On July 8, the California Privacy Protection Agency Board (CPPA, Agency or Board) announced the Notice of Proposed Rulemaking (NPRM), which begins the 45-day comment period for the draft regulations. As we previously reported, the California Privacy Rights Act (CPRA) draft regulations were released on May 27, and we had a heads-up about this rulemaking process. We have also previously reported on the Road Map for CPRA Compliance. As the official 45-day comment period kicks off, this article covers what you need to know about the draft regulations as they were discussed by the Agency during its last public Board meeting and covered in the NPRM, including what we can expect in terms of enforcement. You can also access here the recording of the interview Jeewon Kim Serrato conducted on June 30 to hear Executive Director Ashkan Soltani and Acting General Counsel Brian Soublet discuss the rulemaking process and what the CPPA seeks to accomplish with the regulations.
On June 8, 2022, the Board voted to approve the draft regulatory text, authorized the initiation of the rulemaking process, and did a walk-through of the draft regulations to explain the goals and reasoning behind them. The following Board members were in attendance: Chairperson Jennifer M. Urban, Vinhcent Le, Angela Sierra and J. Christopher Thompson. Supervising Deputy Attorney General Stacey Schesser and Deputy Attorney General Lisa Kim assisted in putting together the draft regulations, acting as counsel for the Agency, and presented an overview of the draft regulatory text.
The Board explained that the rulemaking process is different for agencies that are not governed by boards. For an agency that is not governed by a board, the draft rules are published with the formal rulemaking process. However, the CPPA is an agency governed by a board, and the Bagley-Keene Open Meeting Act applies to CPPA’s board meetings. Therefore, all CPPA Board meetings are public and all the materials provided by the CPPA to the Board will also be released to the public, which is why the Board released the draft copy on May 27 in anticipation of its June 8 meeting.
The main agenda for the Board meeting was to consider the motion to start the formal rulemaking process. On June 8, the Board passed the motion to start the formal rulemaking.
The Board introduced the attorneys from the Office of the Attorney General of California who have been assisting it in putting together the draft proposed regulations and the Initial Statement of Reasons (ISOR) and have been acting as counsel for the Agency. The Board specifically introduced Deputy Attorney General Lisa Kim and Supervising Deputy Attorney General Stacey Schesser to present a walk-through of the draft regulations.
According to the CPPA, the draft regulations do the following three things:
- Update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA;
- Operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and
- Reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.
Deputy Attorney General Kim walked through the first eight articles of the draft proposed regulations and Supervising Deputy Attorney General Schesser went through Article 9, which covers investigations and enforcement.
Walk-through of the Draft Proposed Regulations
The CPPA highlighted key definitional changes contained in the draft regulations. One of the most significant changes to note is that the draft proposed regulations have replaced the term “affirmative authorization” with “consent.” This was cited by the CPPA as an example of updating the CCPA regulations to align the regulations to the CCPA as amended by the CPRA.
Proposed Regulations § 7002 was provided as an example of how the Agency has restated and reorganized the law to aid in understanding. Proposed Regulations § 7002 pertains to data minimization and purpose limitation, which are new requirements introduced in Civ. Code § 1798.100. According to the Agency, the provisions for data minimization and purpose limitation were brought over into the draft proposed regulations to help businesses understand what is required of them when it comes to collecting only information that is necessary and proportionate to the purpose. According to the Agency, the CPRA amendments now restrict businesses from collecting, using, retaining, and sharing consumer personal information in a manner that is inconsistent with consumer expectations, unless they obtain the consumer’s explicit consent. This is significant because the CCPA, along with all of the other US privacy laws, has been characterized as requiring notice and opt-out but not consent. We expect the proposed regulations in this area to receive significant feedback from the industry and thought leaders.
As an example of introducing new concepts, the Agency also pointed to Proposed Regulations § 7004. Here, per the Agency, the draft proposed regulations have clarified that obtaining a consumer’s agreement through the use of dark patterns would not constitute “consent” within the meaning of the law. Further, the draft proposed regulations provide details about what constitutes a “dark pattern” and set forth some examples of “dark patterns.”
Per the Agency, Proposed Regulations § 7003 is another example of restating and reorganizing, which sets forth all the disclosure requirements to consumers in one place.
The draft regulations describe how businesses deliver disclosures to consumers. The Agency emphasized that disclosures should be easy to read and contain plain, straightforward language. Websites and mobile applications should contain conspicuous links pointing consumers to mandated disclosures. Further, the draft proposed regulations introduce the concept of “symmetry in choice”—the idea that a consumer’s exercise of a more privacy-protective option shall be no more difficult or lengthy than the exercise of a less privacy-protective option.
The CPPA also discussed changes to Article 2, which set forth the substance of consumer disclosures. Here, the Agency is proposing to update the CCPA regulations to align them to the new language of the law. The requirements for the notice at collection have been updated in the draft proposed regulations, especially as the requirements pertain to third parties collecting personal information (PI). The draft regulations require businesses to provide a notice at collection for third parties that are controlling collection and require a notice of collection informing consumers of their right to opt out of the selling or sharing of their PI. The Agency noted that some of the new concepts introduced in Article 2 are related to the right to “Limit the Use of My Sensitive Personal Information”. Per the Agency, the draft proposed regulations operationalize this requirement.
The Agency discussed the section on the privacy policies as an example of how the draft regulations reorganize and restate the law. Deputy Attorney General Kim said that while “it looks like a lot of red,” not much has changed substantively and it is mostly “reorganization to map out or to follow the organization in which most businesses put their privacy policies together currently so that it is easier for the public and businesses, in particular, to understand what is required to be in the privacy statement.”
