On Monday, the CPPA released the modified text of proposed CPRA Regs (modified Regs) and an accompanying explanation of the modified text (EMT). We quickly reviewed the modified Regs and EMT, and have provided thoughts below. For our analysis on the original proposed Regs and accompanying statement of reasons, please visit our prior posts here and here.
Adoption of Regs is Imminent: The CPPA has scheduled public meetings for October 21-22 and October 28-29, where, per the agenda, it will discuss the modified Regs and “possible adoption or modification of the text.” Given that CPRA is set to take effect in less than three months, the CPPA is under a lot of pressure to adopt the Regs. Expect (some) finalized Regs by early to mid-November.
Partial Adoption is Possible: While some portions of the Regs are complete, others likely require further modification. The EMT identifies specific sections of the Regs (highlighted in gray and with an asterisk) that the CPPA intends to discuss at the upcoming meetings. Given the pressure to adopt Regs, the CPPA may decide to adopt certain portions of the Regs while further modifying others. This would allow businesses to start working on their compliance with the Regs prior to 2023 and provide the CPPA with additional time to finalize more controversial portions of the Regs. Partial adoption is already a virtual certainty to some extent given that the CPPA has yet to release its second package of Regs set to cover cybersecurity audits, privacy risk assessments, and automated decision making. Note that partial adoption does not guarantee a grace period for CPRA enforcement. We hope to hear about a grace period at the upcoming meetings.
Substantially Similar to the First Draft: Now that we have discussed procedural issues, let’s address the elephant in the room. The modified Regs are substantively substantially similar to the first draft. If you loved the first draft, you are going to love this one. But if you found a lot wrong with that draft (see our prior posts), you are still going to find a lot wrong here. For example, the modified Regs still impose highly technical contractual and disclosure obligations that differ fundamentally from other privacy laws and will confuse businesses and consumers. The modified Regs also do not clarify obligations around opt out preference signals, and give platforms huge discretion to make decisions that impact the entire online ecosystem. I am disappointed (but not surprised) that the CPPA did not take this opportunity to better address public comments submitted over the past several months.
What You See is What You Get: Given how little the Regs changed in the last round, the modified Regs are likely a good indicator of what the final version will look like. Businesses should, at a minimum, start addressing the less controversial requirements of the Regs.
What’s New: Below are some of the changes we identified in our initial review of the modified Regs:
Non-Substantive Edits. Many, if not most, of the changes to the Regs are non-substantive. The CPPA fixed typos, moved sections, and rephrased language to make the Regs more precise.
Definitions. The modified Regs add and clarify certain definitions, including “Alternative Opt-Out Link,” “Disproportionate effort,” “Information Practices,” “Nonbusiness”, and “Unstructured.” These definitions place further obligations on businesses.
Reasonably Necessary and Proportionate. Perhaps the biggest change to the Regs comes in Section 7002. Under CPRA, a business’s processing of personal information must be (1) reasonably necessary and proportionate to achieve (2) (a) the purposes for which the personal information was collected or processed, or (b) another disclosed purpose that is compatible with the context in which the information was collected. The Regs now dedicate multiple pages and establish three new factor tests to determine compliance with each element above. These factor tests are tied to the concept of the reasonable expectation of the consumer. Any use of personal information that does not meet these factor tests requires consent. I find these factor tests arbitrary and burdensome, and I am concerned that they potentially change CPRA’s Do Not Sell opt-out regime into an opt-in regime. The CPPA has designated Section 7002 as a topic of discussion, and I expect there will be push back from industry stakeholders on this language during the meetings.
Listing Third Parties. One good change from a practical perspective is that the modified Regs remove the requirement that businesses identify in their privacy policies the names of third parties that control the collection of personal information. The EMT lists this as an example of where the CPPA tried to simplify implementation.
Opt Outs and Notifying Third Parties. The modified Regs also remove certain obligations around opt outs and notifying third parties. For example, a business is no longer required to notify all third parties to whom the business makes personal information generally available that a consumer has opted out. Also, a business is not required to include language in its contracts for third parties to check for opt out signals. And it is optional for a business to display the status of whether the business has processed an opt out preference signal.
Dark Patterns. The modified Regs add language that may help businesses when claiming they do not engage in dark patterns. There is now a knowledge requirement - businesses are responsible for a nonfunctional email address or broken link if they knew about the issue and did not remedy it. Also, intent for creating dark patterns is a factor - the CPPA may consider intent in determining whether an interface is a dark pattern.
Requests to Delete. The modified Regs clarify that a service provider that offers a self-service deletion option meets the deletion requirement. This is helpful for service providers that enable their clients to delete personal information through a user interface.
Requests to Correct. The modified Regs remove some of the stringent requirements around ensuring personal information remains accurate.
Service Provider Contracts. The modified Regs allow service providers to use personal information for certain internal use or to prevent, detect, or investigate security issues even if the business purpose is not specified in the written contract. I think this is a great addition, and I wish the CPPA had added similar language to more generally address highly technical contractual obligations required by the Regs.
Non-Profits. The modified Regs clarify that an entity that provides services to a Nonbusiness (e.g., non-profit) could be subject to CPRA if it uses the personal information for its own purposes.
Frictionless Opt Out. The modified Regs now state that if a business asks an opted out consumer to opt back in to sales after 12 months, the business cannot rely on the frictionless opt out exception set out by the Regs.
Third Parties. The EMT reaffirms that a person can be a third party in one context and a service provider or contractor in another. This is helpful for ad tech purposes, as discussed in our prior posts.
What’s Missing: As noted above, the modified Regs do not cover cybersecurity audits, privacy risk assessments, or automated decision making. That being said, one of the factor tests discussed above incorporates language generally found in privacy risk assessments.
We will update as we know more.