The California Privacy Protection Agency (“CPPA” or the “Agency”) published on November 3, 2022, a Public Notice of Proposed Modifications and Additional Materials Relied Upon, which starts what we hope is the last round of rulemaking to finalize the regulations for the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). The CPRA amendments to the CCPA go into effect on January 1, 2023. Those new provisions under the CPRA will become enforceable starting July 1, 2023, and the Agency will be able to bring enforcement actions for violations that occurred on or after July 1. This article summarizes the changes in the Proposed Regulations, what businesses can do now to comply with the January 1 deadline, and what to expect in terms of forthcoming regulations and enforcement of the new California requirements in 2023.

Key Takeaways

  • SPI and Opt-Out Preference Signal: There was significant discussion by the Agency on two topics, and therefore businesses should continue to monitor updated regulations in these areas: (1) the use and disclosure of sensitive personal information (“SPI”) and (2) opt-out preference signals.
  • DPA and Notice Requirements: No material changes were made in the November 3 modified draft of the regulations for requirements relating to data protection agreements (“DPA”), notice and privacy policies. The Agency did discuss creating in the future a DPA template that businesses could incorporate by reference, similar to a standard contractual clause that businesses can use to comply with the EU General Data Protection Regulation. For businesses that went forward with updating DPAs and prepared notices and privacy policies to go live on January 1 based on regulations that were proposed this past July, it is our assessment that there should be no material changes needed, at least for the January 1 deadline. For businesses that did not update the service provider and third-party contract terms or review the adequacy of the notices and privacy policies in the past year, they should now review them based on the November 3 draft regulations.

California Rulemaking Process

On October 28 and 29, the board of the Agency held a two-day meeting to discuss action regarding the Proposed Regulations to the CCPA. The purpose of the meeting was to decide what modifications the board would propose for additional public comment, which will trigger a 15-day public comment period.

The 15-day public comment period closed on Monday, November 21, 2022. The Agency’s staff (the “Staff”) are now preparing a final set of Proposed Regulations that will then come before the board; if the decision is made to adopt, then Staff will prepare a final Statement of Reasons and submit it to the Office of Administrative Law (“OAL”). OAL will have 30 days to review and approve the final regulation package. Keeping in mind the holiday season, the board estimated that the regulations would be approved by late January 2023 at the earliest.

Board Meeting and the Modified Proposed Regulations

After a day and a half of discussion, the board moved to open the modified text of the Proposed Regulations for public comment. Staff’s revisions to these modifications were published November 3, 2022, and are excerpted below in relevant part. The initial Proposed Regulations (noticed on July 8, 2022) are illustrated by single underline for proposed additions and single strikethrough for proposed deletions. Changes made after the 45-day comment period are illustrated by double underline for proposed additions and double strikethrough for proposed deletions. Revisions made during the meeting are bolded.

Section 7011, subsection (d): Display of Privacy Policy. The board has walked back its requirement that mobile apps “shall” include a link to the privacy policy in the application’s settings menu. With the revisions, the Modified Regulations read as follows:

The privacy policy shall be posted online and accessible through a conspicuous link that complies with section 7003, subsections (c) and (d), using the word “privacy” on the business’s website Homepage(s) or on the download or landing page of a mobile application. If the business has a California-specific description of consumers’ privacy rights on its website, then the privacy policy shall be included in that description. A business that does not operate a website shall make the privacy policy conspicuously available to consumers. A mobile application may include a link to the privacy policy in the application’s settings menu.

Section 7025, subsection (c): Opt-Out Preference Signals. Three high-level themes arose from the board’s discussion that businesses should be aware of: (1) the “known” user, (2) opt-out preference signal response obligations, and (3) revisiting items that were made optional to simplify implementation in a later rulemaking.

