Ad Law Access https://www.kelleydrye.com/viewpoints/blogs/ad-law-access Updates on advertising law and privacy law trends, issues, and developments Fri, 26 Apr 2024 23:40:05 -0400

CPRA Rule Revisions Unlikely to be Finalized in 2022 https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-rule-revisions-unlikely-to-be-finalized-in-2022 Mon, 07 Nov 2022 10:33:54 -0500

Just two months before the effective date (January 1, 2023) of the California Privacy Rights Act (“CPRA”), the California Privacy Protection Agency (“CPPA”) Board met on October 28 and 29 to discuss revisions to the agency’s initial draft CPRA regulations. Board members discussed a range of proposed changes that could significantly impact businesses but also reserved discussion on important topics, such as employee and business-to-business data, for future proceedings.

This post provides further details about the rulemaking process, as well as takeaways from the Board’s discussion of key substantive topics, such as restrictions on the collection of personal information and opt-out preference signals. The Board directed CPPA staff to consider and include specific modifications, as discussed below; and on November 3, the CPPA released a further revision of its proposed rules for a 15-day public comment period (the “November 3 Draft Regulations”). The deadline to submit comments is 8:00 am on Monday, November 21.

1. Rule Revisions Likely to be Finalized in Early 2023

The CPPA Board meeting and subsequent developments have provided some clarity about the likely timing of final regulations. (A second Board meeting that had been scheduled for November 4 was canceled.)

Following a review of comments submitted during the current 15-day comment window, the expected next step is for the CPPA to submit a final set of regulations to the Office of Administrative Law (OAL) for review. OAL will have 30 business days, a period that will likely be affected by the upcoming holiday season, to complete its review. This means that the regulations likely will not be finalized until early 2023. But this timeline should also be considered within the context of the delayed implementation provisions in the statute. Although the CPRA’s statutory provisions go into effect on January 1, 2023, section 1798.185(d) of the CPRA provides that “civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date.” (Existing CCPA rules are enforceable before July 1, 2023.)

While the uncertain timing of final regulations adds to the challenges of meeting other privacy compliance deadlines (such as the January 1 effective date of the Virginia Consumer Data Protection Act), businesses may find some cause for relief in the CPPA’s addition of section 7301(b) to the draft regulations: “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”

2. Key Substantive Changes in the November 3 Draft Regulations

The Board discussed and directed several material changes, which CPPA staff incorporated:

  • Restrictions on the Collection and Use of Personal Information (§ 7002): This section would set requirements for the reasonable and proportionate collection, use, retention, and sharing of a consumer’s personal information, as well as the purposes for which such information can be collected. Board members raised concerns about whether the draft regulations went beyond the CPRA’s statutory requirements. The Board explained that the primary purpose of section 7002 is to provide guidance on how the new statutory requirements should be understood by businesses and consumers. The November 3 Draft Regulations, however, do not contain any obvious signs of additional flexibility. The Board also discussed adding language that would require businesses to be reasonable and proportionate in the practices that a consumer consents to; section 7002(d) of the November 3 Draft Regulations expressly states that personal information processing “shall also be reasonably necessary and proportionate to achieve any purpose for which the business obtains the consumer’s consent . . .”
  • Opt-Out Preference Signals (§ 7025): This section requires that any business that sells or shares personal information must process any opt-out preference signal that meets the CPPA’s requirements, which are currently outlined in section 7025(b). The Board requested that staff add language to expressly require businesses to apply opt-out preference signals to pseudonymous profiles, e.g., consumer profiles associated with the browser or device. Section 7025(c)(1) of the November 3 Draft Regulations incorporates such a change.
The Board also asked staff to clarify that if a business asks, and the consumer does not affirm, their intent to withdraw from a financial incentive program, the business may ignore the opt-out preference signal from that consumer with respect to the financial incentive program. While this change appears in the November 3 Draft Regulations, section 7025(c)(4) also provides that a business that does not ask for such an affirmation must apply an opt-out preference signal to the browser, device, “and any consumer profile the business associates with that browser or device.”
  • Requests to Limit Use and Disclosure of Sensitive Personal Information (§ 7027(m)): Board members requested that staff include a statement noting that the use, disclosure, and means of collection of sensitive personal information for purposes that are exempt from Right to Limit requests must be reasonably necessary and proportionate to achieve such purposes listed. The November 3 Draft Regulations include this change in section 7027(m)(8).
3. Other Changes Discussed by the Board

