California: Revised Proposed CCPA Regulations – key amendments
The California Privacy Protection Agency ('CPPA') released, on 3 November 2022, a revised version of the proposed regulations ('the Revised Proposed Regulations')1 under the California Consumer Privacy Act of 2018 ('CCPA'). In particular, the Revised Proposed Regulations make amendments in regard to the collection and use of personal information and sensitive personal information, requirements surrounding opt-out preference signals and the right to opt-out of sales, and the obligations of service providers and contractors. OneTrust DataGuidance breaks down the key amendments since the Draft Proposed Regulations were released on 8 July 2022.
The Revised Proposed Regulations amend and introduce definitions including 'disproportionate effort', 'Alternative Opt-Out Link', and 'non-business'. The explanation for the modified text of the Proposed Regulations ('the explanation')2 clarifies that 'disproportionate effort' applies to service providers, contractors, and third parties in addition to businesses, and provides more detail on the factors to be considered in evaluating whether responding to a consumer request would require disproportionate effort. These include the reasonably foreseeable impact to the consumer of not responding, taking into account applicable circumstances such as the size of the business, service provider, contractor, or third party, the nature of the request, and the technical limitations affecting their ability to respond.
Furthermore, 'non-business' is defined as a person or entity that does not meet the definition of a 'business' in §1798.140(d) of the California Civil Code. The explanation highlights that non-profits and government entities are non-businesses because 'business' is defined, among other things, to include only entities 'organised or operated for the profit or financial benefit of its shareholders or other owners.'
Restrictions on the collection and use of personal information
The Revised Proposed Regulations clarify that the purpose(s) for which personal information is collected or processed must be consistent with the reasonable expectations of the consumer whose personal information is collected or processed. This will be based on factors including:
- the relationship between the consumer and the business;
- the type, nature, and amount of personal information that the business seeks to collect or process;
- the source of the personal information and the business' method for collecting or processing it;
- the specificity, explicitness, prominence, and clarity of disclosures to the consumer(s) about the purpose for collecting or processing their personal information, such as in the notice at collection and in the marketing materials to the consumer(s) about the business' good or service; and
- the degree to which the involvement of service providers, contractors, third parties, or other entities in the collecting or processing of personal information is apparent to the consumer(s).
In regard to further processing, the Revised Proposed Regulations provide that whether another disclosed purpose is compatible with the context in which the personal information was collected will be based on factors including:
- the consumer's reasonable expectations concerning the purpose for which the personal information will be collected or processed;
- the other disclosed purpose for which the business seeks to further collect or process the consumer's personal information; and
- the strength of the link between the first two factors, i.e. between the consumer's reasonable expectations and the other disclosed purpose.
Importantly, the Revised Proposed Regulations establish that a business' collection, use, retention, and/or sharing of a consumer's personal information must also be reasonably necessary and proportionate. This will be assessed against the minimum personal information that is necessary to achieve the identified purpose, the possible negative impacts on consumers posed by the business' collection or processing of the personal information, and the existence of additional safeguards for the personal information that specifically address those possible negative impacts.
Notice at collection of personal information
The Revised Proposed Regulations amend the information that must be provided to consumers when personal information is being collected. Specifically, the requirement for businesses to identify, within the notice at collection, the names of the third parties that control the collection of personal information has been removed. In addition, data brokers are not required to provide a notice at collection where they collect personal information from a source other than the consumer. Moreover, a first party and a third party may now provide a single notice at collection that includes the required information about their collective information practices.
Finally, in regard to notification for children, the Revised Proposed Regulations clarify that businesses do not need to notify consumers at least 13 years of age and less than 16 years of age of their right to opt-out of sale/sharing at a later date; instead, businesses must notify such consumers, at the moment the opt-in request is received, that they have an ongoing right to opt-out of sale/sharing at any point in the future.
Sensitive personal information
The Revised Proposed Regulations have made a number of amendments in regard to notifications associated with sensitive personal information. In particular, businesses are no longer required to provide a 'Notice of Right to Limit' or 'Limit the Use of My Sensitive Personal Information' link if the business only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer. In addition, where a business only uses or discloses sensitive personal information for specified purposes, provided that the use or disclosure is reasonably necessary and proportionate for those purposes, it will not be required to provide a 'Notice of Right to Limit' or provide a method for submitting a request to limit.
