Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

California’s privacy agency amends draft privacy rules ahead of meeting

Privacy, Cyber Risk & Data Security State Issues California CPPA CPRA CCPA Consumer Protection Agency Rule-Making & Guidance

Privacy, Cyber Risk & Data Security

In advance of an upcoming meeting of the California Privacy Protection Agency Board (CPPA) scheduled for October 28-29, the agency posted updated draft rules for implementing the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here).

The proposed changes to the draft rules respond to comments received during the 45-day comment period, in which several businesses expressed concerns that the requirements were confusing and complying would be costly. (See also Explanation of Modified Text of Proposed Regulations.) Key clarifying modifications include:

  • Adding, amending, and striking certain definitions. The proposed changes would, among other things, revise the definition of “disproportionate effort” to clarify that it applies to service providers, contractors, and third parties as well as to businesses. The revisions also provide additional details concerning factors that should be considered when evaluating whether responding to a consumer request would require disproportionate effort. The changes also add and amend terms such as “first party,” “information practices,” “nonbusiness,” “privacy policy,” and “unstructured.”
  • Outlining restrictions on how a consumer’s personal information is collected or used. The revisions propose criteria for how a business should evaluate the “reasonable expectation” of consumers concerning the collection or processing of their personal information, including how to determine the purpose for which the personal information is collected, whether it is reasonably necessary and proportionate for achieving the stated purposes, and whether it is a “business purpose” under the CCPA/CPRA. According to the CPPA’s explanation of the modified text, the “factors consider relevant GDPR principles for harmonization while articulating the statutory requirements and intent of the CCPA.”
  • Providing disclosure and communications requirements. The proposed changes clarify that conspicuous links for websites should appear in a similar manner as other similarly-posted links, and provide guidance on the placement of conspicuous links in a mobile environment.
  • Clarifying requirements for obtaining consumer consent. The revisions explain how different user interfaces and “choice architecture” can impair or interfere with a consumer’s ability to make a choice, and thus fail to meet the definition of consent. The revisions further address provisions related to dark patterns, explaining that “[i]f a business did not intend to design the user interface to subvert or impair user choice, but the business knows of and does not remedy a user interface that has that effect, the user interface may still be a dark pattern. Similarly, a business’s deliberate ignorance of the effect of its user interface may also weigh in favor of establishing a dark pattern.”
  • Amending requirements related to a business’s privacy notice. The revisions eliminate requirements for a business to either disclose the names or business practices of third parties that the business allows to collect personal information from the consumer in the business’s notice at collection. Additionally, a business and third party may provide a single notice at collection that outlines the required information about their collective information practices.
  • Amending the right to limit the use/disclosure of sensitive personal information. The proposed changes clarify that a business does not need to provide a notice of right to limit the use of sensitive personal information if the business only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer. Additionally, the revisions would make it optional for businesses to provide a means by which consumers can confirm their request to limit in order to simplify implementation at this time.
  • Clarifying request to delete provisions. The revisions confirm that a business’s service provider or contractor may delete collected personal information pursuant to the written contract that it has with the business. Additionally, businesses will be permitted to provide a link to a support page or other resource that explains a consumer’s data deletion options.
  • Amending requests to correct/know. The proposed changes clarify that businesses, service providers, and contractors may delay compliance with requests to correct with respect to information stored on archived or backup systems. The amendments also, among other things, clarify that consumers should make good-faith efforts to provide businesses with all relevant information available at the time of the request, provide flexibility and discretion to a business concerning whether it will provide the consumer with the name of the source from which the business received the alleged inaccurate information, and clarify that a business only needs to disclose specific pieces of personal information that it maintains and has collected about the consumer in order to confirm that the business has corrected the inaccurate information that was the subject of the consumer’s request to correct. With respect to a consumer’s right to know, the proposed changes would allow a consumer to request a specific time period for which their request to know applies.
  • Amending opt-out preference signals. The proposed changes specify that a business that does not sell or share personal information is not required to process an opt-out preference signal as a valid request to opt-out. However, for businesses that do sell or share personal information, processing the opt-out preference signal means that the business is treating it as a valid request to opt-out of sale/sharing. The revisions also address when a business can ignore an opt-out signal to allow a consumer to continue to participate in a financial incentive program, and explain that when a consumer is known to the business, the “business shall not interpret the absence of an opt-out preference signal after the consumer previously sent an opt-out preference signal as consent to opt-in to the sale or sharing of personal information.” Moreover, a business may choose to display whether it has processed the consumer’s optout preference signal as a valid request to opt-out of sale/sharing on its website.
  • Amending requests to opt-out of sale/sharing. The revisions, among other things, clarify that, at a minimum, a business shall allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through one of the following methods—an interactive form accessible via the “Do No Sell or Share My Personal Information” link, the Alternative Opt-out Link, or the business’s privacy policy. The revisions also make various changes related to service provider, contractor, and third-party obligations.
  • Clarifying requests to limit use and disclosure of sensitive personal information. The revisions clarify how sensitive personal information may be used to “prevent, detect, and investigate” security incidents “even if this business purpose is not specified in the written contract required by the CCPA and these regulations.”

The proposed changes also delete examples concerning notices of the right to opt-out of the sale/sharing of personal information through connected devices and augmented or virtual reality to simplify implementation at this time. Additionally, the proposed changes further clarify provisions related to requirements for service providers, contractors, and third parties, specifying, among other things, that businesses must contractually require these entities to provide the same level of privacy protection as is required of businesses by the CCPA and these regulations.