The new California Privacy Protection Agency (the Agency) quietly released a preliminary draft of its regulations implementing the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), on May 27, 2022. The 66-page draft includes seven full pages of detailed requirements for obtaining and honoring consumer opt-outs of the sale and sharing of personal information, but it does not address a number of the hot-button privacy topics identified in the Agency’s grant of rulemaking authority.
The Agency is required to conduct a formal notice-and-comment process on the proposed regulations, so further changes are highly likely. However, some of the more complex proposed obligations – particularly those concerning opt-outs of sales and sharing – will require significant preparation, planning and budget to implement. Because the rules are unlikely to be finalized before the CPRA’s effective date of January 1, 2023, businesses should start planning their overall approach now.
Range of topics covered
Key points to remember
It will take business and legal teams some time to fully digest the implications of this lengthy draft and to begin strategizing on how to operationalize its concepts while leaving room for the inevitable changes before the regulations become final. On a first reading, however, several themes and likely operational challenges emerge:
- Emphasis on user-friendly presentation of privacy choices. The draft rules set out a detailed view of how a consumer should experience the privacy choice process, including requiring the process to be “easy to understand”, prohibiting “dark patterns”, requiring “symmetry in choice” and prohibiting manipulative language. This would give the Agency significant leeway to take action against businesses based on subjective judgments about their websites. In addition, businesses are likely to encounter tension between this principle and the complex website disclosure and pop-up requirements described below.
- Confusion over whether the law is opt-out or opt-in. The CCPA/CPRA is an opt-out law; consent is required only for the sale or sharing of personal information relating to consumers under the age of 16, or for secondary uses not disclosed at the time of collection. But the proposed rule requiring that “the collection, use, retention and/or sharing” of personal information be “reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or otherwise processed” appears to require opt-in consent for many collections of sensitive personal information and for many sales of personal information. The examples offered to illustrate the rule suggest that explicit consent would be required for the collection of geolocation information through a mobile application, for the sale of geolocation information, and for the disclosure of a customer mailing list where it would be used to market other companies’ products and services. This interpretation has significant implications: it is difficult to see how most, if not all, sales of personal information could be “necessary” to provide products and services.
- Strengthened downstream accountability. Sections 7051 and 7053 set out the requirements that would apply to vendor contracts. Notably, the draft would apparently create a new obligation for businesses to conduct due diligence on service providers, contractors and third parties. § 7051(e) (“[w]hether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and these regulations”); § 7053(e) (similar). Contracts with service providers, contractors and third parties would also be required to state the “specific” purpose for which personal information is disclosed, and that statement cannot be “in generic terms”, which could mean significant work for businesses to update existing contracts. §§ 7051(a)(1), 7053(a)(1).
Other noteworthy provisions
- The draft would create new definitions for squishy terms such as “disproportionate effort” and “frictionless manner”. §§ 7001(h), (k). While perhaps useful in theory, these definitions seem to have little grounding in actual business operations.
- Requests to opt out of sale and/or sharing need not be verifiable, and they must be passed on to third parties. §§ 7026(d), (f).
- Section 7050(c) would clarify that an entity that contracts with a business to provide targeted advertising, i.e. “cross-context behavioral advertising”, cannot be a service provider but is instead a third party, and that this sharing is subject to the opt-out.
- Similarly, a self-service cookie management tool alone would not be sufficient as a method for submitting opt-out requests for sale and/or sharing, because a cookie-control tool addresses the collection of personal information via cookies rather than its sale or sharing. § 7026(a)(4).
- Businesses would be required to list in their privacy policies the names of all third parties that the business allows to collect personal information from the consumer, which would include the names of all third parties that place cookies on the business’s website. § 7012(g).
- If a business receives a request to correct information it obtained from a data broker, it must both correct the information and ensure that it is not overwritten by inaccurate information subsequently received from that data broker. See § 7023(c). The business must also disclose to the consumer the name of the data broker that supplied the inaccurate information. § 7023(i).
What happens next
Although the CPRA requires the Agency to finalize the regulations by July 1, 2022, the state’s protracted regulatory process means that final regulations are unlikely before January 2023, if not later. The Agency’s next public meeting is scheduled for June 8, 2022, and it has placed discussion of the draft regulations on the agenda.