California: CPPA revises draft proposed CCPA regulations
The California Privacy Protection Agency ('CPPA') released, on 17 October 2022, a revised version of the draft proposed regulations under the California Consumer Privacy Act of 2018 ('CCPA') as a part of its board meeting materials. In particular, the board meeting agenda details that the CPPA will discuss and take possible action on the proposed CCPA regulations under Sections 7000 to 7304 Title 11, Division 6 of the California Code of Regulations to implement, interpret, and make specific the CCPA, including possible adoption or modification of the draft proposed CCPA regulations.
Some of the key changes include:
- a revised definition of 'disproportionate effort' clarifying that it applies to service providers, contractors, and third parties in addition to businesses, and more details regarding the factors to consider in evaluating whether responding to a consumer request would require disproportionate effort;
- the reinstating of the requirement that a business' collection, use, retention, and sharing of a consumer's personal information be reasonably necessary and proportionate to achieve the purposes for personal information collection or processing, or for another disclosed purpose that is compatible with the context of the personal information collection;
- clarification on how to determine whether an additional 'disclosed purpose' is compatible with the context in which the personal information was collected;
- the removal of the requirement that the business identify the names of the third parties that control the collection of personal information within its Notice at Collection;
- clarification that a business does not need to provide a 'Notice of Right to Limit' or the 'Limit the Use of My Sensitive Personal Information' link if it only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer;
- amendments to requirements associated with the use of sensitive personal information, including its use to prevent and investigate security incidents;
- clarification that personal information may be used to 'prevent' and 'investigate' security incidents, even if this business purpose is not specified in the written contract required by the CCPA and the regulations;
- removal of the contractual requirement for third parties to check for and comply with a consumer's opt-out preference signal; and
- making it optional for the business to display the status of whether the business has processed the opt-out preference signal as a valid request to opt-out of sale/sharing on its website.
The board meeting will take place on 28 October 2022.