Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On October 8, the California governor signed two bills, AB 947 amending the California Consumer Privacy Act of 2018, and AB 1194 amending the California Privacy Rights Act (CPRA) of 2020. AB 947 amends the definition of “sensitive personal information” to include any personal information that reveals a consumer’s citizenship or immigration status. AB 1194 will ensure that when a consumer’s personal information relates to “accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services,” business are obligated to comply with CPRA, except in cases where the information is in an aggregated, deidentified form and is not sold or shared. CRPA already empowers consumers to request the deletion of their personal information, with some exceptions to accommodate a business's obligations to adhere to federal, state, or local laws, fulfill court orders, respond to subpoenas for information, or cooperate with government agencies in emergency situations involving potential risks to a person's life or physical well-being.
AB 947 is effective January 1, 2024 and AB 1194 is effective July 1, 2024.
Draft risk assessment regulations and cybersecurity audit regulations were released in advance of the September 8 open meeting held by the board. Draft regulations on automated decision-making remain to be published. More comprehensive comment and feedback is expected on these draft regulations, unlike regulations finalized in March that were presented in a more robust state. As previously covered by InfoBytes, the California Privacy Protection Agency cannot enforce any regulations until a year after their finalization, adding a ticking reminder to the finalization process for these draft regulations.
The draft cybersecurity regulations include thoroughness requirements for the annual cybersecurity audit, which must also be completed “using a qualified, objective, independent professional” and “procedures and standards generally accepted in the profession of auditing.” A management certification must also be signed certifying the business has not influenced the audit, and has reviewed the audit and understands its findings.
The draft risk assessment regulations require conducting a risk assessment prior to initiating processing of consumers’ personal information that “presents significant risk to consumers’ privacy,” as set forth in an enumerated list include the selling or sharing of personal information; processing personal information of consumers under age 16; and using certain automated decision-making technology, including AI.
The Superior Court for the County of Sacramento adopted a ruling during a hearing held June 30, granting the California Chamber of Commerce’s (Chamber of Commerce) request to enjoin the California Privacy Protection Agency (CPPA) from enforcing its California Privacy Rights Act (CPRA) regulations until March 2024. Enforcement of the CPRA regulations was set to begin July 1.
The approved regulations (which were finalized in March and took effect immediately) update existing California Consumer Privacy Act regulations to harmonize them with amendments adopted by voter initiative under the CPRA in November 2020. (Covered by InfoBytes here.) In February of this year, the CPPA acknowledged that it had not finalized regulations regarding cybersecurity audits, risk assessments, and automated decision-making technology and posted a preliminary request for comments to inform this rulemaking. (Covered by InfoBytes here.) The June 30 ruling referred to a public statement issued by the CPPA, in which the agency explained that enforcement of those three areas would not commence until after the applicable regulations are finalized. However, the CPPA stated it intended to “enforce the law in the other twelve areas as soon as July 1.”
In March, the Chamber of Commerce filed a lawsuit in state court seeking a one-year delay of enforcement for the new regulations. The Chamber of Commerce argued that the CPPA had finalized its regulations in March 2023 (rather than the statutorily-mandated completion date of July 1, 2022), and as a result businesses were not provided the required one-year period to come into compliance before the CPPA begins enforcement. The CPPA countered that the text of the statute “is not so straightforward as to confer a mandatory promulgation deadline of July 1, 2022, nor did the voters intend for impacted business to have a 12-month grace period between the [CPPA’s] adoption of all final regulations and their enforcement.”
The court disagreed, finding that the CPPA’s failure “to timely pass final regulations” as required by the CPRA “is sufficient to grant the Petition.” The court stated that because the CPRA required the CPPA to pass final regulations by July 1, 2022, with enforcement beginning one year later, “voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” The court added that it was “not persuaded” by the CPPA’s argument “that it may ignore one date while enforcing the other.” However, staying enforcement of all the regulations for one year until after the last of the CPRA regulations have been finalized would “thwart the voters’ intent.” In striking a balance, the court stayed the CPPA’s enforcement of the regulations that became final on March 29 and said the agency may begin enforcing those regulations on March 29, 2024. The court also held that any new regulations issued by the CPPA will be stayed for one year after they are implemented. The court declined to mandate any specific date by which the CPPA must finalize the outstanding regulations.
