In a surprising development, the California Privacy Protection Agency (CPPA) recently published proposed amendments to the CCPA regulations. The proposed amendments were initially made public on May 27 in a package of materials to be considered by the CPPA at its upcoming June 8 meeting. The proposed amendments, which in effect are the draft CPRA regulations, were issued without advance notice, ahead of the schedule previously announced by the CPPA.
The proposed regulations are broken into nine (9) substantive areas: General Provisions; Required Disclosures to Consumers; Business Practices for Handling Consumer Requests; Service Providers, Contractors and Third Parties; Verification of Requests; Special Rules Regarding Consumers Under 16 Years of Age; Non-discrimination; Training and Record Keeping; and Investigations and Enforcement. Notably absent are regulations relating to automated profiling, cybersecurity audits, and privacy risk assessments, all areas where guidance was widely expected.
In general, the draft regulations are dense and highly technical, nearly doubling the length of the current CCPA regulations. And the regulations may grow further if subsequent drafts incorporate sections that are not in the first draft. In any event, if implemented in their proposed form, the CPRA regulations will require a substantial expansion of privacy compliance operations for many businesses subject to the law. The details, potential compliance problems, technical requirements, and unanswered questions are far too numerous to address in a single blog post. Over the next few weeks, we intend to analyze the proposed regulations in more detail, focusing on specific subject matter areas.
At this stage, here are our initial takeaways.
The Proposed Regulations Are Highly Pro-Consumer
Even for a privacy law as expansive as the CPRA, the proposed regulations are strikingly pro-consumer, capturing an array of concerns and proposals that privacy advocates have been articulating for several years. The proposed regulations, for example, have detailed data minimization requirements that not only require businesses to collect, use, retain and share personal data in a manner consistent with the expectations of the average consumer, but would require businesses to obtain new consumer consent if they process personal data in a manner that isn’t consistent with these consumer expectations. This form of the consumer right is not explicitly provided by the CPRA, and it could create significant operational costs for businesses.
New Consumer Rights Will Require Big Compliance Changes
Not surprisingly, some of the most significant proposed regulations focus on the technical details surrounding the new rights the CPRA extends to consumers; specifically, the right to opt out of the sharing of personal information, the right to limit the processing of sensitive personal information, and the right of correction. The regulations contain many pages of detail explaining businesses' options for enabling consumers to exercise these rights, and those details are likely to trigger compliance headaches.
The new right of correction, for example, will require many U.S.-based companies to build new intake and processing mechanisms. Deciding whether a business must honor a correction request, the records it may need to provide consumers to justify a decision not to honor a request, and the documentation needed to support a business's decision not to correct may require an adjudication process not dissimilar to FCRA correction mechanisms. For companies that rely on personal data provided by third parties, as opposed to their own records, the correction process is even more complex.
In one of the few pro-business amendments, the proposed regulations do introduce a "disproportionate effort" defense for companies facing overly burdensome consumer requests. But in keeping with the general pro-consumer tilt of the CPRA, the standard for invoking this defense is high and requires companies to demonstrate that the cost of compliance "significantly outweighs" the benefit to the consumer of honoring the request. Businesses that fail to establish adequate procedures for honoring consumer requests cannot claim disproportionate effort.
Regarding the new opt out rights, the regulations contemplate that businesses can enable these rights via "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links, via a single "My Privacy Rights" link that combines these opt out rights, or by recognizing browser opt out signals. In fact, the proposed regulations make it mandatory for businesses to honor opt out signals once those signals become commonly used. The latter requirement appears to go beyond the text of the CPRA, which makes recognition of opt out signals optional. Notably, the proposed regulations explicitly reject the use of cookie banners as a mechanism for enabling opt outs of the sale or sharing of personal information, on the grounds that a cookie banner opt out only addresses the collection of personal data, not its sale or sharing.
One thorny operational issue involves the processing of browser opt out signals that conflict with specific privacy settings chosen by consumers, for example with loyalty programs where consumers consent to providing certain personal information. In many cases, these conflicts must be resolved in favor of maximizing opt out rights unless the business obtains additional consumer consent. The operational complexity of enabling opt out rights may trigger deeper consideration about what ad tech models businesses may want to utilize once the CPRA becomes effective.
