CPRA Regulations: Key Takeaways from the First Draft

The California Privacy Protection Agency (CPPA) released draft California Privacy Rights Act (CPRA) regulations on Friday (in true form), May 27. While these proposed regulations attracted PLENTY of attention, the bi-partisan federal privacy bill proposed in Washington the following Friday took some energy out of the room.

The CRPA draft regulations are significant, so we wanted to share some insight.

Just as a quick refresher on key dates:

• The CPRA goes into effect on January 1, 2023
• Enforcement is effective on July 1, 2023

The CPRA will be enforced by the CPPA, and we believe there will be an increased focus on enforcement given the agency’s reason for existence. Therefore, it’s important for covered organizations to understand their obligations and the additional obligations the CPRA lays out.

New and Clarified Definitions & Concepts

First and foremost, there are several new and/or clarified definitions. Terms such as “authorized agent,” “disproportionate effort,” “frictionless manner,” and “first party” just to name a few. While these new definitions provide clarification regarding the requirements, they also provide little excuse not to understand how to comply with the CPRA. For example, “disproportionate effort” is tied directly to consumer rights and provides a business with the ability to decline a consumer right request should the time and/or resources expended by the business to honor the request significantly outweigh the benefit provided to the consumer. With this, specific examples are provided that could be applied and the regulations also state this cannot be relied upon if a business has failed to put in place adequate processes and procedures to comply with consumer requests in accordance with the CCPA.

There are also new concepts like “symmetry in choice” which places requirements on a business to ensure that when a consumer is presented with certain choices surrounding the use, collection, and disclosure of their data that the options are clear and not misleading. Upon first review, this appears to be tied extremely closely to the prohibition on dark patterns and we are sure these terms will cross paths down the road in enforcement actions.

A More Holistic Approach

The CPRA features concepts that we have seen in long standing privacy laws such as the collection of personal information being reasonably and proportionate to achieve the purpose(s) for which it was collected or processed. This concept applies broadly to collect and even touches on data retention, use, disclosure, and destruction. We view this as a cornerstone privacy principal that makes sense but can be challenging for organizations to implement given its impact on the various functions of the business. Further, operationalizing this requirement is often overlooked and/or under-scoped leading to policies collecting dust with no evidence from procedures to prove meaningful compliance. With this in mind, organizations must review this requirement and consider how it impacts existing collection, processing, and storage practices.

Even MORE Disclosures

First, the draft regulations provide guidance and clarification regarding how the disclosures should be displayed to consumers, including where on the web page and in a readily accessible and easy to understand format.

The draft regulations also spell out additional disclosures businesses will be required to make, including consumer rights, sharing, categories of data, etc. These also entail things such as a description of the categories of sources from which personal information is collected, the categories of data disclosed to third parties, the categories of third parties shared with, and much more.

While we understand the goal of the agency in providing more transparency to consumers about how their personal information is used by businesses, we worry some of these terms and disclosures may lead to confusion to any consumers not well-versed in the intricacies of the CCPA. While the format requirements and how to communicate these disclosures to consumers will help, we think there is work to be done here to ensure consumers have a true picture of what businesses are doing with their personal information.

Opt-out Signals

We believe this is an area in the draft regulations sure to garner plenty of attention and comments during the commentary period. While the California AG outlined that Global Privacy Control (GPC) signals must be honored under the CCPA as “Do Not Sell” requests, the CPPA takes the approach that “Opt-out Preference Signals” generally must be honored as a “Do Not Sell/Share” request and/or a “Limit the use of My Sensitive Personal Information” request. Businesses that do this in a “frictionless manner” may choose to not include links for do not sell/share and limit the use of my sensitive data requests.

This is where we believe we will see many of the comments and well as general confusion. Businesses may not always be capable of honoring these types of requests via an opt-out signal. For example, the selling of data can occur through the sharing of information with third parties or other businesses that are not AdTech. Therefore, an organization may still be required to request additional information from consumers. While this is allowed, it will not be as hassle free or frictionless as the regulators would like.

Further, in the privacy policy, businesses are required, even if accepting opt-out preference signals in a frictionless manner, to disclose how the consumer can opt-out of the sale/sharing of their personal information. If a business is selling via AdTech, and the consumer does not have the technical ability to set up/send opt-out preference signals, the only option may be to place the Do Not Sell/Share link at the footer of the page that directs to the options to opt-out of the AdTech that is considered selling under the CCPA, thus making the ability to remove those links pointless.

Nonetheless, and mentioned briefly above, the onus of opt-out signals will not only be on businesses. Consumers will be required to do some leg work in order to send these signals. For example, GPC signals must be set up by the end user and are only available in certain browsers. Consequently, while a business may be set up and ready to receive and honor signals, it will ultimately be up to the consumer to set up and utilize a browser that sends such signals.

Additional Consumer Rights

Consumer rights are the foundation of any privacy law and provide consumers with the ability to exert control around their personal information and how businesses are processing it. In the draft regulations, we learn more about the right to correct inaccurate personal information and the limits a consumer may have. Most businesses are already incentivized to maintain accurate information about consumers, I mean who wants to send a package to the wrong address or get zero bites on that perfect email campaign, right? Regardless, it does happen, and this right should fill in a gap that the CCPA did not previously explicitly have. Businesses will need to ensure they have formal procedures and documentation surrounding how they honor the right to correct and make sure they don’t fall into any pitfalls the CPRA draft regulations prohibit around this right.  

The draft regulations further spell out how businesses should handle opt-out requests surrounding the selling/sharing of personal information as well as when a consumer requests that a business limit the use of their sensitive personal information. For example, and mirroring the current requirements, a business may not be required to verify a “Do Not Sell” request from consumers unless it cannot honor the request without additional information.

Contract Requirements

Give a heads up to your procurement team, the CPRA draft regulations currently contain new contract requirements for third parties, service providers, and contractors. While at it, ensure you plan for new due diligence requirements which will likely add to the time it takes to onboard or work with new organizations in the future. Not only will these contract requirements apply to new organizations a business is looking to engage, but also current contracts. Hopefully by now, organizations have a data inventory which should contain a list of organizations (I hesitate to use the term vendor here but you should get the point) data is shared with as well as the location of the contract that it can refer to in order to make the necessary contract updates as seamless as possible.

In Summary

Overall, these draft regulations are much appreciated by privacy professionals and shared much earlier than we anticipated. The CPPA also provided an Initial Statement of Reasons (ISOR) which provides additional insight into the CPPA’s goals and rationale around the first draft of these regulations. With that in mind, the draft regulations did not cover every topic like risk assessments and there will be additional topics in future drafts. We expect there to be several changes and recommend viewing this as a starting point. Stay tuned for additional changes and updates as the CPRA draft regulations progress through the rulemaking process.

If you have any questions about the CPRA, CCPA, or any other state data privacy regulations, contact CompliancePoint at connect@compliancepoint.com to speak with one of our privacy experts.