Final Approval
The California Privacy Protection Agency (“CPPA”) has approved a set of regulations to implement the California Privacy Rights Act (“final proposed CPRA regulations”). The final proposed CPRA regulations will be submitted to the California Office of Administrative Law in the next two weeks for a 30-day approval period. If there are no delays, the final proposed CPRA regulations could take effect as early as April 2023. This would leave businesses with approximately three months to ensure compliance before enforcement is set to commence on July 1, 2023.
CPPA Rulemaking
The final approval comes more than six months after regulations were originally set to be finalized under the CPRA. It also marks the end of what has been an iterative rulemaking process for the CPPA. Starting in July 2022, the CPPA published and sought comment on three rounds of proposed draft regulations. This culminated in draft regulations released for public comment on November 3, 2022.
How CPRA Regulations Came Out On The Open Issues
The final proposed CPRA regulations remain largely unchanged from the November draft regulations. In conjunction with the final proposed CPRA regulations, the CPPA released a Final Statement of Reasons (“FSOR”) explaining each change. Below are outcomes for the following key topics that we have been covering throughout the CPPA’s rulemaking process:
- Consumers’ Explicit Consent. Earlier proposed drafts required businesses to obtain additional, explicit consent to process personal information for purposes incompatible with, or unrelated to, the original purposes for processing the information. The final proposed CPRA regulations remove the term “explicit” from this requirement. This does not mean that businesses may now rely on implicit consent for additional processing purposes. To the contrary, the FSOR explains that other requirements surrounding consent obviated the need to use the term “explicit” when describing consent in the regulations. For instance, the final proposed CPRA regulations contain a list of factors relevant to a consumer’s reasonable expectations, one of which is “the specificity, explicitness, and prominence of disclosures to the consumer about the purpose” for processing. (Emphasis added). Also, the CPRA’s definition of “consent” cuts against the possibility of implied consent. However, note that the CPRA itself requires that a business not collect additional categories of personal information, or use personal information for additional purposes that are incompatible with the disclosed purpose, without providing the consumer with notice, but the CPRA does not, on its face, require consent.
- Opt-Out Links and [Now Mandatory] Opt-Out Preference Signals. Under the final proposed CPRA regulations, it is now mandatory for businesses that “sell” or “share” personal information to offer and honor a consumer’s opt-out preference signal that is received in a format commonly used and recognized by businesses (e.g., a preference signal sent by web browsing software like the Global Privacy Control). This dispels earlier questions as to whether businesses had the option to use their own opt-out mechanisms in lieu of recognizing opt-out preference signals. The final proposed CPRA regulations establish several scenarios where businesses must honor opt-out signals despite certain conflicting indications.
The applicable scope for detected opt-out preference signals is also considerably expanded. That is, the final proposed CPRA regulations make clear that an opt-out preference signal, in a format commonly used and recognized by businesses, received from a browser or device associated with a known consumer should be treated as a global opt-out for all sales/sharing of that consumer’s personal information. In this context, a “known consumer” includes a browser or device that the business can associate with a consumer’s profile, including a pseudonymous profile. In addition to complying with opt-out preference signals, businesses that sell or share personal information must also provide one additional opt-out mechanism. The required mechanism will depend on whether the business processes opt-out preference signals in a “frictionless” or non-frictionless manner.
- Non-Frictionless Opt-Out Preference Processing + Opt-Out Links: Businesses that do not process opt-out preference signals in a “frictionless” manner must display on their “Homepages” either the “Do Not Sell or Share My Personal Information Link” leading to an interactive form, or the “Alternative Opt-Out Link” (which can be used as a combined alternative for a business that must offer both opt-out and limitation rights).
- Frictionless Opt-Out Preference Processing + Privacy Policy Disclosures: A business can rely on certain disclosures in its privacy policy in lieu of the aforementioned Homepage link if it processes opt-out preference signals in a “frictionless” manner, and allows the opt-out preference signal to fully effectuate the opt-out request. The final proposed CPRA regulations specify which information must be included in a privacy policy for this purpose.
- Frictionless processing. Under the final proposed CPRA regulations, frictionless processing of opt-out preference signals means the processing of opt-out preference signals without: charging a fee or requiring any other valuable consideration from the consumer; changing the consumer’s experience with the offered product or service; or displaying any pop-up, notification, or other such interstitial content in response to the opt-out preference signal, with some exceptions.
- Due diligence safe harbor. The final proposed CPRA regulations maintain that a business’s due diligence could impact its eligibility for the CPRA safe harbor. The safe harbor shields a business from liability for CPRA violations of another entity to which the business discloses personal information, if the business had no reason to believe, at the time of the disclosure, that the other entity intended to use the information in violation of the CPRA. Whereas earlier drafts of the regulations referred specifically to a business’s due diligence of service providers and contractors, the final proposed CPRA regulations apply this to a business’s due diligence of third parties as well. Specifically, a business’s failure to enforce its contracts with any of these groups, or a business’s failure to audit or test its service providers’ or contractors’ systems, could prevent the business from relying on this safe harbor.
- Third-party disclosures in notice at collection. The final proposed CPRA regulations drop the requirement for businesses to include, in their Notices at Collection, the names or business practices of third parties who control their collection of personal information.
- Agreements with service providers, contractors, and third parties. The final proposed CPRA regulations preserve earlier changes made to the provisions addressing service providers, contractors, and third parties. For instance, language from earlier drafts that limited the scope of service providers’ and contractors’ obligations to apply only to information “received from or on behalf of” a business has been removed. Service providers’ and contractors’ compliance obligations will now apply more broadly to any information collected pursuant to their written contracts with a business, whether or not it was received from or on behalf of the business. Similarly, provisions addressing third parties’ obligations are rephrased to apply to all personal information “made available” to the third party by the business. The FSOR clarifies that this is meant to include information that is both sold to and shared with third parties. Mandatory contractual provisions are now the same for service providers and contractors, and a more limited set of contractual provisions is also required for third-party contracts. The final proposed CPRA regulations also include service providers, contractors, and third parties in the exception for responding to consumer requests that would require disproportionate efforts.
- Authorized agents. Any business entity authorized by a consumer, and not just business entities registered with the Secretary of State to conduct business in California, may submit requests on a consumer’s behalf as an “authorized agent.”
- Responding to a consumer’s request to know. The final proposed CPRA regulations revise certain aspects of the consumer’s right to know. For example, a business must fulfill access requests with personal information it has collected or maintained since January 1, 2022 (instead of only during the 12 months prior to the request), unless the consumer specifies an alternative shorter timeframe. Still, compliance obligations for these requests will be limited to the extent they require disproportionate efforts by the business. Additionally, service providers and contractors may use self-service methods to enable businesses to access personal information about a consumer for purposes of responding to a request to know. Moreover, when a business must correct information that was the subject of a consumer’s previous request to know, the business does not need to disclose to the consumer every specific piece of information it maintains or collects about the consumer. Instead, the business may disclose whatever information is needed to confirm that it has corrected the consumer’s information.
- Enforcement. The CPPA’s enforcement powers under the final proposed CPRA regulations were slightly modified since the November 2022 version. Specifically, the final proposed CPRA regulations now provide the CPPA with discretion to “consider all facts it determines to be relevant” before deciding whether to investigate alleged CPRA violations.
What’s Next
The CPPA has already commenced rulemaking for the next set of topics that were not included in these final proposed CPRA regulations. According to the list of proposed preliminary rulemaking questions included in the CPPA’s February board meeting materials, these topics include cybersecurity audits, risk assessments, and automated decision-making.