California: California Privacy Protection Agency treads carefully in lead-up to CPRA rulemaking process
Many businesses continue to grapple with their privacy compliance in the wake of the California Consumer Privacy Act of 2018 ('CCPA'), which took effect in January 2020. On the heels of these compliance efforts, the California Privacy Rights Act of 2020 ('CPRA') was passed through a ballot initiative in November 2020. Caitlin Metcalf, Kris Ekdahl, and Max Blinder-Acenal, respectively U.S. Senior Associate, U.S. Senior Associate, and Associate at Linklaters LLP, summarise the CPRA rulemaking process and analyse three of the eight issues of the CPRA flagged by the California Privacy Protection Agency ('the Agency') for comment.
The CPRA not only amended and extended the CCPA, but also established the Agency to issue rules and regulations and to enforce both the CCPA and CPRA.1 The Agency is focused on implementing the CPRA, which takes effect on 1 January 2023, and is now preparing to begin the CPRA rulemaking process.
A look back at the CCPA rulemaking process
For comparison, the Attorney General's ('AG') Office began the preliminary CCPA rulemaking process a year ahead of the law's effective date, but with seven public forums and over 300 written comments received during the three rounds of public comment, the implementing regulations were not finalised until roughly eight months after the CCPA took effect. After extensive comments, the final regulations juggled the interests and practical concerns of multiple stakeholders and industry groups, but left certain questions unanswered. With a newly formed Agency at the helm, the CPRA's 1 July 2022 deadline2 for final implementing regulations seems ambitious. Applying lessons learned from the CCPA rulemaking process may help streamline the CPRA implementation guidelines and fill in any gaps. The mid-2022 deadline will also give businesses six months to prepare their compliance efforts before the law takes effect and will provide some buffer for the Agency to make any amendments as necessary.
Agency call for comments on the CPRA
On 22 September 2021, the Agency published an invitation for public comment on the proposed rulemaking under the CPRA, which highlighted eight issues on which the Agency would be most interested in receiving comments.3 All public comments were due 8 November 2021, and we expect it may take the Agency until the end of the calendar year (and beyond) to review the comments and officially kick off the notice of proposed rulemaking. The rulemaking process will involve public forums and possibly multiple rounds of public comment before the Agency is in a position to issue implementation guidance in mid-2022.
In this article, we focus on three of the eight issues flagged by the Agency for comment, all three of which relate to provisions that confer rights to California residents:
- Topic 4: the consumers' right to delete, right to correct, and right to know;
- Topic 5: the consumers' rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information; and
- Topic 6: the consumers' rights to limit the use and disclosure of sensitive personal information.
The other topics on which the Agency solicited public comment include processing that presents a significant risk to consumers' privacy or security (cybersecurity audits and risk assessments performed by businesses), automated decision-making, audits performed by the Agency, the information to be provided in response to a consumer request to know (specific pieces of information), and definitions and categories.
The abovementioned rights are novel in the US and provide consumers with a tremendous amount of control over their personal information; these rights also pose some of the largest risks to businesses that process large amounts of consumer personal information. Thus, it is critical for such businesses to pay close attention to how the Agency will implement the CPRA.
The consumers' right to delete, right to correct, and right to know
Under the CCPA and CPRA, California consumers have a number of rights over the personal information held by businesses. These include, among others:
- the right to request deletion of personal information;
- the right to know what personal information is being collected, how that information was collected, and the purposes or uses of that information, and the right to access the categories or specific pieces of personal information;
- the right to know what categories of personal information are being sold or shared, and to whom; and
- the right to request correction of inaccurate personal information.
The last of these, the right to correct, is a right which the CPRA added to the CCPA and for which the Agency is tasked with drafting the regulations.4
The invitation for comments highlights a list of specific sub-topics within this broader topic on which the Agency wants comments to focus. These sub-topics relate primarily to the CPRA's addition, the right to correct, and include prompts related to:
- new or changed rules and procedures for consumers to request that a business correct inaccurate personal information;
- the frequency at which consumers should be permitted to make requests and under what conditions they may do so;
- the manner in which a business should respond to such requests and what it should do to prevent fraud;
- under which circumstances a business should be exempted from responding to a request because it is 'impossible, or involve[s] a disproportionate effort'5 or because the allegedly inaccurate information is in fact accurate; and
- if the business rejects a request, when the consumer should be permitted to include an addendum to their record with the business.
It is apparent from these topics that the Agency is seeking to find a middle ground that best weighs the interests of consumers and businesses. Consumers have a clear interest in correcting inaccurate information kept by a business, and businesses should also want to make it easy for consumers to update their information, as more accurate information in a database translates to better insights, better targeting, and better outcomes for the business. But at the same time, businesses still want protections from fraudulent or disproportionately onerous correction requests.
The consumers' rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information
The CCPA conferred on California consumers the right to opt-out of companies selling their personal information. This requires that companies provide consumers an online mechanism (e.g. a website form) to effectuate such opt-outs, which has already been the subject of much commentary as well as rulemaking by the AG last year. However, the CPRA now requires that the Agency establish additional rules regarding the sale opt-out right as well as rules aimed at limiting the use and disclosure of 'sensitive personal information' (defined below).
