By Laura Lemire
Here we go, privacy friends. On Friday, July 8, the California Privacy Protection Agency (CPPA) released a notice of proposed rulemaking to adopt regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA), the law that amends the California Consumer Privacy Act (CCPA) (the “Proposed Regulations”). The Proposed Regulations were previously made available on May 27, 2022, and those remain unchanged. What’s new in the materials released with the notice of proposed rulemaking is rich context on the CPPA’s positions, particularly from the Economic Impact Statement and its supporting Notes.
As part of the rulemaking process, the CPPA will now receive public comments until August 23, 2022. It’s likely the CPPA will receive feedback in two key areas: (1) the scope of the Proposed Regulations, and (2) its methodology for estimating the financial impact of this regulatory action.
1. The scope of the Proposed Regulations.
Though the redlines to the proposed regulations look extensive, the CPPA states there are only three net new compliance obligations arising from this rulemaking. These changes, outlined in Appendix 3 of the Notes on Economic Impact Estimates for Form 399, are as follows:
§7012(e)(6) generates a new requirement for any business that allows third parties to control the collection of personal information on its website or on its premises. Such businesses must include the names of the third parties in its notice; or, in the alternative, information about the third parties’ business practices.
§7023(d) introduces an additional documentation requirement for businesses that decide to delete personal information as an alternative to correcting information.
§7026(g) creates a new option for businesses to use existing GDPR compliant opt-out buttons to comply with the CCPA rather than requiring a second separate CCPA-specific opt-out button; this section also clarifies that "cookie banners" are an unacceptable solution to the pre-existing "opt-out" button requirement.
When we looked at the proposed changes in May, we identified expanded or updated requirements, as well as edits that may raise questions around key issues we thought were settled in previous rulemakings. Particularly noteworthy are the areas where the CPPA provides examples and additional details in the Proposed Regulations. We have summarized a few of these key areas below:
Service Providers, Contractors, and Third Parties: Agreements. In addition to language previously required under the CCPA, businesses must have contracts in place with service providers and contractors that:
specifically describe the purpose(s) and service(s) the service provider or contractor provides;
prohibit the service provider or contractor from retaining, using, or disclosing personal data received for any commercial purpose, including the servicing of a different business, or combining or updating personal information it receives with personal data it received from another source; and
grant the business a right to audit and monitor.
The Proposed Regulations also provide the following specific obligations and restrictions:
An organization can’t be a service provider or contractor unless there is a compliant contract in place. The Proposed Regulations describe the language that must be included in contracts with service providers, contractors, and third parties in more detail than what is in the statute.
A business that offers services to another entity not subject to the CPRA (such as a non-profit) can still be a “service provider” (or contractor) if the service provider (or contractor) requirements under CPRA are met; and
A company acting as a service provider or contractor cannot contract with a business to provide cross-contextual behavioral advertising; such advertising services must be papered by a third-party contract.
Purpose Limitation. Businesses may only collect, use, retain, and/or share personal information that is reasonably necessary and proportionate, consistent with consumer expectations, to achieve the stated purpose(s). Businesses must obtain the consumer’s explicit consent prior to collecting, using, retaining, and/or sharing personal information for any purpose that is unrelated or incompatible with the purpose(s) previously disclosed.
Dark Patterns. Businesses must avoid confusing (yes/no, on/off, double negatives), asymmetric, manipulative, or shaming privacy choices (yes/“no, I want to pay full price”), particularly in the context of Financial Incentives (more below). Further, businesses cannot bundle consents where it subverts consumer choice.
Right to Know. Businesses must provide all personal information collected and maintained about the consumer in response to a request to know, including beyond the 12-month period preceding, unless doing so proves impossible or would involve “disproportionate effort.” To use “disproportionate effort,” the business (or their service provider or contractor) would have to (1) demonstrate that the time and/or resources needed would be significantly higher than the benefit to the consumer, and (2) explain to the consumer why the information cannot be provided.