Finally, the Board discussed the following smaller – but still significant – changes:

  • Definitions (§ 7001(b)): This section provides definitions for terms used throughout the draft regulations. The Board recommended adding a definition of “Alternative Opt-Out Link,” which a business can provide instead of posting separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links, as set forth in Cal. Civ. Code §1798.135. The Alternative Opt-Out Link is explained further in section 7015. The Board also recommended clarifying the definition of “right to limit” and adding a definition of “Nonbusiness” to clarify a term that was introduced in the October 21 draft regulations.
  • Notice at Collection of Personal Information (§ 7012): The Board asked staff to consider including in a future rulemaking proposal a revision that would allow businesses to disclose the number of third parties they sell or share information with, as a way to reduce the burden of disclosing the names of third parties in the Notice at Collection. The November 3 Draft Regulations do not include such a change. However, the Draft Regulations continue to provide that a first party and third parties that control collection may provide a “single Notice at Collection that includes the required information about their collective Information Practices.” The “illustrative example” in section 7012(g)(3)(A) suggests that identifying third parties by name is not necessary (and the proposal that specifically identified this option in the CPPA’s initial draft regulations was deleted in its October revisions), provided that the business sufficiently describes the practices of third parties in the Notice at Collection.
  • Requests to Delete (§ 7022(b)(2)): This section provides guidance on how a business, service provider, or contractor shall comply with a request to delete personal information. The Board recommended, and CPPA staff added to the November 3 Draft Regulations, clarifying language that service providers can utilize self-service methods that enable businesses to delete personal information that the service provider or contractor collected. The new regulation more closely conforms to the language in the CPRA. The new language is also more precise as to how the service provider’s or contractor’s obligations apply to the personal information it collected pursuant to a contract with the business.
  • Requests to Correct (§ 7023(d)(1)): This section provides guidance on how a business, service provider, or contractor shall comply with a request to correct. The November 3 Draft Regulations add language that consumers should make a good faith effort to provide businesses with all necessary information and documentation available in connection with their right to correct when they make a request.
  • Requests to Opt-Out (§ 7026(a)(1)): This section requires a business that sells or shares personal information to provide two or more designated methods for submitting requests to opt out of sale/sharing. In the November 3 Draft Regulations, CPPA staff revised this language to clarify that, at a minimum, a business shall allow consumers to submit requests to opt out of sale/sharing through an opt-out preference signal and through one of the following methods: an interactive form accessible via the “Do Not Sell or Share My Personal Information” link, the Alternative Opt-Out Link, or the business’s privacy policy.
Stay tuned for further updates. For previous posts on CPRA regulations, see here and here. We will continue to keep a close watch on further developments relating to CPRA regulations.

Webinar Replay: A Readout Of The California Privacy Protection Agency's Draft Proposed CPRA Regulations https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/webinar-replay-a-readout-of-the-california-privacy-protection-agencys-draft-proposed-cpra-regulations Wed, 15 Jun 2022 17:46:48 -0400

The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations on May 27, 2022.

In this webinar, presented in association with Mondaq, Kelley Drye provided observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and offered strategies to plan efficiently for compliance in the face of these proposals.

Click here to view the webinar recording and click here for the presentation slides.

Join us for our next webinar, State Attorneys General 102, on June 30. Register here.

Find our state privacy law portal and more here.

Subscribe to the Ad Law Access blog to receive real-time updates on privacy and other related matters.

