On October 17, 2022, the California Privacy Protection Agency (“the Agency”) announced proposed modifications to the draft regulations for the California Privacy Rights Act (CPRA) that were published on July 8, 2022. The draft regulations expanded on the text of the CPRA, setting out a number of additional requirements regarding obtaining consumer consent, supporting the exercise of consumer rights, contracting with service providers, contractors and third parties to share data, and increasing transparency in privacy notices provided to consumers.
This legal update summarizes a few key changes from the initial proposed CPRA regulations. While the CPRA regulations are still not final, the latest revisions will be valuable as businesses prepare for the CPRA’s effective date of January 1, 2023, and enforcement start date of July 1, 2023.
Among other changes, key modifications to the draft regulations include:
Simplified privacy notice requirements when collection involves third parties.
As initially proposed, the draft regulations added potentially cumbersome and duplicative disclosure requirements when a third party is involved. The latest version walks back a few of these obligations.
First, the Agency removed the requirement that a business’s privacy notice list all third-party names. This change aligns with the CPRA, which only requires a business to disclose the categories of third parties.
Second, the Agency aligned requirements for parties providing notice to harmonize with the joint controller approach under the GDPR. This allows the first-party and third-party controller to allocate responsibility for compliance amongst themselves, rather than having each party provide a separate notice. Assuming this change is adopted as is, companies that already comply with the GDPR may already have processes in place to help comply with this CPRA requirement.
Clarified expectations for the size of the alternative opt-out logo to better align with website designs.
The initial draft of the regulations set out a series of specifications on the format for presenting opt-out options to consumers. This included a requirement that an alternative opt-out link be an icon that is the same size as all other logos on the business’s website.
Recognizing that this proposed regulation would create a challenge for businesses that use icons of different sizes and, as a result, would require tailoring the logo for each page, the Agency revised the draft regulation to set the size requirement as approximately the same size as other icons used in the “header or footer” of the business’s webpage.
Removed the proposed “average consumer” standard and added factors for determining the reasonableness of the collection of personal information.
A significant area of commentary on the draft regulations has been the “average consumer” standard. Deviating from the CPRA text that evaluates collection based on the reasonableness of a business’s processing activities and transparency, the Agency proposed in the draft CPRA regulations that a business’s collection and use of consumer personal information be consistent with what “an average consumer would expect.”
The new revisions remove this standard and in its place set out factors for evaluating the collection or processing. These factors include the business’s relationship with the consumer, the source and method for collecting or processing personal information, the type, nature and amount of personal information collected or processed, the nature of disclosures provided to the consumer, and a consumer’s likely awareness of the involvement of other parties.
The examples accompanying the factors also indicate the Agency’s interest in data sharing that it believes a consumer would consider unexpected. For instance, the examples propose that a consumer may not expect a business to use information it received for a product or service offered by the business’s subsidiary.
Expanded on the standard for assessing when a business does not have to honor consumer requests.
With the latest revisions, the Agency has added on to its proposed definition of “disproportionate effort,” which is used throughout the regulations to address when a business may not have to honor a consumer’s request to exercise their rights under the CPRA.
To start, the Agency has clarified that the standard applies to service providers, contractors, and third parties, and requires that these entities report back to a business when they cannot respond to a request. The Agency also has proposed factors that weigh into the evaluation of whether a “disproportionate effort” is present, such as the size of the business, the nature of the request, and technical limitations.
These changes align with modifications elsewhere in the draft regulations that limit businesses’ obligations to restore archived data in order to honor right-to-correct requests.
Removed the five-business-day notice requirement for third-party and service provider contracts.
As businesses begin to reassess their third-party, service provider, and contractor agreements, a key change to consider is the removal of the requirement that contracts mandate that these entities notify a business within five business days if the entity cannot comply with relevant CPRA obligations. This change should give businesses flexibility when setting deadlines in their contracts.
However, as the Agency did not propose modifications to the other proposed contractual requirements, it may be advisable for companies to begin evaluating their existing contracts and changes that could be needed should the regulations go into effect as they are.
Added an exception to limits on use of sensitive personal information.
The draft regulations lay out a series of exceptions to when a business need not offer consumers a right to limit the use of their sensitive personal information (e.g., precise location, government identification numbers, and health data). The revisions propose a new exception for when the sensitive personal information is used for purposes “that do not infer characteristics about the consumer.”
The draft gives the example of using information about a person’s medical condition when the person searches for it. However, if the company uses such information for a purpose beyond performing the search, the company would be expected to comply with right-to-limit requests.
The Agency has not yet announced an opportunity for additional comments on these modifications. But an opportunity may develop in the coming weeks as the Agency plans to discuss and take action on these modifications during a scheduled board meeting on October 28 and 29. As such, businesses should continue to monitor for further changes.
Even though the regulations continue to be a work in progress, businesses subject to the CPRA should begin evaluating next steps for their compliance program, taking into account these latest modifications, which look like they are close to final.