On October 17, 2022, the California Privacy Protection Agency (“CPPA” or “Agency”) published Modified Text of Proposed Regulations (“Modified Regs”) and Explanation of Modified Text of Proposed Regulations (“Explanation of Modified Regs”). The documents were published alongside an agenda for an upcoming public meeting on October 21 and 22 to be held by the Agency, where it will be discussing (and possibly taking action on) the Modified Regs.
Recall that earlier this year, on May 27, 2022, the CPPA published the first draft of the proposed CPRA Regs and initial statement of reasons. The Agency commenced the formal rulemaking process to adopt the Regs on July 8, 2022, and the 45-day public comment period closed on August 23, 2022. The comments submitted in response to the first draft of the Regs are available here.
Importantly, per California Administrative Law and Procedure, if the CPPA Board approves the rulemaking file for the Modified Regs for submission to the California Office of Administrative Law (“OAL”), a new public comment period will begin, calculated from the day the CPPA Board approves the proposed modifications. Depending on whether the Modified Regs are interpreted to introduce “major changes” vs. “substantial or sufficiently related” changes, a 45-day or 15-day comment period may commence. It is possible that the Agency Board will not approve the Modified Regs, in whole or in part, which could further delay the rulemaking process. It should also be remembered that the Agency is rulemaking in stages and the regulations on some of the more complex issues, like automated decision-making technology, including profiling and cybersecurity standards, are yet to even be proposed.
We use the term “CPRA” and “Act” to mean the CCPA as amended by the California Privacy Rights Act, and capitalized terms not defined in this post have the definition given in the Act or regulations. In applying the Modified Regs, keep in mind that the limitations on the Act’s application to PI collected in the context of B-to-B communications and Human Resources activities sunset on December 31 of this year. In other words, the use of Consumer to refer to data subjects will no longer be limited to traditional consumers but refer to California residents regardless of the Collection context.
Modified Regs Highlights:
Reasonable Expectations of the Consumer. The CPRA requires a Business’s Information Practices (i.e., collection, use, disclosure, sale, sharing, and retention of Personal Information (“PI”); see 11 CCR § 7001(o)) to be “compatible with the context in which the [PI] was collected” and “reasonably necessary and proportionate to achieve the purposes for which the [PI] was collected….” The Modified Regs apply a reasonable expectations of the Consumer standard and set forth factors to be considered in determining whether Information Practices are compatible with a Consumer’s reasonable expectations given the context in which the PI was collected, and are reasonably necessary and proportionate. 11 CCR § 7002(b), (c) and (d). There is a lot to unpack here, including that a Notice at Collection may be insufficient to establish a Consumer’s reasonable expectations depending on the intrusiveness of the practice and the Collection context. The weighing of these factors has implications for the scope of permitted Selling and Sharing of PI, and especially of Sensitive Personal Information (“SPI”) (e.g., precise location, sexual orientation, etc.), and needs careful consideration.
Dark Patterns. Revisions to § 7004 in the Modified Regs, such as those regarding symmetry in choice and the obligation not to impair or interfere with a Consumer’s ability to exercise their choices, emphasize the CPPA’s focus on curbing the use of dark patterns in Information Practices. Relatedly, revisions to 11 CCR § 7009 clarify how a Business’s intent will be evaluated in assessing whether an Information Practice is a dark pattern.
Notice at Collection. The Modified Regs propose to permit First Party and Third Party collectors of PI on a website to “provide a single Notice at Collection that includes the required information about their collective Information Practices,” streamlining the First and Third Party online collection notice requirements previously proposed. See 11 CCR § 7012(g).
Your Privacy Choices. The Modified Regs at § 7015 do not propose material changes to what was already proposed regarding the alternative “Your Privacy Choices” / “Your California Privacy Choices” opt-out links, but clarify where the associated opt-out icon should be placed and the appropriate size for the opt-out icon.
Sensitive Personal Information. The Modified Regs at § 7027(a) clarify that SPI that is not Collected or Processed to infer characteristics about a Consumer is not subject to requests to limit. The Modified Regs provide examples of instances when SPI may be collected but not used to infer characteristics about a Consumer, such as when a Business allows Consumers to search for sensitive content (e.g., articles about a health condition) via a search feature without other use of the data. The Modified Regs also eliminate the requirement for Businesses to provide notice of a conflict between uses of SPI requested by a Consumer and a prior limitation request.
Contracts Between the Business and its Service Providers or Contractors. The Modified Regs were revised at § 7050 to align more closely with the Act’s statutory text and to set forth more precisely what must be included in a written contract between Businesses and their Service Providers and Contractors. The Modified Regs also clarify that the permitted Business Purposes for which a Service Provider / Contractor may use PI apply even if not specifically enumerated in the underlying services agreement with the Business. However, they also clarify that a vendor will not qualify as a Service Provider or Contractor unless it has a written agreement with the Business that includes the contracting requirements set forth in the regulations.
Vendors to “Nonbusiness” Entities. The provisions regarding a Business acting as a processing vendor (e.g., cloud services) for a non-profit have been changed to treat the vendor as a Business controlling the PI for purposes of receiving and acting on Consumer requests (e.g., deletion) to the extent the vendor makes use of the PI for its own purposes (e.g., improving the vendor’s products or services). See former Section 7051(a) and new Section 7050(g).
Third Parties. New Section 7052(b) provides that Third Parties (including Non-Business Entities) that do not have a contract meeting the contracting requirements of Section 7053 with a Business that Sells or Shares PI with them are prohibited from using the PI received from the Business. Proposed Section 7053(b)’s requirement that contracts between First Parties and Third Parties permitted to collect PI on the First Party’s online service obligate the Third Party to look for and honor online preference signals was deleted “to simplify implementation.” There are also material modifications to the originally proposed obligations of First Parties to pass through Do Not Sell / Share and Limit SPI requests to Third Parties (but no change to the deletion request pass-through).
Opt-Out Preference Signals. The Modified Regs no longer require Businesses to display the status of the Business’s Processing of the Consumer’s opt-out preference signal. A Business may still optionally display on its website whether it has processed the Consumer’s opt-out preference signal as a valid request to opt out of Sale/Sharing. See 11 CCR § 7025(c)(3) and (6).
Financial Incentives. The Modified Regs strike the term “Financial Incentive” throughout Article 7 (regarding non-discrimination), indicating that the data valuation requirements do not apply to all Financial Incentive programs, but only to those activities that result in a price or service difference based on the Consumer’s exercise or non-exercise of a Consumer right (e.g., Do Not Sell/Share).
For more information on the impact of the Modified Regs, contact the authors or your SPB relationship partner. CPW will continue to cover the CPRA rulemaking process and other state privacy law developments, as well as federal legislative and regulatory efforts.