App sale

California’s first draft privacy regulations focus on opt-out rights and disclosures | Holland & Knight LLP

The new California Privacy Agency (the Agency) has quietly released a preliminary report draft of its draft regulations on May 27, 2022, implementing the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). The 66-page draft includes seven full pages of detailed requirements for obtaining and implementing consumer guidelines for selling and sharing personal information, but it doesn’t cover a number of hot topics. of confidentiality mentioned in the granting of regulatory power to the Agency.

The Agency is required to conduct a formal notice and comment process on the proposed regulations, which creates a high likelihood of future changes. However, some of the more complex proposed obligations – particularly regarding the exclusion of sales and sharing – will require significant preparation, planning and budget to implement. Since the rules are unlikely to be finalized yet before the CPRA’s effective date of January 1, 2023, companies should start planning their overall vision now.

Range of topics covered

Enlarge image

The draft regulations do not set out any specific rules regarding the handling of personal information relating to privacy claims of employees or individuals who interact with a business in a business capacity. They also do not specify the new requirement for a company to disclose in its privacy policy its practices related to the retention of personal information or other matters set out in the grant of regulatory authority. [Civ. Code § 1798.185(a)]including cybersecurity audits, privacy risk assessments and automated decision making.

Key points to remember

It will take a long time for the business and legal teams to fully digest the implications of this long project and begin to strategize on a plan to operationalize the concepts while allowing room for inevitable changes before regulations become final. . On first reading, however, some themes and likely operational challenges emerge:

  • Emphasis on user-friendly presentation of privacy options. The draft rules offer a detailed view of how a consumer should experience the privacy choice process, including requiring the process to be “easy to understand”, prohibiting “dark patterns”, requiring a ” symmetry in choices” and prohibiting manipulative language. This would create significant leeway for the Agency to take action against companies based on subjective judgments on their websites. Additionally, companies are likely to encounter tensions between this principle and the complex requirements related to website disclosures and pop-ups described below.
  • Rules of the game guided by consumer expectations. Businesses would be limited to using personal information in a manner “consistent with what an average consumer would expect,” but the proposed rules shed little light on how average consumer expectations should be determined. Some illustrative examples suggest – but do not explicitly state – that expectations would be determined by the nature of the products and services that the company provides to the consumer, which means that the disclosure of a data processing practice in a privacy policy confidentiality would not be sufficient to create an expectation if the processing is not essential to the supply of the product and service.
  • Confusion over whether the law is opt-out or opt-in. The CCPA/CPRA is an opt-out law; consent is only required for the sale or sharing of personal information relating to consumers under the age of 16 or secondary use undisclosed at the time of collection. But, the proposed rule that would require that “the collection, use, retention and/or sharing” be reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or otherwise processed” appears to require consent. voluntary for many collections of sensitive personal information and the sale of personal information. The examples offered to demonstrate the rule suggest that explicit consent would be required for the collection of geolocation information via a mobile application, the sale of geolocation information and the disclosure of a customer mailing list in a way that it would be used to market the products and services of other companies. This interpretation has significant implications; it is difficult to see how most, if not all, sales of personal information may be “necessary” to provide products and services.
  • The user experience of the website is likely to become clumsier. Various provisions would require new pop-ups, links, and disclosures that could significantly alter the user experience on websites and in stores — and many of these features push the legal framework toward opt-in. For example, although the CCPA/CPRA does not require a company to require a user to accept cookies, the proposed regulations state that, according to the rule of symmetry, cookie banners must offer both options of acceptance and refusal. See § 7004(A)(2)(C). The company must disclose in its privacy policy how a consumer can use an opt-out preference signal [§ 7011(e)(3)(F)] and display to a user whose browser sends such a signal whether it has been honored [§ 7025(c)(6)]. Requirements for providing privacy disclosures are also detailed. For example, the draft provides that the “notice of collection” provided at or before the point of collection cannot be satisfied by a link to the full privacy policy; a company should deep link to the specific section of its privacy policy that provides the relevant information [§ 7012(f)], and this link must be provided “near” the fields where the information is sought or the submit button. § 7012(c)(2). These website and disclosure requirements can effectively set national or global standards; it may not be possible for the Companies to comply with these obligations solely for visitors to the California Website.
  • Strengthening downstream accountability. Sections 7051 and 7053 outline the requirements that would apply to supplier contracts. It should be noted that the draft would apparently create a new obligation for companies to perform due diligence on service providers, contractors and third parties. 7051(e) (“[w]If a company exercises due diligence with respect to its service providers and subcontractors, it determines whether the company has reason to believe that a service provider or subcontractor is using personal information in violation of the CCPA and these regulations. “); § 7053(e) (similar). Contracts with service providers, contractors and third parties would also be required to state the “specific” purpose for disclosing personal information, and this statement cannot be “in generic terms”, which could mean that companies must undertake significant work to update § 7051(a)(1) contracts; § 7953(a)(1).

Other noteworthy provisions

  • The project would create new definitions for squishy terms such as “disproportionate effort” and “frictionless manner”. §§ 7001(h), (k). While perhaps useful in theory, these definitions seem to have little basis in actual business operations.
  • Deny sell and/or share requests do not need to be verifiable and must be disclosed to third parties. §§ 7026(d), (f).
  • Section 7050(c) would clarify that an entity that contracts with a company to provide targeted advertising, i.e. “cross-context behavioral advertising”, cannot be a service provider, but rather a third party, and this sharing is subject to the -outside option.
  • Similarly, a self-service cookie management control process alone would not be sufficient to make sell and/or share opt-out requests, because a cookie tool deals with the sharing and not selling. § 7026(a)(4).
  • Companies would be required to list in their privacy policies the names of all third parties that the company permits to collect personal information from the consumer, which would include the names of all third parties who place cookies on the website of the company. § 7012(g).
  • If a business receives a request to correct information it has received from a consumer data broker, it must both correct the information and ensure that it is not replaced with inaccurate information subsequently received. of the data broker. [See § 7023(c).] The business must also disclose the name of the data broker who provided the inaccurate information to the consumer. § 7023(i).

What happens next

Although CPRA requires CAPP to finalize the regulations by July 1, 2022, the state’s protracted efforts regulatory process means final regulations are unlikely before January 2023, if not later. The Agency’s next public meeting is scheduled for June 8, 2022, and she listed the discussion of the draft regulations on Agenda.

California's first draft privacy regulations focus on opt-out rights and disclosures

Enlarge image