First Party Obligations Are Now Third Party Obligations
One of the more notable ways in which the CPRA broadens consumer privacy rights is through the expansion of obligations on third parties. Whereas the CCPA required businesses to push certain privacy obligations onto service providers through required contractual language, the CPRA goes further by introducing "contractors" as a new category of service provider and by expanding the provisions that must be included in a contract with a service provider or contractor in order to avoid vicarious liability. The proposed regulations do allow a service provider or contractor to use consumers' personal data to improve its own applications.
The proposed regulations also narrow the safe harbor afforded to businesses that meet the contractual requirements for service provider and contractor agreements, by noting that businesses that conduct no due diligence or auditing of their service providers or contractors may not be able to argue that they were unaware of a contractual violation.
The proposed regulations also impose new obligations on third parties in a number of ways. Third parties that collect personal data on first party platforms are required under the proposed regulations to provide a notice at collection to those consumers, which is a wholly new obligation. Businesses must also forward opt out requests, as well as consumer deletion requests, to third parties processing that consumer's personal data. Third parties, in turn, must honor opt out requests (unless they become a service provider or contractor for the business) and must honor deletion requests. Third parties that recognize browser opt out signals on first party sites must also honor those opt outs. In addition, the proposed regulations impose new contractual requirements on third parties subject to the CPRA.
The combined effect of these expanded obligations on service providers, contractors and third parties is to broadly share compliance obligations across the entire ecosystem in which a consumer’s data flows. Businesses thus must analyze their own obligations as first parties as well as obligations they may face as third parties receiving consumer data through sharing arrangements. Among other things, these expanded obligations will require improved data tracking and communication with third parties.
Use of Third Party Tools May Be Unavoidable For Some Companies
There are numerous provisions in the proposed regulations that incentivize, ease, or effectively require the use of third party tools. For example, the regulations remove the requirement that authorized agents be registered in the state of California, opening the door for more third party services to act as agents helping Californians exercise their consumer rights. This change, coupled with the expansion of consumer rights under the CPRA as well as four other state privacy laws, makes it quite likely that businesses will experience a significant surge in consumer requests once the CPRA becomes effective.
Perhaps the most impactful proposed regulation, as noted, is the requirement that businesses honor opt out signals once they become commonly used. When the technology evolves to that point, businesses will likely need new tools to process browser opt out signals. The proposed regulations appear to incentivize businesses to recognize these signals by allowing businesses that do so in a "frictionless" manner (a newly defined term) to avoid separately providing Do Not Sell or Share and similar links on their websites, provided that personal data is not sold or shared offline.
The new requirements imposed on third parties will require enhanced data tracking, documentation, and communication with first parties. For many businesses, it may not be possible to meet these enhanced technical requirements without the use of third party privacy compliance tools.
CPRA Regulations May Complicate Plans for a Singular Approach to Privacy Compliance
Even before the release of the proposed regulations, California's privacy law was arguably the most pro-consumer in the U.S. The proposed regulations, as noted, move the law in a decidedly more pro-consumer direction. Other states' laws, particularly those of Utah and Virginia, are more business friendly and will not be subject to the same kind of detailed rule-making as California's. It is therefore a distinct possibility that when the CPRA regulations are finalized, they will impose significantly more onerous requirements than other states.
The complexity of the proposed CPRA regulations may cause companies to think twice about plans to adopt a singular "most restrictive law" approach to complying with the five new U.S. state privacy laws that become effective in 2023. Much will depend on what shape the final CPRA regulations take and how closely other states hew to the CPRA model. Colorado is also going through a rule-making process for the Colorado Privacy Act (CPA), and if that state lands somewhere close to California in its rule-making, the calculus may shift back toward a singular model for businesses subject to multiple state privacy laws. If other states pass Utah-style privacy laws in 2022 or 2023, businesses may instead begin to balkanize their privacy compliance programs. The potential for this schism may push Congress to pass a federal privacy law.
Needless to say, there is more to come. As businesses fully digest the proposed CPRA regulations, we are likely to see a significant push by the business community for relaxation of the proposed regulations. We will provide more analysis about particular proposed regulations in the near future.