On March 30, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) approved the agency’s first substantive rulemaking package for implementing the California Consumer Privacy Act (CCPA). The approved regulations are effective immediately. The CPPA noted that the approved regulations update existing CCPA regulations to harmonize them with amendments adopted under the California Privacy Rights Act (CPRA), which was approved by ballot measure in November 2020 to amend and build on the CCPA. In February, the CPPA voted unanimously to adopt and approve the regulations, which have not been substantively changed since the CPPA voted on modifications last year (covered by InfoBytes here). The final regulations and supporting materials are now available on the CPPA’s website.
The CPPA has already begun additional rulemaking. The agency issued a preliminary request for comments on cybersecurity audits, risk assessments, and automated decision-making to inform future rulemaking in February. Comments were due at the end of March.
On February 3, the California Privacy Protection Agency (CPPA) Board voted unanimously to adopt and approve updated regulations for implementing the California Privacy Rights Act (CPRA). The proposed final regulations will now go to the Office of Administrative Law, who will have 30 working days to review and approve or disapprove the regulations. As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July 2022, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here).
According to the CPPA’s final statement of reasons, the proposed final regulations (which are substantially similar to the version of the proposed regulations circulated in November) address comments received by stakeholders, and include the following modifications from the initial proposed text:
- Amending certain definitions. The proposed changes would, among other things, modify the definition of “disproportionate effort” to apply to service providers, contractors, and third parties in addition to businesses, as such term is used throughout the regulations, to limit the obligation of businesses (and other entities) with respect to certain consumer requests. The term is further defined as “when the time and/or resources expended to respond to the request significantly outweighs the reasonably foreseeable impact to the consumer by not responding to the request,” and has been modified “to operationalize the exception to complying with certain CCPA requests when it requires ‘disproportionate effort.’” The proposed changes also introduce the definition of “unstructured” personal information, which describes personal information that could not be retrieved or organized in a predefined manner without disproportionate effort on behalf of the business, service provider, contractor, or third party as it relates to the retrieval of text, video, and audio files.
- Outlining restrictions on how a consumer’s personal information is collected or used. The proposed changes outline factors for determining whether the collection or processing of personal information is consistent with a consumer’s “reasonable expectations.” The modifications also add language explaining how a business should “determine whether another disclosed purpose is compatible with the context in which the personal information was collected,” and present factors such as the reasonable expectation of the consumer at the time of collection, the nature of the other disclosed purpose, and the strength of the link between such expectation and the nature of the other disclosed purpose, for assessing compatibility. Additionally, a section has been added to reiterate requirements “that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be ‘reasonably necessary and proportionate’ for each identified purpose.” The CPPA explained that this guidance is necessary for ensuring that businesses do not create unnecessary and disproportionate negative impacts on consumers.
- Clarifying requirements for consumer requests and obtaining consumer consent. Among other things, the proposed changes introduce technical requirements for the design and implementation of processes for obtaining consumer consent and fulfilling consumer requests, including but not limited to “symmetry-in-choice,” which prohibits businesses from creating more difficult or time consuming paths for more privacy-protective options than paths to exercise a less privacy protective options. The modifications also provide that businesses should avoid choice architecture that impairs or interferes with a consumer’s ability to make a choice, as “consent” under the CCPA requires that it be freely give, specific, informed, and unambiguous. Moreover, the statutory definition of a “dark pattern” does not require that a business “intend to design a user interface to have the substantial effect of subverting or impairing consumer choice.” Additionally, businesses that are aware of, but do not correct, broken links and nonfunctional email addresses may be in violation of the regulation.
- Amending business practices for handling consumer requests. The revisions clarify that a service provider and contractor may use self-service methods that enable the business to delete personal information that the service provider or contractor has collected pursuant to a written contract with the business (additional clarification is also provided on a how a service provider or contractor’s obligations apply to the personal information collected pursuant to its written contract with the business). Businesses can also provide a link to resources that explain how specific pieces of personal information can be deleted.