Practices for Handling Consumer Requests
Article 3 is about the business practices for handling consumer requests. Per the Agency, this was previously the section that set forth the methods, timelines and specifications for the CCPA requests consumers make to businesses. According to the Agency, the draft proposed regulations have been extended to include the right to opt out of sharing of PI in addition to the right to opt out of sale of PI, and have updated the methods by which consumers can submit their CCPA requests to align with the changes that were made to the law.
Per the Agency, the draft proposed regulations also clarify that the right to know and right to delete no longer apply to household information because of the change made by the CPRA amendments to the CCPA.
Article 3 also operationalizes the new rights introduced by the CPRA, specifically the right to correct as well as the “right to limit the use of sensitive information.” The draft proposed regulations have noted the methods that can be offered by the businesses with regard to submitting those requests as well as the timelines for the response(s).
The Agency cited the opt-out preference signal as an example of how the regulations operationalize the requirements in the statute. The Agency referenced the authority given under Civ. Code §§ 1798.185(a)(19) and (a)(20) to set forth the requirements for the opt-out preference signal. According to the Agency, this section has often been misunderstood. Proposed Regulations § 7025 clarifies existing opt-out requirements and sets forth the requirement for businesses to honor the opt-out preference signal. The draft regulations clarify that not only must businesses process opt-out preference signals as a valid request to opt out of a sale/share, but they must also explain how an opt-out preference signal will be processed and how the consumer can use it.
With regard to the reorganization that was made in Article 3, the Agency cited the “right to limit the use of sensitive personal information” as an example of how those concepts were consolidated in the draft regulations.
Contract Requirements for Service Providers, Contractors and Third Parties
Article 4 deals with service providers, contractors and third parties. According to the Agency, the draft proposed regulations update the CCPA regulations to align with the CPRA amendments to the CCPA as they relate to service providers, contractors and third parties. Significantly, the draft proposed regulations clarify the requirements that apply to contractors. “Contractors” is a new group of persons that was introduced via Proposition 24 (the CPRA amendments to the CCPA).
The draft proposed regulations introduce, reorganize and restate, as applicable, all the contractual requirements for service providers, contractors and third parties, and put them all in one place.
One of the most significant changes clarified by the Agency is the requirement that businesses enter into contracts not only with their service providers and contractors but also with third parties to which they sell or share PI. These contracts must identify the specific purpose for which PI is sold and must limit the third party’s ability to use the PI for any other purpose. These contracts also must grant the business the right to ensure the third party’s CCPA compliance and to remediate any unauthorized uses of PI. The draft proposed regulations further clarify that a service provider or contractor cannot contract with a business to provide cross-contextual behavioral advertising.
Verification, Special Rules for Consumers Under the Age of 16, Nondiscrimination, and Training and Record Keeping
According to the Agency, the edits to Articles 5 through 8 are to align the draft proposed regulations with the CPRA amendments to the CCPA.
Investigations and Enforcement
Article 9 was covered by Supervising Deputy Attorney General Schesser.
According to the Agency, these provisions outline what is required in the public complaint to the Agency that leads to an investigation, as governed by Civ. Code § 1798.199.45. The Agency described additions to the draft proposed regulations relating to requirements for sworn complaints submitted to the Agency. Notably, a complaint must (1) identify the entity or person who allegedly violated the CCPA, (2) state the facts and evidence in support, (3) allow the alleged violator and the Agency to communicate regarding the complaint, (4) provide the name and contact information of the complainant, and (5) be signed under penalty of perjury.
Article 9 then goes on to outline how the Agency can open its own investigations based on its own determinations. The draft proposed regulations set forth the probable cause proceedings that will take place following the submission of a sworn complaint. A probable cause hearing is a threshold procedural requirement before the administrative enforcement process may begin; it is codified in the CPRA amendments to the CCPA in Civ. Code § 1798.199.55 and is a prerequisite for the Agency’s administrative enforcement process. A probable cause determination is not a final decision on the merits of the entire investigation. It is a preliminary hurdle that must be cleared to proceed with the enforcement action. The process for conducting an administrative hearing that follows a probable cause finding is found in the California Administrative Procedure Act, starting at Government Code § 11500. Since the process for conducting an administrative hearing is highly detailed, per the Agency, there is no need for further regulations in this area. These informal proceedings are generally closed to the public. Following the proceeding, Agency staff shall issue a written decision with their probable cause determination and serve it on the alleged violator.
Article 9 also establishes regulations for how the Agency resolves an investigation through the filing of a stipulated order entered by the court (e.g., if the parties were to reach a resolution without an administrative hearing).
Article 9 lays out the Agency’s audit authority pursuant to Civ. Code § 1798.185(a)(18). An audit is an investigatory tool similar to an administrative subpoena; Article 9 covers how a subject is selected for audit and how any PI shall be protected under the existing legal framework for a state agency.
Notice of Proposed Rulemaking
As outlined in the NPRM, the 45-day public comment period begins on July 8. All written comments must be submitted to the Agency for consideration by August 23 and public hearings will be held on August 24 and 25. The NPRM includes a summary of the CCPA and the CPRA amendments to the CCPA, which includes a list of what the businesses must do to comply. It also outlines the areas where the regulations will promulgate new rules and confirms that rules relating to cybersecurity audits, risk assessments or automated decision-making technology are not within scope in this round of rulemaking.
Interesting to note in the NPRM is the cost impact to businesses, as calculated by the Agency. The Agency estimates that the proposed regulations will have a cost impact of $127.50 per business. According to the Agency, this represents the labor cost of updating certain website information to comply with the proposed regulations.
Interested parties can sign up for the CPPA email list here to receive notifications regarding the rulemaking. The FAQ that is also published on this page answers some of the most commonly asked questions about the rulemaking process.
Our Digital Assets and Data Management Practice Group will continue to follow the rulemaking.