  1. Subparagraph (1): “Known” User. Staff indicated that while logged-in users have always been considered “known” users, some businesses may also use probabilistic identifiers, including pseudonymous profiles, to link anonymous users with certain browsers and devices, thereby making them “known” to the business to a certain extent. Therefore, Staff indicated that an opt-out preference signal for a user linked by such probabilistic identifiers should still be honored for that device and any consumer profile associated with that device. Subparagraph (1), as well as an example under subsection (c), subparagraph (7)(E), was revised as follows to reflect these sentiments:

(1) The business shall treat the opt-out preference signal as a valid request to opt-out of sale/sharing submitted pursuant to Civil Code section 1798.120 for that browser or device, and any consumer profile associated with that browser or device, including pseudonymous profiles. If known, the business shall also treat the opt-out preference signal as a valid request to opt-out of sale/sharing for the consumer. This is not required for a business that does not sell or share personal information.

(7) (E) Ramona clears her cookies and revisits Business P’s website with the opt-out preference signal enabled. Business P no longer knows that it is Ramona visiting its website. Business P shall honor Ramona’s opt-out preference signal as it pertains to her browser or device and any consumer profile the business associates with that browser or device.

What was not discussed, however, is the problem of multiple anonymous users on the same device and browser. For example, if User 1 is associated with Device A and Browser B, but User 2 opts out using Device A and Browser B, then that opt-out request would be incorrectly tied to User 1 based on reliance on probabilistic identifiers. Requiring businesses to assume an anonymous user is always associated with certain devices and browsers seems antithetical to the CCPA’s purpose of providing greater transparency to consumers; hopefully, the board will address this inconsistency in its later review.

  2. Subparagraphs (2) and (4): Response to Opt-Out Preference Signals. Board members expressed concern over how a business should respond to opt-out preference signals, particularly where (1) a business does not ask or (2) the signal conflicts with a financial incentive. As to the first concern, the Modified Regulations indicate that businesses must process opt-out preference signals as valid opt-out requests, regardless of whether the consumer responds to the business’s confirmation that the consumer would like to opt-out. This also extends to pseudonymous users, as such users are considered “known” under the most recent iteration of the Modified Regulations.

(2) The business shall not require a consumer to provide additional information beyond what is necessary to send the signal. However, a business may provide the consumer with an option to provide additional information if it will help facilitate the consumer’s request to opt-out of sale/sharing. Any information provided by the consumer shall not be used, disclosed, or retained for any purpose other than processing the request to opt-out of sale/sharing. For example, a business may give the consumer the option to provide information that identifies the consumer so that the request to opt-out of sale/sharing can apply to offline sale or sharing of personal information. However, if the consumer does not respond, the business shall still process the opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or device and any consumer profile the business associates with that browser or device including pseudonymous profiles. Any information provided by the consumer shall not be used, disclosed, or retained for any purpose other than processing the request to opt out of sale/sharing.

As to the second concern, the most recent modification of the Regulations shifts the language in subparagraph (4), subsection (c) of section 7025 from “shall” to “may” when referring to a business’s responsibility to notify a consumer of such a conflict. While Staff indicated that this modification was made to ease implementation at this time, there was significant discussion of a business’s ability to ignore the opt-out preference signal should a consumer not affirm their intent to withdraw, specifically in situations where a business does not ask. In the most recent version of the Modified Regulations, Staff added language that if an opt-out preference signal conflicts with a financial incentive and a business does not ask if the consumer would like to remain enrolled in the financial incentive, the business is to process the opt-out preference signal as a valid request to opt-out of sale/sharing.

(4) If the opt-out preference signal conflicts with the consumer’s participation in a business’s financial incentive program that requires the consumer to consent to the sale or sharing of personal information, the business may notify the consumer that processing the opt-out preference signal as a valid request to opt-out of sale/sharing would withdraw the consumer from the financial incentive program and ask the consumer to affirm that they intend to withdraw from the financial incentive program. If the consumer affirms that they intend to withdraw from the financial incentive program, the business shall process the consumer’s request to opt-out of sale/sharing. If the business asks and the consumer does not affirm their intent to withdraw, the business may ignore the opt-out preference signal with respect to that consumer’s participation in the financial incentive program for as long as the consumer is known to the business, but the business must display in a conspicuous manner the status of the consumer’s choice in accordance with section 7026, subsection (f)(4). If the business does not ask the consumer to affirm their intent with regard to the financial incentive program, the business shall still process the opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or device and any consumer profile that the business associates with that browser or device.