- Amending requests to correct/know. Among other things, the revisions add language to allow “businesses, service providers, and contractors to delay compliance with requests to correct, with respect to information stored on archived or backup systems until the archived or backup system relating to that data is restored to an active system or is next accessed or used.” Consumers will also be required to make a good-faith effort to provide businesses with all necessary information available at the time of a request. A section has also been added, which clarifies “that implementing measures to ensure that personal information that is the subject of a request to correct remains corrected factors into whether a business, service provider, or contractor has complied with a consumer’s request to correct in accordance with the CCPA and these regulations.” Modifications have also been made to specify that a consumer can request that a business disclose their personal information for a specific time period, and changes have been made to provide further clarity on how a service provider or contractor’s obligations apply to personal information collected pursuant to a written contract with a business.
- Amending opt-out preference signals. The proposed changes clarify that the requirement to process opt-out preference signals applies only to businesses that sell or share personal information. Language has also been added to explain that “the opt-out preference signal shall be treated as a valid request to opt-out of sale/sharing for any consumer profile, including pseudonymous profiles, that are associated with the browser or device for which the opt-out preference signal is given.” When consumers do not respond to a business’s request for more information, a “business must still process the request to opt-out of sale/sharing” to ensure that “a business’s request for more information is not a dark pattern that subverts consumer’s choice.” Additionally, business should not interpret the absence of an opt-out preference signal as a consumer’s consent to opt-in to the sale or sharing of personal information.
- Clarifying requests to limit use and disclosure of sensitive personal information. The regulations require businesses to provide specific disclosures related to the collection, use, and rights of consumers for limiting the use of personal sensitive information in certain cases, including, among other things, requiring the use of a link to “Limit the Use of My Sensitive Personal Information” and honoring any limitations within 15 business days of receipt. The regulations also provide specific enumerated business uses where the right to limit does not apply, including to ensure physical safety and to prevent, detect, and investigate security incidents.
The proposed final regulations also clarify when businesses must provide a notice of right to limit, modify how the alternative opt-out link should be presented, provide clarity on how businesses should address scenarios in which opt-out preference signals may conflict with financial incentive programs, make changes to service provider, contractor, and third party obligations to the collection of personal information, as well as contract requirements, provide clarity on special rules applicable to consumers under 16-years of age, and modify provisions related to investigations and enforcement.
Separately, on February 10, the CPPA posted a preliminary request for comments on cybersecurity audits, risk assessments, and automated decisionmaking to inform future rulemaking. Among other things, the CPPA is interested in learning about steps it can take to ensure cybersecurity audits are “thorough and independent,” what content should be included in a risk assessment (including whether the CPPA should adopt the approaches in the EU GDPR and/or Colorado Privacy Act), and how “automated decisionmaking technology” is defined in other laws and frameworks. The CPPA noted that this invitation for comments is not a proposed rulemaking action, but rather serves as an opportunity for information gathering. Comments are due March 27.
On January 27, the California attorney general announced an investigation into mobile applications’ compliance with the California Consumer Privacy Act (CCPA). The AG sent letters to businesses in the retail, travel, and food service industries who maintain popular mobile apps that allegedly fail to comply with consumer opt-out requests or do not offer mechanisms for consumers to delete personal information or stop the sale of their data. The investigation also focuses on businesses that fail to process consumer opt-out and data-deletion requests submitted through an authorized agent, as required under the CCPA. “On this Data Privacy Day and every day, businesses must honor Californians’ right to opt out and delete personal information, including when those requests are made through an authorized agent,” the AG said, adding that authorized agent requests include “those sent by Permission Slip, a mobile application developed by Consumer Reports that allows consumers to send requests to opt out and delete their personal information.” The AG encouraged the tech industry to develop and adopt user-enabled global privacy controls for mobile operating systems to enable consumers to stop apps from selling their data.
As previously covered by InfoBytes, the CCPA was enacted in 2018 and took effect January 1, 2020. The California Privacy Protection Agency is currently working on draft regulations to implement the California Privacy Rights Act, which largely became effective January 1, to amend and build upon the CCPA. (Covered by InfoBytes here.)