The Ad Law News and Views newsletter provides information on our upcoming events and a summary of recent blog posts and other publications.

Visit the Advertising and Privacy Law Resource Center for additional information, past webinars, and educational materials.

For easy access to all of our webinars, posts and podcasts, download our new Ad Law Access App.


New California Draft Privacy Regulations: How They Would Change Business Obligations and Enforcement Risk https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/new-california-draft-privacy-regulations-how-they-would-change-business-obligations-and-enforcement-risk Mon, 30 May 2022 18:24:04 -0400

On Friday May 27, 2022, the California Privacy Protection Agency (CPPA) Board announced its next public meeting will be on June 8, 2022. The announcement simply stated the date of the meeting, that there are “some discussion items [that] will be relevant to the Agency’s rulemaking work,” and that information on how to attend the meeting and the meeting agenda could be found on the CPPA’s site. It did not take too many Internet sleuths to review the posted agenda, and note that Agenda Item No. 3 was “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action,” and that the posted meeting materials included a copy of the “Draft Proposed CCPA Regulations.” In addition, Agenda Item No. 4 provides for “Delegation of Authority to the Executive Director for Rulemaking Functions.” Full stop, June will be an active month for California privacy rulemaking.

But let’s unpack the surprises in the draft regulations. The 66-page draft proposed CCPA regulations (and they are referred to within the document as CCPA regulations) take a prescriptive approach to privacy obligations. In concept, that is not too surprising. Of concern, in some areas, they uniquely depart from approaches set forth by other state privacy laws. The quiet release of dramatic new obligations while bipartisan Senators reportedly may be reaching consensus on federal privacy legislation that could preempt state law obligations puts companies doing business in California in a difficult position. Do they scramble to operationalize new programs to comply with the CPPA’s new requirements, if finalized? Do they wait on Congress? Do they choose a third path? For now, while these draft rules are certain to change in some respects before they are finalized, they directionally outline a new privacy baseline for the United States. We highlight certain aspects of the draft rules below, with a particular focus on accountability and risk exposure, how data can be shared with other businesses for digital advertising or other functions, and what those business agreements must include to lawfully support such business relationships and comply with the amended CCPA.

Quick and Costly Potential CPPA Enforcement

Consumers, the CPPA, and the California Attorney General’s Office all are empowered to take businesses (and contractors, service providers, and third parties) to task for perceived non-compliance with privacy obligations. Among all of the proposed changes in the draft regulations, the enforcement provisions should cause many companies, regardless of their role, to pause and evaluate whether they’ve allocated sufficient resources to address privacy compliance. While there is no privacy private right of action under the CCPA/CPRA, the draft rules set forth a new, expanded, and fast-tracked form of compliance monitoring and action that could be surprising to many companies, and costly.

First, while there are provisions about requiring consumers to file sworn complaints, the CPPA provides that it can accept and initiate investigations on unsworn and anonymous complaints too. For every sworn complaint, the CPPA must notify the consumer complainant in writing of what actions the Agency has taken or plans to take and the reasons for action or non-action. Because the Agency has to respond to each complaint, this could turn into a routinized process of a high volume of complaints forwarded to businesses, with tight timeframes to respond in writing or else face violations and administrative fines.

The rules provide that there is “probable cause” of a privacy violation if “the evidence supports a reasonable belief that the CCPA has been violated.” There is no mention of extensions of time for good faith reasons. Under the statute, the CPPA can find a violation through a probable cause hearing if it provides notice by service of process or registered mail with return receipt to the company “at least 30 days prior to the Agency's consideration of the alleged violation.” The notice must contain a summary of the evidence and inform the company of its right to be present “in person and represented by counsel.” The “notice” clock starts as of the date of service, the date the registered mail receipt is signed, or, if the registered mail receipt is not signed, the date returned by the post office. It’s possible this process occurs through the forwarding of unverified consumer complaints.

