As we previously discussed, the California Privacy Protection Agency (“CPPA”) recently released updated rules implementing the California Privacy Rights Act (“CPRA”). Here are some of the key changes from those rules. While the changes are modest, they are directionally helpful in addressing some of the concerns industry raised during the rulemaking process.
- Clarification on when a business must collect consent to process personal information. The previous draft rules contained language that required businesses to obtain “explicit” consent before processing personal information for “any purpose that is unrelated or incompatible with the purpose(s) for which the personal information is collected or processed.” The updated regulations now provide that a business must collect consent to process personal information in a way that is not reasonably necessary and proportionate to achieve either:
  - The purpose for which the personal information was collected or processed, when that purpose is consistent with the reasonable expectations of the consumer (as explained by the regulations). The updated draft further provides that one relevant factor in setting consumer expectations is the “specificity, explicitness, and prominence” of disclosures to consumers about the relevant processing activity, suggesting that even an unexpected processing activity may be deemed consented to if adequately disclosed; OR
  - Another disclosed purpose that is compatible with the context in which the personal information was collected. The regulations contain factors for determining when the disclosed purpose is compatible with the context.
- Intent is not determinative of dark patterns. The prior draft of the rules provided that a user interface could be a dark pattern if it substantially subverted or impaired user autonomy, decision-making, or choice, regardless of a business’s intent. The updated regulations instead provide that intent is a factor that can be considered, and note that a business’s intent to subvert or impair a user’s choice weighs heavily in favor of establishing a dark pattern. In the same vein, the updated draft makes clear that circular and broken links are only potential dark patterns if a business knows of the issue and fails to remedy it.
- Omits the requirement that businesses name the third parties that control the collection of personal information in the notice at collection. The explanation of the changes notes that this was intended “to simplify implementation at this time.”
- Clarification that a business does not have to post a notice of the right to limit in the event the business processes sensitive personal information for purposes that do not infer characteristics about the consumer. This is an important clarification that brings the rules into alignment with the statutory text. CPRA § 1798.121(d).
- Clarification that service providers and contractors may enable businesses to honor deletion and access requests directly. Changes were made throughout to make clear that service providers and contractors do not need to manually process data subject requests from businesses, but instead can enable businesses to comply directly.
- Clarifications to provisions relating to data subject rights.
  - Among them, the modified draft deletes language that obligates every business that receives a correction request to “implement measures to ensure” that personal information “remains corrected.” Instead, there is new language that provides that whether a business has implemented such measures “factors into whether” that business has complied with a request to correct. The modified draft rules include an example that suggests there might still be risk if a business fails to consider that corrected information might be overridden by inaccurate data obtained from data brokers. However, the modified provision seems designed to afford some additional flexibility. According to the agency’s explanation, “[t]his [change] considers how the CCPA applies to a wide range of industries and enables businesses . . . to tailor their compliance efforts to their information practices and systems.”
  - The modified draft makes it optional instead of mandatory to provide consumers who make correction requests with the name of the source from which a business received allegedly inaccurate information.
  - The CPRA permits businesses to refuse to take certain actions when doing so would involve a disproportionate effort (e.g., in response to an access request, providing information that a business collected before the year preceding that access request). The updated draft regulations clarify that (amongst other things) “disproportionate effort” means that the time and resources a business spends to respond to the request significantly outweighs the reasonably foreseeable impact to the consumer of not responding to the request.
- Clarifications related to opt-out rights. The modified draft retains most of the provisions relating to mandatory honoring of opt-out preference signals, but it no longer requires businesses to display to consumers the status of whether they have enabled a global opt-out preference signal. It also deletes language requiring a business that receives an opt-out request (or requests to limit) to notify downstream third parties of the request and directing them to comply and further forward the request to other downstream recipients. There remains, however, an obligation to notify third parties to whom personal information was sold or shared during any period after a consumer has requested to opt-out before the request is honored.
The updated draft does not address industry comments and concerns that the proposed rules failed to include specific examples and provisions relevant to the employment context. Interestingly, the modified draft rules omit the sole provision that specifically referenced the employment context. That provision – which the modified draft deletes – had relieved businesses collecting employment-related information from including certain links in the notice at collection provided to employees. The agency’s explanation provides that it was deleted “to conform the regulations to the law following the expiration of the [statutory] exceptions.”