For the second week in a row, the CPPA has dropped a bombshell on a Friday afternoon. Last week, the CPPA released a 66 page first draft of its Proposed Regs to CPRA (you can read our initial analysis here) and announced that it will be holding a public meeting on June 8, 2022. This afternoon, the CPPA released a CPRA FAQ along with another 66 page document – an Initial Statement of Reasons (ISR) that provides further insight into the Regs. We quickly reviewed the FAQ and ISR, and have provided thoughts below on what these documents add to our analysis from last week. If you haven’t read our prior analysis, check it out first.

Public Comment Period Is Imminent: The FAQ states that the 45 day public comment period starts when the CPPA files and posts a Notice of Proposed Rulemaking Action (NOPA), the Regs, and the ISR. We have the Regs and the ISR, and a public meeting is scheduled for June 8th. Get your pens and keyboards ready for public comments.

Intent to Harmonize: The introduction to the ISR states that the CPPA took into consideration GDPR and other state privacy laws when crafting the Regs, and that the Regs will help simplify compliance for business and unnecessary confusion for consumers. After spending time with Regs over the past week, I disagree that the Regs will have this impact. The Regs, as written, impose highly technical contractual and disclosure obligations that differ fundamentally from other privacy laws and will confuse businesses and consumers. I hope the CPPA will reduce many of these technical requirements in the next round, or clarify that meeting GDPR standards for a DPA will suffice. 

Broad Opt-in Consent Obligations: The ISR doubles down on language in the Regs that a business must obtain explicit consent in order to process personal information in a manner inconsistent with consumer expectation. Per the ISR, in such instances, a business must obtain explicit consent regardless of how it gives notice. The Regs provide examples of sales or shares as not fitting within consumer expectation. This position seems to flip Do Not Sell or Share (DNS) from an opt-out to an opt-in regime, and threatens many business models. I expect industry to push back significantly.

Do Not Sell or Share (DNS):

  • Global Privacy Control (GPC) Lives: While GPC doesn’t appear in the Regs, the ISR references GPC as a technical mechanism for opt-out signals. The ISR also states that a business is not required to process requests that are in an unusable or unfamiliar format. I anticipate significant confusion around which signals must be recognized, and it would be preferable for the Regs to expressly name GPC as the universal recognized mechanism.
  • Opt-Out Preference Signals Can Be On By Default:  One concern I mentioned in my original post is that, unlike Connecticut, the Regs do not expressly restrict a platform or browser from setting an opt-out preference signal on by default, which effectively would make DNS opt-in. The ISR goes further in the wrong direction, stating that a consumer’s selection of a privacy-by-design product is an affirmative step sufficient to express the consumer’s intent to opt-out. What qualifies as a privacy-by-design product? If a global technology company advertises its browser or operating system as privacy safe, does that qualify? This could result in antitrust issues.
  • Opt-Out Preference Signals Not Required for LUDSPI: The ISR clarifies that the Regs only require companies to address opt-out preference signals for sales or sharing. The Regs do not require companies to address signals for limiting the use of sensitive personal information or specific opt-in for minors 13 to 15 or parents or guardians of minors.

Automated Decisionmaking: As previously discussed, the CPPA is releasing the Regs in two packages. The second package (not yet released) will address automated decisionmaking. The ISR notes that the CPPA changed certain terms in the Regs to reduce confusion between DNS opt outs and automated decisionmaking opt outs. Expect automated decisionmaking opt outs to be a big part of the second package.

Financial Incentives

  • Valuing Data. While the Regs didn’t change much around financial incentives at first glance, the ISR states that the CPPA’s edits were intended to clarify that only certain financial incentives require a business to provide a valuation of data. Financial incentives where there is a price or service difference require a valuation of data while financial incentives that involve a monetary or specific benefit (such as a free shirt or gift card) do not require a valuation. This is a helpful clarification.
  • Discriminatory Practices.  The ISR explains that financial incentives and discriminatory practices have been moved to separate sections because the two often get mixed up. Per the ISR, financial incentives do not inherently invoke a discrimination analysis because there is a separate negotiation taking place for a specific incentive. Again, this is a welcome explanation.

Naming Third Parties. The Regs require a business that allows a third party to control the collection of personal information to include the name of the third party in its notice or information about the third party’s business practices. Upon first reading the Regs, I wasn’t clear if the second option means a business needs to expressly incorporate a third party’s privacy policy into its own privacy policy or if a business could more generally disclose information about the third party’s business practices. The ISR clarifies that the CPPA considered requiring the express disclosure of names as the only option, but decided against that requirement. Based on this new information, I interpret the provision to mean that disclosures around a third party’s business practices can be more general in nature.

Probable Cause and Administration Hearing Process. Since the Regs were released, I’ve seen various posts voicing concern that the CPPA’s probable cause determination is not subject to appeal. The ISR clarifies that the probable cause determination precedes an administrative hearing. Based on my reading, the CPPA must first consider whether it has probable cause to bring an administrative hearing, and it can only bring an administrative hearing once it determines there is probable cause. While the probable cause determination is not subject to appeal, I don't see any indication that the administrative hearing itself is not subject to appeal. 

We will update as we know more.