CPPA Releases Draft Regulations of CPRA
On May 27, the California Privacy Protection Agency (CPPA) Board announced that it will hold a public meeting on June 8, 2022 to discuss proposed changes to, and enforcement of, the California Consumer Privacy Act of 2018 (CCPA)—as amended by the California Privacy Rights Act of 2020 (CPRA). A draft proposal of the proposed changes to CCPA/CPRA reflects information gathered by the CPPA via several stakeholder listening sessions held in late 2021 through early 2022. Analysis by IAPP notes that the draft proposal cover only “a handful of the 22 regulatory topics the CPPA set out to address[.]” Here are the changes to watch:
Restrictions on the Collection and Use of Personal Information
Under draft § 7002, when a business collects, uses, retains, and/or shares a data subject/consumer’s personal information, it must be for a “reasonably necessary” purpose. This requires that data controllers’ activities be consistent with the purposes given to data subjects at the time of collection.
If the collection, use, retention, and/or sharing does not fit within this defined category of information, then the business must obtain consumers’ express consent to collect or process their information.
Requirements for Disclosures and Communications to Consumers
Under draft § 7002, the CPPA requires that any disclosure or communication given by the business to a consumer be “easy to read and understandable.” In pursuit of this requirement, the draft further requires businesses consider smaller screens, the language that is used, and potential consumer disabilities.
Additionally, the business must provide a “conspicuous link” for disclosures or communications—one that is substantially similar in size and color to other links on their website or mobile application.
Requirements for Opt-Out Requests
Under draft § 7004, businesses must “design and implement methods for submitting CCPA requests and obtaining consumer consent,” that:
Are easy to understand, in accordance with draft § 7002;
Present equal, or simpler, steps for the process of opting-out of a business’s engagement or collection of their personal information as those presented for opting-in to the collection of their data;
Avoid language that can be confusing, such as “Do Not Sell or Share My Personal Information[,]” or “interactive language[,]” like toggles or “on” or “off” buttons;
Avoid “manipulative language[,]” such as “No, I like paying full price, and avoid manipulative choice architecture, like requiring consumers to click through reasons for not opting out; and
Are easy to execute, and avoid “unnecessary burden or friction to the process by which the consumer submits a CCPA request.”
Privacy Policy
Under draft § 7011, the initial requirements of a privacy policy are expanding to require:
A “comprehensive description” of organizations’ online and offline practices for collecting, using, selling, or retaining a consumer’s personal information;
An explanation of consumers’ rights as conferred by the CCPA;
An explanation of how consumers can exercise those rights; and
The date that the privacy policy was last updated.
Notice of Right to Limit Sensitive Personal Information
Under draft § 7014, data controllers must provide consumers with two separate links to a “Notice of Right to Limit” the use and disclosure of their sensitive personal information. Data controllers may also decide to instead provide consumers with a compliant opt-out link, as governed by draft § 7015.
Under draft § 7027, a business which collects a consumer’s sensitive personal information must only use it for purposes that are “necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services[.]” If the business uses or discloses sensitive personal information for purposes other than this, it must provide the consumer with “two or more designated methods for submitting requests to limit[,]” the access to such uses.
Requests to Delete
Under draft § 7022, following receipt of a verifiable request to delete from a data subject/consumer, businesses are required to notify their service providers, contractors—and all third parties that have purchased or received the data subject’s data—of their duty to delete the data subject’s personal information.
Requests to Correct
Under draft § 7023, following receipt of a verifiable consumer request to correct their personal information collected or retained by a business, the business is instructed to “consider the totality of the circumstances” relating to the personal information that is the subject of the request. If the business determines that the contested personal information is more than likely not accurate, then the business may deny this request.
However, if a business determines that a correction is warranted, the business must make the correction in their system, as well as notify all service providers or contractors, as well as all third parties that have purchased or received, of their requirement to correct the consumer’s personal information
Opt-Out Preference Signals
Under draft § 7025, businesses must comply with the section’s requirements, intended to provide “a simple and easy-to-use method by which consumers interacting with businesses online can automatically exercise their right to opt-out of sale/sharing.”
