On May 27th, the California Privacy Protection Agency’s Board announced that its next meeting would be on June 8, 2022.
The agenda included Item No. 3: “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action.” The posted meeting materials include a copy of the “Draft Proposed CCPA Regulations” (Regulations).
The draft Regulations retain the pre-existing CCPA regulations while modifying some of them and proposing new ones. As a result, many attorneys spent many hours over the Memorial Day holiday weekend poring over the 66-page draft Regulations, trying to develop insight and analysis.
One week later on June 3, the Board provided insight and analysis, releasing more materials in preparation for the June 8th Board meeting: the Draft Initial Statement of Reasons (ISOR) and helpful FAQs, providing much needed insight into the proposed changes.
This is a short turnaround time in which to develop analysis and opinions, but 10 days' notice is all that is required to post a meeting agenda under the Bagley-Keene Open Meeting Act.
As a point of clarification, the ISOR makes clear that while it may be fashionable to call the draft regulations “CPRA regulations,” these regulations are draft amended “CCPA regulations” because the CPRA amends the CCPA: the “proposed regulations operationalize the CPRA amendments to the CCPA.”
Despite what the Regulations are called, they appear to take a prescriptive approach to many topics. Early public feedback has even called the proposed regulations too sweeping. Perhaps they feel this way because the Board stated the regulations are intended to “build upon the development of privacy-forward products and services.” It would appear that there will be a need for covered businesses to develop and invest in privacy technologies.
Below are some examples of how the Board proposed implementing its rules and procedures:
Scope of Rulemaking
In the ISOR, the Board also lists its proposed scope for rulemaking:
- Notices: Establish rules, procedures, and exceptions to provide notices;
- Audit Authority: Define scope and process for the Agency’s audit authority;
- Filing Complaints: Establish procedures for filing complaints with the Agency;
- Limitations on Use: Identify the purposes for which service providers and contractors may use consumers’ personal information;
- Limitations on Purpose: Establish rules defining the notified purposes for which consumer personal information may be collected, used, retained, and shared;
- Limitations on Sensitive Personal Information: Establish regulations governing the use or disclosure of a consumer’s sensitive personal information;
- Opt-Out Preference Signals: Define the requirements and specifications of the signal as well as establish how businesses respond to it;
- Opt-Out Requests: Establish rules and procedures to facilitate and govern the submission of a consumer’s request to opt-out of sale/sharing;
- Opt-Out Harmonization: Harmonize regulations governing opt-out mechanisms, notices, and other operational mechanisms to promote clarity and functionality; and
- Access Requests: Establish rules and procedures on how to facilitate the right to delete, correct, or obtain personal information; rules on how to both request (consumer) and to respond to requests (businesses); rules on concerns regarding accuracy; rules on how to prevent fraud; and establish procedures to extend the 12-month period of disclosure of information after a verifiable consumer request.
Benefits from Anticipated Regulatory Action
The ISOR states the proposed regulations “provide a number of significant benefits to Californians” and “provide comprehensive guidance to consumers, businesses, service providers, and third parties, on how to implement and operationalize new consumer privacy rights.” Additionally, the Board states that “[w]ith the goal of strengthening consumer privacy, the regulations support innovation in pro-consumer and privacy-aware products and services and help businesses efficiently implement privacy-aware goods and services.”
Examples of Proposed Rules, Requirements, or Procedures
- Honoring a Consumer’s Request to Opt-Out: Despite the CPRA’s text stating that it is optional to recognize Global Privacy Control opt-out signals, the new draft regulations propose that the recognition of the signals be mandatory; however, the technical specifications for opt-out preference signals are not mentioned. Additionally, the first party would have to require a third party to check for and comply with a consumer’s opt-out preference signal (unless the user informs the business of their consent to the sale or sharing of their personal information).
- User Opt-Out Controls: The new draft regulations propose that cookie management tools (i.e., cookie banners) do not meet the standard to constitute an opt-out request or a request to limit the use of sensitive personal information. Methods for submitting these requests must specifically address the sale and sharing of personal information or the right to limit the use of sensitive personal information.
- User Notice at Collection: The proposed rules provide that when more than one party controls personal information collection, all such parties must provide a very detailed “notice at collection” that accounts for all parties’ business practices. Additionally, the first party must either include “the names of all the third parties that the first party allows to collect personal information from the consumer,” or the information provided by the third party that would meet all of the requirements about its business practices.
- Data Privacy Addendums for Service Providers and Contractors: The addendums contain contract requirements that go beyond what most current privacy addendums look like. The proposed regulations provide that CPPA can evaluate whether the business conducted any due diligence to support a reasonable belief of privacy compliance,
- Business obligations: Businesses must notify service providers and contractors of a deletion request as well as all third parties with which the business has sold or shared that personal information.
- Dark Patterns: Any consent via the use of dark patterns will not be considered valid. The proposed regulations provide examples of methods for obtaining valid user consent.
- Audit Authority: There is a proposed right for the Agency to audit organizations to ensure compliance with the CCPA, including whether there is a possible violation, the collection or processing of personal data presents a significant risk to consumer privacy or security, or if there is a history of noncompliance with the CCPA or any other privacy protection law. No notice is required.
- Enforcement: Consumers, the CPPA, and the California Attorney General’s Office are all empowered to take action against businesses for perceived non-compliance with privacy obligations. Of note, the proposed regulations provide a “probable cause” standard for a privacy violation as well as proposed requirements for filing a sworn complaint and for Agency-initiated investigations.
- Key Omissions: The draft regulations do not cover all of the twenty-two regulatory topics set forth in Cal. Civ. Code § 1798.185(a). For example, children’s data is not included. Will regulations on children’s data be included in the next round of proposed regulations, or will the agency wait for the outcome of Assembly Bill 2273, the California Age-Appropriate Design Code Act? Topics such as automated decision-making, cybersecurity audits, and privacy risk assessments are expected to be addressed in a second rulemaking package.
- New Terms: Some new terms to get comfortable with: frictionless manner, symmetry in choice, and choice architecture.
At this point, it is unclear when the additional proposed regulations may appear. The Board indicated in its June 8th agenda that a Notice of Proposed Rulemaking may be announced at the upcoming Board meeting. Once the notice has been issued, a comment period of at least 45 days will be triggered, allowing stakeholders to provide feedback in the form of thoughtful suggestions and responses. It is likely that several board meetings and public hearings will occur before the Board submits the final rulemaking package.