Use of sensitive personal information
The Revised Proposed Regulations further clarify the instances in which sensitive personal information can be used. For example, they establish that sensitive personal information may be used to 'prevent' and 'investigate' security incidents, and note that the security incidents to be prevented, detected, or investigated do not need to meet every descriptive qualifier listed in the provision.
Opt-out preference signals and right to opt-out of sales
More generally, the Revised Proposed Regulations highlight that businesses that do not sell or share personal information do not need to process an opt-out preference signal as a valid request to opt-out, and make it optional for businesses to notify the consumer when an opt-out preference signal conflicts with the consumer's participation in a financial incentive program. In line with the above, the Revised Proposed Regulations have also made it optional for the business to provide a means by which the consumer can confirm that their request to opt-out of sale/sharing has been processed. Importantly, however, where the consumer is known to the business, the business must not interpret the absence of an opt-out preference signal as consent to opt in to the sale or sharing of personal information, as this would not meet the requirements of §§1798.120(d) and 1798.140(h) of the Civil Code.
The Revised Proposed Regulations outline that, in regard to requests to correct information such as Social Security numbers and driver's license numbers, a business must not disclose such information, but may instead provide a way for the consumer to confirm that the personal information it maintains is the same as what the consumer has provided.
In regard to compliance with consumer requests, it is now optional for businesses to provide a means by which the consumer can confirm that their request to limit has been processed.
More importantly, the Revised Proposed Regulations establish that whether an entity that provides services to a non-business must comply with a consumer's CCPA request will depend upon whether the entity is itself a 'business', as defined in §1798.140 of the California Civil Code.
The Revised Proposed Regulations amend several design requirements for the methods of submitting CCPA requests and obtaining consumer consent. For instance, they clarify that the path for a consumer to exercise a more privacy-protective option must not be longer, more difficult, or more time-consuming than the path to exercise a less privacy-protective option. Furthermore, the Revised Proposed Regulations explain that businesses must not design their methods in a manner that would impair the consumer's ability to exercise their choice, since consent must be freely given, specific, informed, and unambiguous. They give the example of a consumer having to click through disruptive screens before being able to submit a request to opt-out of sale/sharing as a choice architecture that impairs or interferes with the consumer's ability to exercise their choice.
Service providers, contractors, and third parties
The Revised Proposed Regulations stipulate that third parties are contractually required to treat personal information that businesses make available to them in the same manner the business is required to treat it under the CCPA. Third parties may themselves use service providers or contractors to provide advertising and marketing services. However, the Revised Proposed Regulations prohibit entities defined as service providers or contractors from combining personal information for advertising and marketing services. The Revised Proposed Regulations confirm that an entity doing so would instead constitute a third party, and not a service provider or contractor, with respect to cross-context behavioural advertising services.
The Revised Proposed Regulations also provide an exception under which service providers or contractors may retain, use, or disclose personal information collected pursuant to their written contract with the business to prevent, detect, or investigate data security incidents, or to protect against malicious, deceptive, fraudulent, or illegal activity, even if that business purpose is not specified in the written contract required by the CCPA and the Proposed Regulations. In addition, the Revised Proposed Regulations remove the five-day timeframe within which a service provider or contractor must notify a business that it can no longer meet its obligations under the CCPA and the regulations.
Finally, in relation to deletion requests, the Revised Proposed Regulations remove the requirement that service providers and contractors provide an explanation to the business where it is impossible, or would require disproportionate effort, to notify other service providers, contractors, or third parties of a consumer's request to delete.
The Revised Proposed Regulations are open for public comment until 21 November 2022.
OneTrust DataGuidance confirmed, on 1 November 2022, with David Stauss, Partner at Husch Blackwell, that the Board's General Counsel explained that the California Privacy Protection Agency ('CPPA') hopes to have final rules submitted to the Office of Administrative Law for review by the end of the year. If that timeframe holds, the regulations will become effective in late January or early February.
Keshawna Campbell, Manager - Privacy Research
1. Available at: https://cppa.ca.gov/meetings/materials/20221021_22_modtext.pdf
2. Available at: https://cppa.ca.gov/meetings/materials/20221021_22_item3_expmodtext.pdf