The California Privacy Rights Act (CPRA) established the California Privacy Protection Agency (CPPA), and requires the CPPA to adopt, amend, and rescind regulations on 22 topics — including, among other things, definitions, exemptions, technical specifications for opt-out preference signals, automated decision-making, cybersecurity audits and risk assessments, record keeping, and monetary thresholds for “business” eligibility — to carry out the purposes and provisions of the CCPA. Final regulations must be adopted by July 1 or within six months of the CPPA providing the attorney general with notice that it is prepared to assume rulemaking responsibilities, which the CPPA did on October 21, 2021.
On May 27, the CPPA issued a selection of the draft regulations to be discussed at an upcoming meeting scheduled for June 8. This initial draft does not cover the entirety of the 22 topics the CPPA must address. In this initial draft, the regulations address the following:
Right to Correct
Under the draft rules, a business may consider the “totality of the circumstances relating to the contested personal information” when determining if the contested personal information is more likely than not to be accurate. Businesses that comply with a consumer’s request must instruct all service providers and contractors that maintain the personal information to correct the personal information as well. Consumers may provide documentation relating to the accuracy of their personal information.
Opt-Out Preference Signals
Under the draft rules, businesses must abide by opt-out preference signals. If a business posts “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links, then the business can respond to opt-out preference signals in a nonfrictionless manner. Otherwise, the business must process opt-out preference signals in a frictionless manner. “Frictionless” means not charging a fee, not changing the consumer’s experience, and not displaying a notification, pop up, text, graphic, video, or any interstitial content in response to the opt-out preference signal.
Notice at Collection
The draft regulations require businesses to enhance existing Notice at Collection requirements to provide a list of categories of sensitive information collected, whether personal information is sold or shared, the length of time a business intends to retain each category of personal information, a link to the notice of right to opt out of sale/sharing, and any names of third parties that control the collection of personal information.
Consumer Consent
The draft regulations require a business to design and implement methods for submitting CCPA requests and obtaining consumer consent that incorporates certain principles. These principles include that the process is easy to understand, may not require more steps than that business’s process for a consumer to opt in to the sale of personal information after having previously opted out, requires symmetrical choice, avoids confusing language or interactive elements, avoids manipulative language or choice architecture, and must be easy to execute. The draft regulations state that a method that does not comply with these principles may be considered a dark pattern, and any agreement obtained through the use of dark patterns shall not constitute consumer consent.
Sensitive Information
The CPRA introduced the concept of sensitive personal information. Under the CPRA, consumers may limit how their sensitive personal information is processed. A business must provide notice of such processing and allow consumers to restrict the businesses’ processing to the permissible purposes through a “Limit the Use of My Sensitive Personal Information” link. The draft regulations provide requirements on these notice and link requirements.
Troutman Pepper will closely monitor any CPPA developments in the coming weeks, as things will surely change within the coming months.
