California: CPPA draft proposed regulations – what you need to know
On 21 April 2022, rulemaking authority under the California Consumer Privacy Act of 2018 ('CCPA') was formally transferred to the California Privacy Protection Agency ('CPPA'). Shortly after, on 5 May 2022, the existing CCPA Final Regulations were transferred to Title 11, Division 6 of the California Code of Regulations, bringing them within a part of the Code of Regulations under the jurisdiction of the CPPA. Finally, on 27 May 2022, the CPPA announced that it would hold a board meeting on 8 June 2022 to discuss, among other things, its own draft proposed regulations under the CCPA ('the CPPA Draft Proposed Regulations'), which were released alongside the meeting notice and agenda.
In this article, OneTrust DataGuidance provides an overview of the CPPA Draft Proposed Regulations, key additions and deletions compared to the original CCPA Final Regulations, and what businesses can anticipate next.
The new CPPA Draft Proposed Regulations address various key areas, including, among others, transparency and matters around notices, consumer rights, service provider and third party contracts, and a clarification on additional themes such as financial incentives. Notably, however, this set of CPPA Draft Proposed Regulations is only one set of the expected package of regulations. Additional regulations are anticipated on further topics such as Data Protection Impact Assessments, automated processing, and profiling, among a few other topics.
Transparency and notice to consumers
One addition within the CPPA Draft Proposed Regulations includes a provision on the requirements for disclosures and communications to consumers. This requires that disclosures to consumers be easy to read and understandable, using plain, straightforward language and avoiding technical or legal jargon. In addition to this general requirement, the CPPA Draft Proposed Regulations note that disclosures should also:
- use a format that makes the disclosure readable, including on smaller screens, if applicable;
- be available in the languages in which the business, in its ordinary course, provides contracts, disclaimers, sale announcements, and other information; and
- be reasonably accessible to consumers with disabilities.
The CPPA Draft Proposed Regulations also set out what a business's privacy policy must contain. A privacy policy must include:
- a comprehensive description of online and offline practices regarding the collection, use, sale, sharing, and retention of personal information, including:
  - the categories of personal information collected in the preceding 12 months;
  - the categories of sources from which personal information is collected;
  - in a meaningful way, the specific business or commercial purpose for collecting any personal information, as well as the purpose for any sale or sharing of personal information;
  - the categories of personal information, if any, that the business has sold to or shared with third parties in the preceding 12 months, and the categories of third parties to which this information was sold or with which it was shared, or a statement that no such sale or sharing has occurred;
  - a statement on whether the business has actual knowledge that it sells or shares personal information of consumers under 16 years of age, the categories of personal information involved, and the categories of third parties to which the information is disclosed; and
  - a statement on whether the business discloses sensitive personal information, the categories of personal information involved, and the categories of third parties to which the information is disclosed;
- an explanation of consumers' rights under the CCPA, namely:
  - the right to know;
  - the right to delete;
  - the right to correct;
  - the right to opt out of the sale or sharing of personal information;
  - the right to limit the use or disclosure of sensitive personal information; and
  - the right not to receive discriminatory treatment;
- an explanation of how consumer rights can be exercised and the process the consumer can expect; and
- if the business is subject to the data reporting requirements under the CPPA Draft Proposed Regulations, the information required to be provided in this regard, or a link to that information.
With respect to contracts, the CPPA Draft Proposed Regulations include contractors and third parties, alongside service providers, in the requirements, and detail certain prohibited actions with respect to retaining, using, or disclosing personal information obtained in the course of providing services.
Additionally, the CPPA Draft Proposed Regulations set out, in detail, the contract requirements for contractors and service providers, noting that such contracts must, among other things:
- prohibit the sale or sharing of personal information received from, or on behalf of, the business;
- identify the specific business purpose(s) and service(s) for which processing is carried out on behalf of the business, and prohibit the retention, use, or disclosure of personal information received from, or on behalf of, the business for:
  - purposes other than those specified in the contract or as otherwise permitted by the CCPA and the CPPA Draft Proposed Regulations;
  - commercial purposes; and
  - purposes outside the direct business relationship, unless expressly permitted;
- specify that the business is disclosing personal information only for the limited and specified business purpose(s) set out in the contract;
- grant the business the right to take reasonable and appropriate steps to ensure that personal information is used in a manner consistent with the business's obligations;
- require the service provider or contractor to notify the business no later than five business days after determining that it can no longer meet its obligations;
- grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorised use of personal information; and
- require the business to inform the service provider or contractor of any consumer requests that it must comply with, and to provide the service provider or contractor with the information necessary to comply with the request.
