On the eve of a long holiday weekend, the California Privacy Protection Agency (“Agency”) quietly released a draft of much-anticipated proposed regulations (“Draft Regulations”) that would dramatically expand covered businesses’ compliance obligations under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). The Agency released the Draft Regulations as part of the supporting materials for its upcoming board meeting on June 8, 2022, where it will address a possible notice of proposed action regarding the Draft Regulations. The Draft Regulations provide for various amendments to the existing CCPA regulations.
It is still early in the rulemaking process and the Draft Regulations may change significantly before being finalized. Under the CPRA, the new regulations are required to be finalized by July 1, 2022, so that covered businesses have enough time to comply before the CPRA becomes operative on January 1, 2023. However, the Agency stated during its February 17, 2022 board meeting that the regulations will not be finalized on time. Formal proceedings, including public hearings, are expected to continue into the third quarter of 2022, with rulemaking completed in the third or even fourth quarter of 2022.
Despite the uncertainty, the Draft Regulations provide a strong indication that the finalized regulations will likely establish highly specific compliance requirements. This includes, without limitation, the following:
- Symmetric and free choice. The path for consumers to exercise their right to choose a more privacy-protective option may not be longer than the path to choose a less privacy-protective option. For example, the process for submitting a request to opt out of the sale or sharing of personal information must not require more steps than the process for opting into the sale or sharing of personal information after having previously opted out. Similarly, presenting the “yes” button for a less privacy‑protective option in a larger size or a more eye-catching color than the “no” button for a more privacy-protective option would not be considered symmetrical. The Draft Regulations confirm that the use of asymmetrical choice architecture might be considered a prohibited dark pattern invalidating any resulting opt-ins or consent declarations. The same applies to choice mechanisms that are found to be confusing (e.g., based on language containing double negatives) or manipulative (e.g., bundling consent so as to make the provision of services requested by the consumer conditional upon consent to the processing of personal information not in line with reasonable consumer expectations).
- Additional disclosures in notices at collection. In addition to the information to be provided in notices at the point of collection under the CPRA, the Draft Regulations introduce further disclosure requirements for businesses that allow third parties (as the term is defined by the CPRA) to control the collection of personal information from the businesses’ own users or customers. Such businesses have to inform consumers in their privacy notices at collection of the names of such third parties or, in the alternative, the third parties’ business practices. This applies, for example, where third-party providers of cross-context behavioral advertising services (as the term is defined by the CPRA) collect personal information directly on a business’s website. Another example would be a brick-and-mortar business, such as a coffee shop, that offers complimentary Wi-Fi through a third party that collects service‑related information directly from customers.
- Alternative opt-out links. Under the CPRA, businesses selling or sharing personal information and using or disclosing sensitive personal information for certain purposes need to provide affected consumers the option to opt out of such processing through two separate links entitled “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” (collectively “Opt-Out Links”). Alternatively, businesses may implement a single, clearly labeled link easily allowing consumers to opt out of both (“Alternative Opt-Out Link”). The Draft Regulations require that such Alternative Opt-Out Links be entitled “Your Privacy Choices” or “Your California Privacy Choices” and include a specific opt-out icon as illustrated in the Draft Regulations.
- Liability for service providers, contractors, and third parties. The CPRA provides a safe harbor to businesses with respect to violations committed by their service providers, contractors, or third parties. Specifically, a business is not liable for such a violation provided that, at the time of disclosing personal information to the service provider, contractor, or third party, it has no knowledge or reason to believe that the recipient intends to commit a violation. In this context, the Draft Regulations clarify that a business may not be able to rely on the safe harbor if it does not conduct due diligence on, enforce applicable contracts with, or audit its service providers, contractors, or third parties.
In some instances, the Draft Regulations seem to go beyond or deviate from the requirements of the CPRA. For example:
- Opt-out links and signals. The Draft Regulations make it mandatory for businesses selling or sharing personal information to process and comply with opt‑out preference signals, provided the signal is in a format commonly used and recognized by businesses (e.g., in an HTTP header field) and is known to consumers to constitute an opt-out mechanism. Opt-out preference signals are signals sent by a platform, technology, or mechanism such as an internet browser on behalf of a consumer that communicate the consumer’s choice to opt out of the sale or sharing of their personal information. The CPRA has been interpreted to give businesses the option to process and comply with opt-out preference signals instead of implementing Opt-Out Links or Alternative Opt-Out Links. The Draft Regulations contradict this interpretation and take the position that opt-out preference signals always need to be processed and complied with.
- Explicit consent to further processing. Under the CPRA, businesses need to provide notice to consumers at the point of collection regarding, inter alia, the categories of personal information collected and the purposes for which the information will be used. Before collecting additional categories of personal information or using personal information for purposes that are incompatible with the disclosed purposes, consumers need to be given supplementary notice. In contrast, the Draft Regulations require businesses to obtain the consumer’s explicit consent before collecting, using, retaining, and/or sharing personal information for any purpose that is unrelated to or incompatible with the purposes for which the personal information was collected or originally processed.
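One way a web backend can process a header-based opt-out preference signal, as an added example that is not part of the original post and not code from the Agency or any business: it assumes the signal is the Global Privacy Control header `Sec-GPC: 1` (one HTTP-header format of the kind the Draft Regulations describe); the per-consumer state record, the function names and the sample requests are constructed here for illustration.

```python
"""Server-side handling of a browser opt-out preference signal.

Added example (not from the original post). It assumes the signal is the
Global Privacy Control header `Sec-GPC: 1`; the state record, helper names
and sample requests below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Mapping


def has_opt_out_signal(headers: Mapping[str, str]) -> bool:
    """Return True when the request carries a recognised opt-out signal.

    HTTP header names are case-insensitive, so normalise before lookup.
    The GPC specification defines exactly one valid value, "1"; any other
    value ("0", "true", "yes", an empty string) is not a signal and must
    not be treated as one.
    """
    normalised = {name.lower(): value for name, value in headers.items()}
    return normalised.get("sec-gpc", "").strip() == "1"


@dataclass
class ConsumerPrivacyState:
    """Per-consumer record of the sale/sharing preference (constructed)."""
    opted_out_of_sale_or_share: bool = False
    source: str = "default"  # what set the current state


def apply_request_signal(state: ConsumerPrivacyState,
                         headers: Mapping[str, str]) -> ConsumerPrivacyState:
    """Process the signal on every request, whether or not the site also
    offers an opt-out link: a valid signal switches the record to opted-out.

    The absence of a signal is not an opt-in, so an existing opt-out is
    never cleared here; clearing it requires an affirmative consumer choice
    made through a separate flow.
    """
    if has_opt_out_signal(headers):
        state.opted_out_of_sale_or_share = True
        state.source = "opt-out preference signal"
    return state


def may_sell_or_share(state: ConsumerPrivacyState) -> bool:
    """The decision that ad-tech or data-sharing code paths should consult."""
    return not state.opted_out_of_sale_or_share


# Constructed sample requests: a browser sending the signal, a browser
# sending an invalid value, and a request with no signal at all.
SIGNAL_REQUEST = {"Host": "example.test", "Sec-GPC": "1"}
INVALID_REQUEST = {"Host": "example.test", "sec-gpc": "true"}
PLAIN_REQUEST = {"Host": "example.test"}


def demo() -> dict:
    """Run the three sample requests and report whether selling/sharing is allowed."""
    results = {}
    fresh = apply_request_signal(ConsumerPrivacyState(), SIGNAL_REQUEST)
    results["signal"] = may_sell_or_share(fresh)  # False
    invalid = apply_request_signal(ConsumerPrivacyState(), INVALID_REQUEST)
    results["invalid"] = may_sell_or_share(invalid)  # True: "true" is not a valid signal
    # A consumer who previously opted out via a link and now sends no signal stays opted out.
    prior = ConsumerPrivacyState(opted_out_of_sale_or_share=True, source="link")
    results["prior_no_signal"] = may_sell_or_share(apply_request_signal(prior, PLAIN_REQUEST))  # False
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks worth keeping in mind when wiring this into a real request pipeline are the ones the example isolates: the header must be matched case-insensitively, and only the exact value the signal's format defines counts, so that a malformed or spoofed value is neither silently honoured nor logged as a consumer choice.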
At the same time, the Draft Regulations do not address certain topics requiring regulatory attention under the CPRA. For example:
- Sensitive personal information. The Draft Regulations do not clarify when sensitive personal information is to be considered collected or processed without the purpose of inferring characteristics about the affected consumer. According to the CPRA, such processing is exempted from the right to limit the use and disclosure of sensitive personal information for certain extended purposes and shall be treated as personal information for all other purposes of the CCPA (as amended by the CPRA).
- Cybersecurity audits and risk assessments. The Draft Regulations do not address under what circumstances businesses, whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, are required to perform annual cybersecurity audits or submit risk assessments to the Agency on a regular basis.
Notably, the Draft Regulations also introduce detailed provisions on consumer complaints and enforcement methods available to the Agency, including Agency-initiated investigations, probable cause proceedings, stipulated orders, and agency audits.
The Agency will discuss the Draft Regulations at its June 8, 2022 board meeting. If the Agency formally commences the rulemaking procedure at that time, the Draft Regulations will be open to public comments for a 45-day period. In any event, businesses should review and start familiarizing themselves with the Draft Regulations and any subsequent versions in order to be able to become compliant before the rapidly approaching January 1, 2023 operative date.
For more information on the CCPA/CPRA, visit our online information center.