On the Friday afternoon heading into the U.S. Memorial Day weekend, the California Privacy Protection Agency (CPPA or Agency), the new state privacy agency established under the California Privacy Rights Act (CPRA), published draft proposed regulations (Draft Regulations) ahead of its June 8, 2022, Board meeting.
The Draft Regulations would make a significant number of changes to the CCPA regulations. We focus here on five of the most notable observations:
- Mandatory Global Privacy Controls
- Enhanced Expectations to Prevent Dark Patterns
- Burdensome Requirements vis-à-vis Third Parties, Service Providers, and Contractors
- Broad Agency Enforcement Authority
- Operationally Significant Items Remain Unaddressed
Mandatory Global Privacy Controls
The Draft Regulations take a clear position on the debate of whether the CPRA requires businesses to accept opt-out preference signals: § 7025 of the Draft Regulations would specifically require businesses to accept any “opt-out preference signal” that is in a format commonly used and recognized by businesses (such as an HTTP header field) and that makes clear to consumers that it has the effect of opting the consumer out of sale and sharing of personal information. The opt-out preference signal would not need to mention California or be specific to California.
Businesses would be able to choose whether to process opt-out preference signals in a “frictionless manner.” The Draft Regulations define “frictionless manner” to mean that the business does not (i) charge a fee for use of the opt-out preference signal; (ii) change the consumer’s experience on account of the opt-out preference signal; or (iii) display any message in response to the opt-out preference signal other than a confirmation of whether an opt-out has occurred or another permitted message.
Businesses that respond to opt-out preference signals in a frictionless manner would be able to omit the “Do Not Sell or Share My Personal Information” and “Limit Use of My Sensitive Personal Information” links if they meet certain conditions, including that the opt-out preference signal fully effectuates the consumer’s request to opt out across the business’s entire operations, both online and offline.
The CPPA did not expressly state which signals need to be accepted.
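The following is an added example, not code from the article or the Draft Regulations, showing how a business's web tier could recognize a header-borne opt-out preference signal and derive the consumer's sale/sharing opt-out state from it. It assumes the signal is the Global Privacy Control header `Sec-GPC: 1` (the article only says "an HTTP header field"; the header name and value come from the GPC specification), and the stored consumer record shape is constructed for the example.

```javascript
// Added example (not from the article): recognize an opt-out preference
// signal sent as an HTTP header and derive the sale/sharing opt-out state.
// Assumption: the signal is the Global Privacy Control header "Sec-GPC: 1".

const SIGNAL_HEADER = 'sec-gpc';

// Look up the header case-insensitively. Only the exact value "1" counts as
// a signal; "0", an empty value, or anything else is treated as no signal.
function hasOptOutSignal(headers) {
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() !== SIGNAL_HEADER) continue;
    const raw = headers[name];
    const value = Array.isArray(raw) ? raw[0] : raw;
    return typeof value === 'string' && value.trim() === '1';
  }
  return false;
}

// Decide whether sale/sharing is opted out for this request.
// `record` is the business's stored state for the consumer; its shape is
// constructed for this example: { optedOut, consentedAfterSignal }.
// A signal opts the consumer out unless the business can show a later,
// affirmative consent to sale or sharing (the exception the Draft
// Regulations allow for third parties collecting on the business's site).
function resolveSaleSharingOptOut(headers, record = {}) {
  if (hasOptOutSignal(headers)) {
    return record.consentedAfterSignal
      ? { optOut: false, reason: 'consent-after-signal' }
      : { optOut: true, reason: 'opt-out-preference-signal' };
  }
  // No signal: honour any opt-out the consumer submitted another way.
  return record.optedOut
    ? { optOut: true, reason: 'stored-request' }
    : { optOut: false, reason: 'none' };
}

// A "frictionless" response may only state whether the opt-out occurred,
// with no fee and no change to the consumer's experience.
function frictionlessStatusMessage(decision) {
  return decision.optOut
    ? 'Your opt-out of sale/sharing is in effect.'
    : 'No opt-out of sale/sharing is in effect.';
}

// Constructed sample request headers (not captured traffic).
const sampleHeaders = { 'Sec-GPC': '1', 'User-Agent': 'example-browser' };
console.log(frictionlessStatusMessage(resolveSaleSharingOptOut(sampleHeaders)));
```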
Enhanced Expectations to Prevent Dark Patterns
The Draft Regulations establish five principles with which methods to submit CCPA requests and to obtain consumer consent must comply. These principles include “easy to understand,” “symmetry in choice,” “avoidance of language or interactive elements that are confusing to the consumer,” “avoidance of manipulative language or choice architecture,” and “easy execution.” The Draft Regulations would treat a violation of these five principles as a “dark pattern.”
- “Easy to understand” means using language that is easy to read and understand.
- “Symmetry in choice” means the path for a consumer to exercise a more privacy-protective option must not be longer than the path to exercise a less privacy-protective option. The Draft Regulations specifically mention cookie banners that include first-layer choices of “accept all” and “preferences” as not being equal or symmetrical because acceptance requires one step and denial requires at least two. Similarly, the Draft Regulations would consider a “yes” button that is more prominent than a “no” button as not symmetrical.
- “Avoidance of language or interactive elements that are confusing to the consumer” means not using double negatives and using toggles or buttons that clearly indicate the consumer’s choice.
- “Avoidance of manipulative language or choice architecture” means that businesses should avoid language that guilts or shames the consumer, such as “no, I enjoy paying full price” in the context of a financial incentive. The Draft Regulations would also prohibit bundling consents such that a consumer would need to consent to the business’s use of personal information in incompatible ways in order to use a service.
- “Easy execution” means avoiding unnecessary burden or friction to CCPA request processes.
These proposed principles may require businesses to carefully evaluate on an ongoing basis the design elements and interfaces presented to users across an array of interfaces and user experiences. This could include, for example, interfaces relating to financial incentives and consumer requests and the methods through which the business seeks consent for any number of processes.
Burdensome Requirements vis-à-vis Third Parties, Service Providers, and Contractors
The Draft Regulations would introduce new obligations on businesses, service providers, contractors, and third parties that, if adopted without change, may substantially disrupt existing commercial relationships and operations and require significant investment in new compliance technologies and processes.
In the context of service providers and contractors (“Processors”), the Draft Regulations would expressly prohibit Processors from providing cross-context behavioral advertising: entities that provide these services are third parties as a matter of law. For other services, the Draft Regulations would require businesses to convey requests to know, delete, and correct to their Processors, which would then be obligated to cooperate with the business to respond to the request (including providing specific pieces of personal information for requests to know) and otherwise comply with the requests (subject to certain exceptions). Processors would also be required to convey requests to their sub-Processors. If a Processor or sub-Processor retains personal information pursuant to an exception, a detailed explanation needs to be provided up the chain to the business so that the business can provide that explanation to the requestor.
The Draft Regulations would also affirmatively require businesses to convey deletion and opt-out requests to third parties. Deletion requests would need to be conveyed to third parties to which the business sold or shared personal information (unless doing so is impossible or would involve disproportionate effort). Opt-out requests would need to be conveyed to all third parties (i) to which the business sold or shared personal information after receiving an opt-out request; and (ii) to which it makes available the personal information of the consumer who submitted the request. Third parties that receive notification of an opt-out request would be required to comply with the request and also to forward the request to any further third parties that received the personal information from them. A similar requirement exists for requests to limit the use and disclosure of sensitive personal information.
Compliance with these flow-down requirements is likely to pose novel technical and commercial challenges for organizations and may raise other legal questions where third parties are located outside of California.
The Draft Regulations would also require a business to contract with a third party to which it discloses or makes available personal information. The contract would need to include specific requirements, including a requirement that third parties authorized to collect personal information through the business’s website would need to check for and comply with opt-out preference signals unless the business indicates that the consumer consented to the sale or sharing of personal information.
Businesses could also inadvertently waive their liability shield for violations by Processors or third parties: the Draft Regulations would consider a business’s efforts to monitor compliance with the CCPA and contractual obligations when determining whether the business had reason to believe the third party intended to use personal information in violation of the CCPA. According to the Draft Regulations, a business that never enforces its contract or exercises its right to audit or review compliance might be unable to rely on the liability shield.
The proposed provisions relating to relationships between businesses, Processors, and third parties would create a highly complex framework involving third-party risk management, new commercial contracting requirements, and ongoing cooperation between businesses, Processors, and third parties with respect to consumer requests.
Broad Agency Audit and Enforcement Authority
The Draft Regulations would provide the CPPA broad powers to audit and enforce the CPRA. The CPPA would be permitted to audit any person to ensure compliance with the CPPA and to initiate proceedings by sworn consumer complaint or of its own volition. It would also be able to select audit targets if the subject’s processing “presents significant risk to consumer privacy or security” or “if the subject has a history of noncompliance with the CCPA or any other privacy protection law.”
The CPPA would also be able to perform audits “announced” or “unannounced.” The Draft Regulations do not provide clarity on what types of activities are permitted by “unannounced compliance audits.”
The Draft Regulations also authorize businesses and the Agency to agree to stipulated orders. Stipulated orders must be approved by the CPPA Board, and they then would be made public.
Operationally Significant Items Remain Unaddressed
The items that the Draft Regulations do not address are almost as significant as those they do address. The CPPA Board recently announced that it intends to issue rules on automated decision-making, cybersecurity audits, and risk assessments in future rulemaking packages.
The Draft Regulations also do not address other important questions. For example, the CPRA allows the CPPA to define “specific pieces of personal information,” a term directly tied to the consumer’s request to know. The current definition covers all personal information except personal information that is prepared for “security and integrity” purposes. But other categories of personal information might warrant exemption from the request to know, such as workplace misconduct records. The Draft Regulations do not appear to address this issue.
Similarly, the Draft Regulations do not address how privacy interests in the employment context differ from those in the consumer context. Starting January 1, 2023, the requirements provided in the Draft Regulations would take full force for candidates and employees despite the varying interests at play and the existing legal frameworks (such as employee rights to access personnel records under the California Labor Code).
Organizations that do business in California and will be subject to the CPRA may wish to:
- Consider whether and how to engage in the rulemaking process. It may be possible to speak to the CPPA Board during the June 8, 2022, Board meeting or at future meetings to express concerns regarding the Draft Regulations or other topics relating to the CPRA. In addition, organizations should consider preparing comments for submission during the public comment period or preparing testimony for the public hearing during the rulemaking process.
- Evaluate the time and effort required to align operations with key items in the regulations. We anticipate that a number of the requirements described in the Draft Regulations may take significant time and effort to operationalize. With the January 1, 2023, effective date of the CPRA quickly approaching, it may be worth taking stock of which requirements need immediate attention in order to be ready by year-end.