Contract Requirements for Third-Parties
Under draft § 7051, the CCPA outlined requirements for the contracts that businesses enter into with service providers and contractors. Amongst the requirements, the CCPA requires identification of the “specific business purpose(s) and service(s) for which the service provider or contractor is processing personal information on behalf of the business[,]” and a prohibition on these parties from “retaining, using, or disclosing the personal information received from, or on behalf of, the business for any purposes other than those specified in the contract.”
Under draft § 7053, businesses are required to enter into a contractual agreement with third-parties to which they sell or share consumers’ personal information. The draft notes that third-parties must “comply with all applicable sections of the CCPA[,]” and “[g]rants the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.”
Investigations and Enforcement
According to this Mondaq article, the draft amendments establish “a new, increased, and fast tracked form of compliance monitoring and action that could be surprising to many companies—and costly.” Although the draft does not establish a private right of action, under draft § 7300, a consumer who believes a covered organization has violated the CCPA would be permitted to file a complaint with the CPPA that identifies, among other things, the offending entity and stated facts of the allegation.
Upon receipt of a consumer complaint, the CPPA must notify the consumer in writing of the actions the CPPA has taken—or intends to take—in response to the complaint. This creates a requirement that each complaint be reviewed, considered, and addressed by the agency—regardless of the merit of the claims. This may result in increased investigative efforts by the agency and increased response requirements by organizations that have become the subject of such consumer complaints.
Additionally, draft section § 7301 provides that the CPPA may pursue any sworn, unsworn, or anonymous consumer-filed complaints at their discretion. Therefore, organizations may be faced with response requirements from complaints which have not even been verified by the CPPA.
Under draft section § 7302, if the CPPA believes that a violation of the CCPA has occurred, the CPPA may initiate a proceeding against the alleged violator. Alleged violators may make a written request to the CPPA–within 10 days of the proceeding–that it be made public.
As the Mondaq article points out, in this proceeding, “the CPPA serves as prosecutor and arbiter, and the draft rules do not define how the agency preserves its neutrality in its latter role.” Despite this, the CCPA outlines that the CPPA may assess an alleged violation of the Act under the “probable cause” standard — requiring that the “evidence supports a reasonable belief that the CCPA has been violated.” The draft further provides that “[t]he Agency’s probable cause determination is final and not subject to appeal.”
The draft does not address the penalties that may be assessed, so it can be assumed that those permissible under the CCPA will be applied to the draft—including an administrative fine of no more than $2500 per violation and no more than $7500 for each intentional violation, including those involving a minor.
Although the announcement only states that the draft regulations will be discussed at the next meeting, the Mondaq article points out that this draft release “puts companies doing business in California in a difficult position.” The CPRA requires a final version of the CPPA be issued by July 1, 2022. However, the state’s rulemaking process indicates that “final regulations are unlikely until January 2023, if not later.” Therefore, businesses must decide whether or not they should initiate compliance efforts now, or wait for a final version of the regulation to be released.
* * * * * * *
To read our coverage on our Polymorphic Encryption explainer and how businesses can utilize this technique for data security, click here.
For ADCG’s Breach Report and more news updates discussing: Cybersecurity and Infrastructure Agency’s alert to federal agencies to 75 new additions to its new Known Exploited Vulnerabilities Catalog; Verizon’s release of its annual Data Breach Investigations; Mexico’s National Institute for Transparency, Access to Information and Personal Data Protection releases an ethical guide for using AI to process personal data; and VPN providers leave India over new law, click here.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
Stay tuned for this week’s in-depth discussion on Cybersecurity and Data Governance. Our Podcasts are released every Thursday, here. They can also be enjoyed on Spotify and Apple Podcasts. Don’t forget to subscribe!