and automated decision making.
- Not Final. To be clear, these are only the Proposed Regs. They must still go through the rulemaking process, so we expect them to change considerably.
- Much of the Same. The Regs are essentially a revised version of the California Attorney General’s CCPA Regs. While there are a lot of redlines, a lot has stayed the same. For example, little has changed regarding verification, authorized agents, children/minors, non-discrimination/financial incentives, training, and record keeping. We are particularly surprised by the lack of changes to financial incentives and children/minors.
- Codifying CPRA Obligations. The Regs dedicate a lot of space to codifying express CPRA obligations. For example, the Regs add language around the right to correct, the right to limit the use and disclosure of sensitive personal information (LUDSPI), and the obligation of a business to notify its service providers or contractors to delete personal information.
- Investigation and Enforcement. As promised by the CPPA, the Regs add language around investigation and enforcement, including relating to audits. This information is pretty high level, and, at least upon first review, doesn’t provide much insight into the process.
- Lots of Examples. One thing we appreciate is that the Regs provide many examples. This gives us better insight into what the CPPA is thinking with respect to enforcement.
- What’s a Contractor? The Regs don’t clarify what constitutes a contractor versus a service provider. We still don’t understand why we needed this fourth term.
- Many New Obligations. Let’s get to the good stuff. You’re here to see what the Regs added with respect to CPRA requirements. There’s a lot, and we are still digesting everything. Below are some additions that jumped out at us:
- Opt-Out Signals Are Mandatory. As expected, the Regs clarify that businesses must recognize Do Not Sell or Share (DNS) opt-out preference signals. While some privacy professionals have argued that businesses have a choice between posting a DNS link or honoring an opt-out preference signal, the Regs expressly state that interpretation is incorrect.
- No Clarification About Which Signals Qualify. Unfortunately, the Regs fail to clarify what constitutes a valid opt-out signal. They didn’t even formally recognize GPC as the de facto signal. As written, businesses arguably must respond to any signal, which will create compliance hurdles. Further, unlike Connecticut, the Regs don’t state that an opt-out signal cannot be set to “on” by default by a browser.
- Opt-Out Status. The Regs state that a business should display through an icon on its website whether or not it has processed an opt-out signal. Interestingly, this is a suggestion rather than a requirement.
- Frictionless Opt-Out. There is a new concept of a “frictionless” opt-out. Where a business only sells or shares information that meets the frictionless standard and the business responds to opt-out signals, the business is not required to include a DNS button on its site. However, most businesses will not qualify for this exception as the business must be able to facilitate an opt-out without requiring any further information from the consumer. This means the exception essentially only applies to businesses that use tracking technologies (like cookies or pixels) for cross-contextual advertising, and not those that also upload data files (like hashed audiences for matched audiences) or sell data offline.
- Opt-Outs Downstream. Per the Regs, where a person receives an opt-out request, not only do they need to stop selling or sharing personal information, but they must also notify any third parties downstream to stop selling or sharing the information. This appears to be a higher burden than currently required under CCPA or the CPRA text, and reemphasizes the need for a signal that can be read by downstream parties. Contracts with third parties must also expressly require the third party to check for opt-out signals.
- Cookie Banners are Not Sufficient. The Regs find that a cookie banner is not itself sufficient to meet DNS obligations. This is a good clarification as too many companies still rely on cookie banners alone.
- Your California Privacy Choices. The Regs allow for a combined opt-out link for DNS and LUDSPI called “Your California Privacy Choice.” We appreciate the homage to older California privacy law.
- Not Qualifying as a Service Provider. The Regs state that a person who contracts with a business to provide cross-contextual behavioral advertising is a third party and not a service provider or contractor. The Regs provide an example that non-personalized advertising based on aggregated or demographic information is okay, but using a customer list to identify users and serve them ads is not okay. This example appears to be aimed at certain social media platforms, and positions they have taken around matched audiences.
- Third Party to Service Provider. While matched audiences may not have received favorable treatment, there is some good news in general for the advertising industry. For the first time, the Regs recognize that a third party can become a service provider after receiving an opt-out request if the third party complies with the obligations of a service provider. This supports the position of the advertising industry, in particular the Limited Service Provider Agreement (LSPA) issued by IAB, where a signatory third party becomes a limited service provider upon receiving an opt-out.
- Losing Protections of a Service Provider. Per the Regs, a person who does not have a contract that complies with the Regs is not a service provider or a contractor under the CCPA. While we’ve known this for a while, the express statement reemphasizes the importance of including the relevant language in your contracts. Also, the Regs provide that if a person doesn’t conduct due diligence, and it turns out the recipient violated the law, the person may not be protected under the law even if the contract technically met CPRA contractual requirements. Do your due diligence!
- Specifying Services in Contracts. The Regs require a contract between a business and a service provider, contractor, or third party to expressly identify the specific service for which the recipient processes information. This brings CPRA contractual requirements closer in line with GDPR and other comprehensive state privacy laws, which require a controller to set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
- Access Requests Beyond 12 Months. Under the Regs, when a business receives an access request, it must by default provide the consumer all their personal information dating back to January 1, 2022. This contradicts the CPRA text, where a business is only required to provide personal information from the prior 12 months unless otherwise expressly requested by the consumer.
- Retaining Corrections. Where a business receives a correction request and subsequently receives outdated personal information, the business has an obligation to retain the correction and not use the outdated personal information.
Disclosures and Consent:
- Consent for Incompatible Purposes. Where a business processes information for a purpose incompatible with the original collection, it must obtain consent for the new purpose.
- Dark Patterns. The Regs state that a business cannot make it tougher to exercise consumer rights than to not exercise them. The Regs then provide a list of examples of what not to do, which is quite helpful. Any failure to comply will be considered a dark pattern.
- Third Party Obligations. The Regs include language regarding third parties that control the collection of personal information, and obligations for providing notice. This appears to be similar to the concept of a controller to controller relationship, although the obligations are not quite as robust.
That’s it for now. As we learn more, we will be sure to keep you informed.