The specific topics on which the Agency is most interested in stakeholder feedback include:
- the rules and procedures that would best permit consumers to limit the use of their sensitive personal information;
- the requirements and technical specifications for an opt-out preference signal sent by a platform, technology, or mechanism, indicating that a consumer wishes to opt-out of the disclosure of their personal information or wishes to limit the use or disclosure of their sensitive personal information;
- the technical specifications for an opt-out preference signal permitting consumers or their guardians to specify that they are under 13 years old or between 13 and 16 years old;
- the way a business should process preference signals invoking a consumer's right to opt-out of sales of their personal information; and
- the way businesses should provide consumers who have previously opted out through a preference signal the opportunity to consent to the sale or disclosure of their personal information or the use and disclosure of their sensitive personal information.
The right to opt-out of sales of personal information is one of the most powerful tools that the CCPA and the CPRA have provided consumers. Unlike the rights to delete, know, and correct, which require that consumers make requests, it allows consumers to quickly and easily invoke their right to opt-out by clicking on a conspicuous button or link on a business' website and mobile app.
Moreover, there are potential inconsistencies between the CCPA and the CPRA as they relate to opt-out requests made through a Global Privacy Control ('GPC'), which has led to a great deal of confusion. Namely, the CCPA regulations under §999.315(c) of Title 11 require businesses to 'treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer's choice to opt-out of the sale of their personal information as a valid request'. That reads as a mandatory requirement to honour opt-outs made through GPCs, an interpretation supported by the fact that in July 2021 the AG updated its CCPA Frequently Asked Questions to instruct businesses to honour GPC opt-outs.6
However, §1798.135(b)(1) of the CPRA suggests that a GPC may be merely discretionary if businesses provide other compliant methods for sale opt-outs, i.e. an opt-out preference signal. The Agency will likely see comments reflecting these inconsistencies and will hopefully then seek to clear up the confusion.
The consumers' rights to limit the use and disclosure of sensitive personal information
The CPRA amended the CCPA to include an additional category of information called sensitive personal information. The CPRA further directs the Agency to issue new rules and regulations and amend existing ones to enforce the newly conferred right to limit the use and disclosure of this sensitive personal information. Sensitive personal information includes:
- consumers' social security, driver's license, state identification card, or passport number;
- consumers' account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
- consumers' precise geolocation;
- consumers' racial or ethnic origin, religious or philosophical beliefs, or union membership;
- the contents of consumers' mail, email, and text messages unless the business is the intended recipient of the communication; and
- genetic data.7
This new right imposes several obligations on businesses, including providing notice to consumers that the business is using such information and may disclose it to third parties, and that the consumer has the right to limit the business' use and/or disclosure of the sensitive personal information, except where such information is necessary for the business to provide the goods or services requested by the consumer.8
Regarding this new right, the Agency asked for comments on:
- when sensitive personal information should be considered 'collected or processed without the purpose of inferring characteristics about a consumer'9, an exception that puts the collection of sensitive personal information outside the scope of the right; and
- when a business may use or disclose sensitive personal information even though a consumer has already invoked their right to limit its use or disclosure.
The Agency's focus on the exceptional situations in which the consumer's right to limit the use or disclosure of their sensitive personal information does not apply may signal that the Agency acknowledges that the collection and use of this information is critical to the success of many businesses. In particular, the Agency's focus on the exception that businesses may still collect and use sensitive personal information that is 'collected or processed without the purpose of inferring characteristics about a consumer' demonstrates that the Agency is concerned about businesses using the information to target individuals based on particular sensitive characteristics. At the same time, this may signal that the Agency does not intend to focus its enforcement on those businesses that collect and use sensitive personal information for other purposes.
A look ahead
Based on comments made by the Chair of the Agency's Board, Jennifer Urban, a notice of proposed rulemaking can be expected by January 2022 once the Agency has had an opportunity to digest the initial comments received by the 8 November 2021 deadline. Public hearings should follow shortly thereafter, and the final regulations are targeted to be delivered to the California Office of Administrative Law, likely in May 2022, in advance of the July deadline. As the rulemaking process commences over the coming months, businesses should closely watch how the Agency addresses the feedback received and what new issues may come to light. Even businesses and stakeholders that missed the 8 November 2021 deadline should participate in the upcoming process and ensure their voice is heard.
Caitlin Metcalf U.S. Senior Associate
Kris Ekdahl U.S. Senior Associate
Max Blinder-Acenal Associate
Linklaters LLP, New York, London, and Washington D.C.
1. Under §1798.199.10(a) of the California Civil Code ('Cal. Civ. Code').
2. Under Cal. Civ. Code §1798.185(d).
3. Available at: https://cppa.ca.gov/regulations/pdf/invitation_for_comments.pdf
4. Under Cal. Civ. Code §§1798.105, 1798.106, 1798.110, 1798.115, and 1798.130.
5. Under Cal. Civ. Code §1798.185(a)(8)(A).
6. Available at: https://oag.ca.gov/privacy/ccpa
7. Under Cal. Civ. Code §1798.140(ae).
8. Under Cal. Civ. Code §1798.121.
9. Under Cal. Civ. Code §1798.121(d).