This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question: I heard that the public comment period on the proposed regulations under the California Privacy Rights Act (“CPRA”) recently started. What issues in the proposed regulations are businesses likely to comment on to influence the final regulations to be more business-friendly?
Answer: On July 8, 2022, the California Privacy Protection Agency (“Agency”) began the formal rulemaking process to adopt the proposed regulations, and public comments will be accepted until 5:00 p.m. PT on August 23. In addition, the Agency will hold a public hearing on August 24 and 25.
Here are some issues that businesses are likely to comment on:
- Consumer’s explicit consent. The CPRA requires businesses to give consumers notice at the point of personal information collection regarding the categories of information to be collected and the purposes for which this information will be used. In addition, a supplementary notice to consumers is required if any additional categories of personal information will be collected, or if the collected personal information will be used for purposes incompatible with the ones initially disclosed. Under the proposed regulations, businesses have to obtain the consumer’s explicit consent before collecting, using, retaining, and/or sharing the consumer’s personal information for purposes unrelated to, or incompatible with, the purposes for which the personal information was originally collected or processed. This will make it more difficult for businesses to evolve and improve their products and services over time.
- Opt-out links and signals. The CPRA provides businesses with different options regarding how they can enable consumers to exercise their opt-out rights, for instance by providing opt-out links, or by honoring opt-out preference signals received from consumers’ devices or applications. However, the proposed regulations require businesses to honor opt-out preference signals regardless of whether they have chosen to provide opt-out links. This takes away a business’s choice between providing opt-out links and honoring preference signals. Also, if preference signals are not available by January 1, 2023, businesses might have to set up opt-out links and then also honor preference signals when they become available.
- Due diligence required to rely on CPRA’s safe harbor. The proposed regulations limit the CPRA’s safe harbor for businesses based on their due diligence of their service providers and other parties. Under the proposed regulations, if a business fails to enforce contractual terms and fails to audit or test its service providers’, contractors’, or third parties’ systems, the business might not be able to claim that it did not have reason to believe that its service providers, contractors, or third parties intended to use the personal information in violation of the CPRA. This erodes the safe harbor that would otherwise protect a business whose service provider fails to comply with the CPRA despite its contractual and statutory duties to do so.
- Third-party disclosures in notice at collection. Under the proposed regulations, if a business allows third parties (i.e., not service providers or contractors) to control the collection of personal information, the consumer needs to be informed of these third parties’ names or business practices in the privacy notice that they receive at the time of collection of their personal information. The requirement for a business to name or describe the third parties with which it shares personal information is not currently present under U.S. law, and would require privacy notices to contain possibly long lists of company names or descriptions that are prone to becoming outdated over time.
- Agreements with service providers, contractors, and third parties. The proposed regulations require agreements between businesses and their service providers or contractors to contain contractual provisions similar to those required in agreements between businesses and other third parties. Since the nature of a relationship between a business and its processor is fundamentally different from its relationship with another controller, having the same contractual provisions, such as purpose limitations and oversight provisions, in both kinds of agreements is unlikely to accurately reflect the true relationship and allocation of responsibilities of the two parties.
- Responding to consumers’ requests to know. Under the CPRA, when a business receives a verifiable consumer request to access their personal information, the disclosed information should cover the 12 months preceding the request. The CPRA allows the regulations to extend this 12-month look-back period unless doing so proves impossible or would involve disproportionate effort on behalf of the business. Accordingly, the proposed regulations extend the look-back period to January 1, 2022, and also extend the scope of requests to personal information in the hands of the business’s service providers and contractors. This broadening of the personal information that is subject to consumer requests will make honoring requests more burdensome for businesses.
- Enforcement. Per the CPRA, the finalized regulations were due by July 1, 2022, to provide businesses with enough time to comply before January 1, 2023, when the CPRA becomes operative, and before enforcement begins six months later, on July 1, 2023. However, the Agency has indicated that the regulations will not be finalized until the third or even fourth quarter of 2022, leaving businesses with very little time, if any, to comply. Businesses might address this issue during the public comment period and request an extension of the July enforcement deadline to ensure sufficient time for compliance.
See our previous client alert about the CPRA draft regulations at Challenges Ahead: Proposed CPRA Regulations Would Dramatically Expand Compliance Obligations.