  3. Revisiting optional items. Staff acknowledged that they had heard the public comments from businesses concerned over the feasibility of the technical specifications required by law and shifted certain portions under subsection (c) of Section 7025 (which is about what a business should do when it receives or detects an opt-out preference signal) from “should” to “may.” Though board members agreed that moving forward with the CCPA Modified Regulations was paramount, members also expressed the desire to address these items in the future. Therefore, businesses should be aware that items such as the opt-out display signal contemplated in subparagraph (6), subsection (c) of Section 7025, which the CPPA made optional for ease of implementation, may come back into discussion in a later rulemaking.

Section 7026, subsection (a): Requests to Opt-Out of Sale/Sharing; Section 7027, subsection (b): Requests to Limit Use and Disclosure of Sensitive Personal Information. The board had lengthy discussions about “friction” and what level of friction is and is not permissible under the Regulations. In particular, the board revisited subparagraph (1), subsection (a) of section 7026, and revised this provision to indicate that only businesses that process opt-out preference signals in a frictionless manner can link to the privacy notice as a method of receiving consumer opt-out requests.

(1) A business that collects personal information from consumers online shall, at a minimum, allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through at least one of the following methods—an interactive form accessible via the “Do Not Sell or Share My Personal Information” link, the Alternative Opt-out Link, or the business’s privacy policy if the business processes an opt-out preference signal in a frictionless manner.

[Deleted text: treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer. (1) Any privacy control developed in accordance with these regulations shall clearly communicate or signal that a consumer intends to opt-out of the sale of personal information. (2) If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’s financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.]

The board similarly revised subparagraph (1), subsection (b) of section 7027 to remove a business’s privacy policy as an option for effectuating a right-to-limit request:

(1) A business that collects sensitive personal information from consumers online shall, at a minimum, allow consumers to submit requests to limit through an interactive form accessible via the “Limit the Use of My Sensitive Personal Information” link or the Alternative Opt-out Link.

Section 7027, subsection (m): Use and Disclosure of SPI. The board raised concerns over subsection (m) of section 7027 regarding the right to limit with respect to cross-context behavioral advertising—in particular, that not all use cases may correlate with the list promulgated in subsection (m). The specific example that was discussed at length was employee data, such as when employees volunteer racial and ethnic origin data for diversity, equity, and inclusion initiatives. The board concluded this discussion by agreeing that adoption of the Regulations should not be delayed by these concerns, but that further rulemaking may be necessary at a later date to address the gaps. This is to say that businesses may see flexibility with respect to SPI usage and disclosure in subsequent rulemakings, but that there are no material changes to a business’s SPI obligations at this time.

Staff also recommended nonsubstantive modifications to the following sections (including for typos, grammar, and mechanics):

  • 7001(b)
  • 7001(gg)
  • 7002(a)
  • 7002(a)(1)
  • 7002(d)
  • 7004(a)(2)
  • 7004(c)
  • 7012(g)(3)(a)
  • 7022(b)(2)
  • 7023(d)(1)
  • 7028(a)
  • 7050(a)
  • 7050(e)
  • 7050(g)
  • 7051(a)(3)

Businesses should keep in mind that the enforcement of these regulations as well as the CPRA amendments to the CCPA begins on July 1, 2023. The board noted that in practice, an enforcement action can take months to bring and added new language under section 7301, subsection (b), recognizing the industry’s concern that the regulations are still in draft form: “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.” This appears to signal that some amount of discretion will be applied to enforcing the new regulations and the CPRA amendments and that businesses should make good faith efforts now to comply, even while the rulemaking process is ongoing.