Under the draft rules, a company can request the proceeding be made public if they make a written request at least 10 business days before the proceeding. A company has a right to an in-person proceeding only if it requests the proceeding be made public. Otherwise, the proceeding may be conducted in whole or in part by telephone or video closed to the public. Participants are limited to the company representative, legal counsel, and CPPA enforcement staff. The CPPA serves as prosecutor and arbiter, and the draft rules do not define how the agency preserves its neutrality in its latter role.

The CPPA makes a determination of probable cause at such proceeding “based on the probable cause notice and any information or arguments presented at the probable cause proceeding by the parties.” If a company does not participate or appear, it waives “the right to further probable cause proceedings” (it’s not clear in the draft rules whether that is limited to the facts of that matter, or future alleged violations) and a decision can be made on the information provided to the CPPA (such as through a complainant).

The CPPA then issues a written decision and notifies the company electronically or by mail. Of concern, the draft rules provide that this determination “is final and not subject to appeal.” Under the statute, violations can result in an administrative fine of up to $2500 for each violation, and up to $7500 for each intentional violation or if the violation involves minors. Multiple parties involved can be held jointly and severally liable. It’s conceivable that violations may be calculated on any number of factors that could add up substantially, and as contemplated by these draft rules, there is no process to challenge such judgments, including if there are factual or legal disputes. One can imagine future legal proceedings that challenge a variety of the legal bases for such a structure if these rules are finalized as drafted.

Service Provider Requirements and Restrictions

Data Privacy Addendums Get a Further Tune Up, and Open Question on Whether They Need to be Bespoke. One aspect of state privacy law compliance that has consumed considerable resources and time is the service provider contract. Who is a service provider? What must the contract say? What restrictions apply to service providers (or contractors)? The draft rules continue to add more obligations.

One must have a written contract in place that meets all of the requirements outlined below to even qualify as a service provider or contractor. The contract requirements are very granular, go beyond what most current privacy addendums (or technology provider terms and conditions) look like today, and include:

  • A restriction on selling or sharing the business’s personal information.
  • Identification of the specific business purposes and services for which the business’s personal information is processed, and a statement that such disclosure occurs only for the limited and specified business purposes set forth in the contract. This cannot be stated generally with reference to the agreement, but rather requires a specific description.
    • This language suggests that a one-size-fits-all data processing agreement for all vendors processing personal information for different business purposes or functions might not be sufficient, which is very concerning from a resource and practicality standpoint.
  • A restriction on processing personal information outside of, or for any purpose other than, the business purposes in the contract, including to service a different business, unless permitted by the CCPA. Awkwardly, the proposed rule suggests that all of the specific business purpose(s) and service(s) identified earlier would need to be restated as part of the restrictions.
    • On this last point, the draft rules underscore this specific example: “a service provider or contractor shall be prohibited from combining or updating personal information received from, or on behalf of, the business with personal information that it received from another source unless expressly permitted by the CCPA or these regulations.”
  • A requirement to comply with all applicable provisions of the CCPA, including providing the same level of privacy protection as applicable to businesses, cooperating with the business in handling consumer rights requests, and maintaining reasonable data security.
  • Reasonable audit provisions to ensure CCPA compliance, such as “ongoing manual reviews and automated scans of the service provider’s system and regular assessments, audits, or other technical and operational testing at least once every 12 months.”
  • Notification to the business within 5 business days if the service provider/contractor determines it cannot meet its obligations.
  • A right for the business to take reasonable steps to stop and remediate any unauthorized use of personal information by the service provider/contractor, such as “to provide documentation that verifies that [the service provider/contractor] no longer retain[s] or use[s] the personal information of consumers that have made a valid request to delete with the business.”
  • A provision that the business will notify the service provider/contractor of any consumer rights request and provide the information necessary for the service provider/contractor to comply with the request.
In addition to the contract, the draft rules emphasize that these cannot just be words on paper that diverge from actual practices. Section 7051(e) notes in particular that, in assessing compliance, the CPPA can evaluate whether the business conducted any due diligence to support a reasonable belief of privacy compliance, and whether and how the business enforces its contract terms, including performing audits. If there is non-compliance, both parties can be held jointly and severally liable.