On December 16, the California Privacy Protection Agency (CPPA) Board held a public meeting to discuss the ongoing status of the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here). The CPPA stated it anticipates conducting additional preliminary rulemaking in early 2023. After public input is received, the CPPA will discuss proposed regulatory frameworks for risk assessments, cybersecurity audits, and automated decisionmaking.
During the board meeting, the CPPA introduced sample questions and subject areas for preliminary rulemaking that will be provided to the public at some point in 2023, and finalized and approved at a later meeting. The questions and topics relate to, among other things, (i) privacy and security risk assessment requirements, including whether the CPPA should follow the approach outlined in the European Data Protection Board’s Guidelines on Data Protection Impact Assessment, as well as other models or factors the agency should consider; (ii) benefits and drawbacks for businesses should the CPPA accept a business’s risk assessment submission that was completed in compliance with GDPR’s or the Colorado Privacy Act’s requirements for these assessments; (iii) how the CPPA can ensure cybersecurity audits, assessments, and evaluations are thorough and independent; and (iv) how to address profiling and logic in automated decisionmaking, the prevalence of algorithmic discrimination, and whether opt-out rights with respect to a business’s use of automated decisionmaking technology differ across industries and technologies. The CPPA said it is also considering different rules for businesses making under $25 million in annual gross revenues.
On November 3, the California Privacy Protection Agency (CPPA) Board officially posted updated draft rules for implementing the Consumer Privacy Rights Act of 2020, which amends and builds on the California Consumer Privacy Act of 2018. The draft rules were previously released in advance of a CPPA Board meeting held at the end of October (see previous InfoBytes coverage here for a detailed breakdown of the proposed changes). A few notable changes between the versions include:
- A requirement that a business must treat an opt-out preference signal as a valid request to opt out of sale/sharing for not only that browser or device but also for “any consumer profile associated with that browser or device, including pseudonymous profiles.”
- A requirement that if a business does not ask a consumer to affirm their intent with regard to a financial incentive program, “the business shall still process the opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or devise and any consumer profile the business associates with that browser or device.” However if a consumer submits an opt-out of sale/sharing request but does not affirm their intent to withdraw from a financial incentive program, the business may ignore the opt-out preference signal with respect to the consumer’s participation in the financial incentive program.
- The addition of the following provision: “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”
Comments on the amended draft rules are due November 21 by 8 am PT.
In advance of an upcoming meeting of the California Privacy Protection Agency Board (CPPA) scheduled for October 28-29, the agency posted updated draft rules for implementing the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here).
The proposed changes to the draft rules respond to comments received during the 45-day comment period, in which several businesses expressed concerns that the requirements were confusing and complying would be costly. (See also Explanation of Modified Text of Proposed Regulations.) Key clarifying modifications include:
- Outlining restrictions on how a consumer’s personal information is collected or used. The revisions propose criteria for how a business should evaluate the “reasonable expectation” of consumers concerning the collection or processing of their personal information, including how to determine the purpose for which the personal information is collected, whether it is reasonably necessary and proportionate for achieving the stated purposes, and whether it is a “business purpose” under the CCPA/CPRA. According to the CPPA’s explanation of the modified text, the “factors consider relevant GDPR principles for harmonization while articulating the statutory requirements and intent of the CCPA.”
- Providing disclosure and communications requirements. The proposed changes clarify that conspicuous links for websites should appear in a similar manner as other similarly-posted links, and provide guidance on the placement of conspicuous links in a mobile environment.
- Clarifying requirements for obtaining consumer consent. The revisions explain how different user interfaces and “choice architecture” can impair or interfere with a consumer’s ability to make a choice, and thus fail to meet the definition of consent. The revisions further address provisions related to dark patterns, explaining that “[i]f a business did not intend to design the user interface to subvert or impair user choice, but the business knows of and does not remedy a user interface that has that effect, the user interface may still be a dark pattern. Similarly, a business’s deliberate ignorance of the effect of its user interface may also weigh in favor of establishing a dark pattern.”
- Amending requirements related to a business’s privacy notice. The revisions eliminate requirements for a business to either disclose the names or business practices of third parties that the business allows to collect personal information from the consumer in the business’s notice at collection. Additionally, a business and third party may provide a single notice at collection that outlines the required information about their collective information practices.
