There has been a whirlwind of activity over the past year as states enact and implement comprehensive consumer privacy laws. Starting with the passage of the California Consumer Privacy Act (CCPA) in 2018, which became effective in 2020, the US state privacy legal landscape has continued to develop rapidly. New comprehensive privacy frameworks are set to come into effect in California, Virginia, Colorado, Utah, and Connecticut in 2023. As we described in our Legal Update State Privacy Law Roundup: Developments in California, Virginia and Colorado, covered businesses, privacy advocates, and other interested spectators have been (patiently) waiting for regulations to be promulgated for guidance about how these laws will be enforced. Our latest state law roundup reviews what has been happening in our “laboratories of democracy.” Thanks to some particularly active state enforcement authorities in California and Colorado, we now have draft rules and regulations that clarify, and in some ways expand, the requirements under those states’ forthcoming privacy laws. Moreover, the California Attorney General’s office (CA AG) has announced the first public settlement of an enforcement action for violations of the CCPA. This Legal Update provides an overview of these recent developments.
I. California and the CPRA
The California Privacy Rights Act (CPRA), which amends the CCPA, is set to take effect on January 1, 2023. Enforcement is effective on July 1, 2023. Notably, the CPRA:
- Creates a new category of “sensitive personal information,” the use of which must be disclosed to consumers and limited at the request of consumers
- Enhances the consumer opt-out right, with an emphasis on targeted advertising
- Creates a new consumer right to correct inaccurate data
- Creates the California Privacy Protection Agency (CPPA), which is charged with administering, implementing, and enforcing the law
On May 27, 2022, the CPPA released draft CPRA regulations. The 66-page draft CPRA regulations redline against the CCPA regulations from August 2020. Key takeaways from the draft CPRA regulations include:
- Adding a broad data minimization obligation that requires businesses to process consumers’ personal information in a way that is “reasonably necessary and proportionate” to the original purpose for collection based on what an “average consumer” would understand
- Enabling businesses to respond to consumers’ “opt-out preference signals” in a frictionless manner as an alternative to providing consumers with an opt-out link
- Modifying and supplementing the required contractual obligations for “service providers,” “contractors,” and “third parties” as related to their use of personal information
- Operationalizing new consumer rights to correct inaccurate personal information and to limit the use and disclosure of sensitive personal information
- Defining “dark patterns” and clarifying that businesses must present consumers with, among other things, “symmetry in choice” (which amounts to clear and not misleading choices related to the processing of their personal information)
On August 24, 2022, the CA AG announced the first public settlement of an enforcement action against a retail company for alleged CCPA violations. This $1.2 million settlement and injunction focused on the global beauty retailer’s alleged failure to disclose that it was “selling” consumers’ personal information via the use of third-party analytic cookies. The enforcement action makes clear to companies that the broad definition of “sale” under the CCPA and CPRA includes making personal information available to cookie and other tracker providers as part of digital advertising. (For more on the enforcement action, please see our Legal Update CA Attorney General Says ‘The Kid Gloves Are Coming Off’; Announces $1.2M Settlement with Retail Co. for CCPA Sales Violation.)
August 31, 2022, marked the end of the California legislative session. Much to the chagrin of many companies operating primarily in the business-to-business (B2B) space with a correspondingly limited universe of personal information collection, the California legislature failed to enact a bill to extend the partial exemptions of B2B and human resources (HR) personal information from the scope of the CCPA and CPRA. Accordingly, on January 1, 2023, the partial exemptions will lapse, and B2B and HR personal information will be subject to the same strict requirements that regulate the personal information of other consumers under California privacy law. Therefore, companies have just a few months to amend their data collection and processing policies and procedures to account for employees, contractors, job candidates, and B2B contacts.
II. Colorado and the CPA
The Colorado Privacy Act (CPA) is set to take effect on July 1, 2023. (For more on the CPA, please see our Legal Update Colorado’s New Data Privacy Law: Comparing to Other States and Looking Ahead.) As a refresher, the CPA notably requires opt-in consent for the processing of sensitive data, allows district attorneys—in addition to the Colorado Attorney General (CO AG)—to enforce the statute, and requires data controllers to implement a “universal opt-out mechanism” by July 1, 2024, similar to the CPRA.
On September 30, 2022, the CO AG’s office published draft CPA rules. The 38 pages of proposed rules touch on many of the novel concepts discussed in the draft CPRA regulations, such as dark patterns and opt-out preference signals. The draft CPA rules also clarify a number of requirements that will be familiar to followers of the US state privacy laws in Virginia, Utah, and Connecticut that, like the CPA, share similarities with the EU General Data Protection Regulation (GDPR), including the nomenclature of “data controllers” and “data processors.” Key takeaways from the draft CPA rules include:
- Explaining prescriptive requirements for privacy notices, including requirements that the notices specifically describe the controllers’ purposes for processing consumers’ personal data and the categories of personal data tied to each purpose
- Providing technical and other specifications for the universal opt-out mechanism, which controllers must operationalize by July 1, 2024
- Expanding the category of sensitive data, for which controllers must obtain consumer consent to process, by creating the concept of “sensitive data inferences” (essentially, inferences that a controller makes based on other personal data that can reveal sensitive data about the consumer)
- Describing the minimum content requirements for data protection assessments, which controllers must conduct before initiating data processing that presents a heightened risk of harm to consumers, including for profiling
- Defining and prohibiting the use of “dark patterns” (similar to the draft CPRA regulations)
The draft CPA rules became open for public comment on October 10, 2022. The CO AG’s office will hold three stakeholder meetings on November 10, 15, and 17 of this year, as well as a public hearing on February 1, 2023.