Regarding third parties, the CPPA Draft Proposed Regulations separate the provisions on contracts with third parties from those on contracts with service providers and contractors. The provisions applicable to third parties closely track those for service providers and contractors, but differ in some respects and are narrower in certain circumstances.
The CPPA Draft Proposed Regulations contain several additions regarding requirements to comply with consumer rights, such as direct obligations for businesses and explanations on processes and what these should look like.
For example, the CPPA Draft Proposed Regulations require businesses to design and implement methods for submitting consumer requests, and for obtaining consumer consent, that incorporate certain principles. Specifically, the methods must be easy to understand; there must be symmetry in choice (meaning that a consumer's path to exercise a more privacy-protective option must not be longer than the path to exercise a less privacy-protective option); they must avoid confusing language or interactive elements, as well as manipulative language or choice architecture; and they must be easy to execute.
Moreover, as outlined above, a privacy policy must explain how consumer rights can be exercised and what process the consumer can expect. This includes:
- an explanation of the methods by which consumers can exercise their rights;
- instructions for submitting a request, including links to online request forms or portals;
- a general description of the process the business uses to verify consumer requests to know, delete, and correct their personal information, including the information the consumer must provide;
- an explanation of how the business processes opt-out preference signals for the consumer and how such a signal can be used;
- an explanation of how authorised agents can make requests on behalf of a consumer; and
- contact details to which the consumer can submit questions or concerns about the business's privacy policies and practices.
Finally, the CPPA Draft Proposed Regulations also include various amendments for the different consumer rights on topics such as timelines for responding to requests, and additional details and clarifications regarding the specific consumer rights.
Final CCPA Regulations versus CPPA Draft Proposed Regulations
Therefore, we can see from the above that the CPPA Draft Proposed Regulations have made some changes, additions, and reshuffling of provisions and wording compared to the original CCPA Final Regulations from the California Attorney General ('AG'). In this regard, Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild LLP, outlined that the main differences to the AG's CCPA Final Regulations include:
- "Fulsome provisions regarding how 'relevant and proportionate', [namely] 'data minimisation', will work in practice, which is tied to the reasonable expectations of the consumer and is very similar to the GDPR.
- Details with respect to the various required notices and how they work. It is clear that notices at collection will require more detail than they had to date, and may involve additional parties (due to controlling the collection). [Changes also include a]dditional detail regarding the notice of opt out (of sale/sharing), and the alternative frictionless method.
- Big emphasis on dark patterns in disclosures and in the consumer request process. This is in line with the Federal Trade Commission approach on this issue.
- Additional provisions regarding the contracts with service providers and third parties. It seems that the absence of a contract can change the status of a service provider or make processing prohibited by a third party. [It m]ay be an independent obligation on service providers to have these agreements.
- Much needed clarification that a financial incentive is when the incentive is really for the data, and not just somehow involving the collection of data".
This first set of CPPA Draft Proposed Regulations has been greatly anticipated, and it remains to be seen what the CPPA further clarifies in its meetings on further rulemaking, particularly with additional regulations expected on topics not addressed in this first set. This gives businesses much to consider, and Kagan noted that "[t]he [CPPA Draft Proposed Regulations] clearly show that, as the old saying goes: 'The time is short and the work is great'. There are a lot of things to do for the [California Privacy Rights Act of 2020]. Some we know about, [while for] others, some of us suspected we would need but were hoping that was not the case, and still others are new requirements from the CPPA Draft Proposed Regulations. The time to start tackling this is now".
Iana Gaytandjieva, Lead Privacy Analyst
Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy
Fox Rothschild LLP, Philadelphia