Opt-out rights and methods. Businesses must recognize certain global opt-out signals, even when such signals conflict with a consumer’s existing preference. Additionally, businesses can provide consumers with a single, clearly labeled link that allows consumers to easily exercise both their right to opt-out of sale/sharing and right to limit use of sensitive personal information, instead of posting the two separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links. The alternative opt-out link can be titled either “Your Privacy Choices” or “Your California Privacy Choices” and would direct the consumer to a webpage that would: (1) inform them of both their right to opt-out of sale/sharing and right to limit, and (2) provide them with the opportunity to exercise both rights, such as an interactive form or mechanism where the consumer may submit their request.
Sharing opt-out signals with third parties. When a consumer exercises its rights to opt-out of sale/sharing or to limit use, a business must notify all third parties with whom the business makes personal information available of such request and direct the third parties to comply, including by notifying any other third parties who may have had access to the data. As noted above, the Proposed Regulations also specify that a cookie banner is “not by itself an acceptable method” as it doesn’t address the sale or sharing of personal information.
Financial Incentives. The Proposed Regulations added “price or service differences” as specific types of financial incentives, and the financial incentive notice requirements have been updated to reflect this.
2. The CPPA’s calculation of the financial impact of the Proposed Regulations.
In the Economic and Financial Impact Statement, the CPPA concludes that the Proposed Regulations will cost a small population of businesses $127.50 to comply, which equates to an hour and a half of work by a team comprised of a computer programmer and computer engineer. To reach this conclusion, it bases its Economic Impact Assessments on the following:
The “baseline legal environment.” The CPPA benchmarks the Proposed Regulations against what it considers the existing legal environment, which includes existing California law, as well as other relevant privacy compliance obligations (such as the European Union’s General Data Protection Regulation or GDPR). It concludes that if a business is already subject to the GDPR and in compliance, it will incur no compliance costs with the Proposed Regulations.
A limited view of the number of businesses impacted. To calculate the number of businesses impacted, the CPPA looks at (1) data brokers registered in CA and (2) businesses with HQs in CA, according to 2019 census data. It minimizes the expected financial impact to those doing business in CA, who are not HQ’d in CA. It states, “While the data is not available to isolate the number of out of-state headquartered firms with California business enterprises that are covered by the CCPA, we expect this group to represent a small subset of total impacted businesses (and of total economic impacts).”
A simplified view of compliance work. According to the CPPA, businesses with compliance work to do in light of the Proposed Regulations will need one hour of a computer programmer’s time to make a drop-down menu on its website, and .5 hours of a computer engineer’s time to add a user link to existing documentation related to data deletion.
What should businesses consider in light of this rulemaking?
First, consider taking part in the process. Anyone can participate in the formal rulemaking process by submitting written comments by 5:00 pm PDT on August 23, 2022, via email or by snail mail to the CPPA. Keep in mind any materials submitted will become part of the public record. Alternatively, or in addition to written comments, anyone can attend the public hearings in-person or online which will be held August 24 and 25, 2022, at 9:00 am PDT.
Next, take stock of your overall compliance efforts, including with respect to your employee and B2B personal information (areas where applicability hasn’t been explicitly clear but are nonetheless in scope). Ensure your documentation (records of processing) are up to date. Having a clear view of the personal information you collect, and how it is used, will help you determine where opt-in consent or additional disclosures may be required. Review your processes, policies, and agreements. If you’ve been thinking about retooling your privacy policy, your cookie consent manager or similar tool, or making your disclosures more robust, now is the time to prioritize the effort. That goes for data retention and deletion policies and practices too. Sharpening your data deletion and retention practices will make compliance with various aspects of the regulations easier.
Finally, keep in mind that the current Proposed Regulations are not comprehensive. Be on the lookout for additional proposed CPRA regulations covering automated decision-making, risk assessments, and cybersecurity audits. The CPPA will release these additional proposed regulations separately in the months ahead.
Laura Lemire is Of Counsel at Hintze Law PLLC.
About Hintze Law Hintze Law PLLC is a boutique privacy firm that provides counseling exclusively on global data protection. The firm’s attorneys and privacy analysts support technology, health, biotech, advertising, social networking, media, gaming, ecommerce, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.