- Amending the right to limit the use/disclosure of sensitive personal information. The proposed changes clarify that a business does not need to provide a notice of right to limit the use of sensitive personal information if the business only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer. Additionally, the revisions would make it optional for businesses to provide a means by which consumers can confirm their request to limit in order to simplify implementation at this time.
- Clarifying request to delete provisions. The revisions confirm that a business’s service provider or contractor may delete collected personal information pursuant to the written contract that it has with the business. Additionally, businesses will be permitted to provide a link to a support page or other resource that explains a consumer’s data deletion options.
- Amending requests to correct/know. The proposed changes clarify that businesses, service providers, and contractors may delay compliance with requests to correct with respect to information stored on archived or backup systems. The amendments also, among other things, clarify that consumers should make good-faith efforts to provide businesses with all relevant information available at the time of the request, provide flexibility and discretion to a business concerning whether it will provide the consumer with the name of the source from which the business received the alleged inaccurate information, and clarify that a business only needs to disclose specific pieces of personal information that it maintains and has collected about the consumer in order to confirm that the business has corrected the inaccurate information that was the subject of the consumer’s request to correct. With respect to a consumer’s right to know, the proposed changes would allow a consumer to request a specific time period for which their request to know applies.
- Amending opt-out preference signals. The proposed changes specify that a business that does not sell or share personal information is not required to process an opt-out preference signal as a valid request to opt-out. However, for businesses that do sell or share personal information, processing the opt-out preference signal means that the business is treating it as a valid request to opt-out of sale/sharing. The revisions also address when a business can ignore an opt-out signal to allow a consumer to continue to participate in a financial incentive program, and explain that when a consumer is known to the business, the “business shall not interpret the absence of an opt-out preference signal after the consumer previously sent an opt-out preference signal as consent to opt-in to the sale or sharing of personal information.” Moreover, a business may choose to display whether it has processed the consumer’s optout preference signal as a valid request to opt-out of sale/sharing on its website.
- Clarifying requests to limit use and disclosure of sensitive personal information. The revisions clarify how sensitive personal information may be used to “prevent, detect, and investigate” security incidents “even if this business purpose is not specified in the written contract required by the CCPA and these regulations.”
The proposed changes also delete examples concerning notices of the right to opt-out of the sale/sharing of personal information through connected devices and augmented or virtual reality to simplify implementation at this time. Additionally, the proposed changes further clarify provisions related to requirements for service providers, contractors, and third parties, specifying, among other things, that businesses must contractually require these entities to provide the same level of privacy protection as is required of businesses by the CCPA and these regulations.
Temporary exemptions under CCPA/CPRA for human resource and business-to-business data set to expire January 1, 2023
The California legislative session ended on August 31, foreclosing any chance of the legislature extending temporary exemptions under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) related to human resource and business-to-business data, set to expire January 1, 2023. The legislature proposed several bills throughout the legislative session that would have extend the exemptions, but all of them stalled. In a last-ditch effort, a California assembly member proposed amendments to AB 1102 that would have extended the exemptions to January 1, 2025 if adopted during the August 31 floor session.
According to the amendments, the CPRA recognized that various rights afforded to consumers under the CCPA and CPRA are not suited to the employment context, and as such, clarified that the CPRA “does not apply to personal information collected by a business about a natural person in the course of the natural person acting within the employment context, including emergency contact information, information necessary to administer benefits, or information collected in the course of business to business communications or transactions.” The amendments attempted to extend the exemption for “personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business.” The amendments also proposed extending certain exemptions related to “personal information reflecting a communication or a transaction between a business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service.” Although the amendments did not address the reason for the extension for the business exemption, they stated that while the legislature and advocates continue to engage in discussions concerning the enactment of “robust and implementable privacy protections tailored to the employment context,” extending the exemptions would provide temporary protections around worker monitoring while giving businesses more time to enact these protections. However, the amendments were not adopted, and the exemptions will expire as originally intended on January 1, 2023.
As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the CCPA. In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here). CPPA Executive Director Ashkan Soltani said he expects the rulemaking process to extend into the second half of the year.