The Limitations on Internal Use of Customer Data by a Service Provider/Contractor. The draft rules provide that a service provider/contractor is restricted from using customer personal data for its own purposes, except for internal use to build or improve the quality of its services, provided that the service provider/contractor does not use the personal information to perform services on behalf of another person in a manner not permitted under the CCPA. This language is notably different from the governing CCPA rules. The examples outlined below, together with the admonition above that the service provider cannot combine or update personal information received from another source unless permitted by the CCPA, make it ambiguous as to when updating personal information crosses the line. The examples suggest that where such functions are intended to facilitate personalized advertising or data sales, they would not fit within a service provider/contractor role.

Use for Analysis/Data Hygiene (Sometimes). The draft rules set forth two examples that seem to allow some analysis and data correction under particular circumstances. For example, the first illustration emphasizes that the service provider/contractor can analyze how a business customer’s consumers interact with company communications to improve overall services, and the second example highlighted that a service provider/contractor can use customer data to identify and fix incorrect personal information that, as a result, would improve services to others. The draft rules underscore, however, that a service provider/contractor could not compile (e.g., enrich/append) personal information for the purpose of sending advertising to another business or to sell such personal information.

Data Security/Fraud Prevention. Consistent with the statute, the draft rules allow service providers/contractors to use and combine customer personal information “[t]o detect data security incidents or protect against malicious, deceptive, fraudulent or illegal activity.”

Other Legal Purposes. The draft rules acknowledge that a service provider/contractor can use customer data to comply with other laws, lawful process, to defend claims, if the data is deidentified or aggregated, or does not include California personal information.

Advertising Service Provider Functions Look Limited. The draft rules acknowledge that a business can engage a service provider/contractor for advertising/marketing services if the services do not combine opted-out consumer data from other sources. The draft rules also affirmatively reiterate that an entity that provides cross-contextual behavioral advertising is a third party and not a service provider/contractor.

  • As an example of what would cross the line, the draft rules provide that a service provider/contractor can provide non-personalized advertising based on aggregated or demographic information (ads based on gender, age range, or general geographic location), but could not, for example, share the business’s customer information with a social media platform to “identify users on the social media company’s platform to serve advertisements to them.” This example is stated without qualification as to what commitments the platform has provided on its own use of and restrictions on such data, or whether and how any other permitted “business purposes” under the CPRA may apply.
  • In another example, the draft rules provide that an advertising agency can be a service provider/contractor by providing contextual advertising services. Again, this example is set forth without reference to any other business purposes that may apply. However, one wonders whether the enforcement structure may inhibit broader interpretations where functions involve personalized advertising and analytics.
Third Parties that “Control the Collection” of Personal Information

Notice at Collection. The draft rules contain new language that, in the context of “notice at collection,” provides that when more than one party controls personal information collection, such as in connection with digital advertising, all such parties must provide a very detailed “notice at collection” that accounts for all parties’ business practices. As an example:

  • A “first party may allow another business, acting as a third party, to control the collection of personal information from consumers browsing the first party’s website. Both the first party that allows the third parties to collect personal information via its website, as well as the third party controlling the collection of personal information, shall provide a notice at collection.”
Both parties also would need to honor opt outs of sale/sharing, and the “notice at collection” would need to include “the names of all the third parties that the first party allows to collect personal information from the consumer,” or the first party can include in its “notice at collection” the information provided by the third party that would meet all of the requirements about its business practices. For example, a company that has a third party analytics tag on its website would need to post a conspicuous link to its “notice at collection” about the analytics company’s information practices on its homepage and all webpages that include the tag collecting personal information. The analytics company also would need to post a “notice at collection” on its website’s homepage. These requirements also apply offline, where applicable.

Honoring Opt Outs. Section 7051 provides that third parties are directly obligated to honor opt outs, including as conveyed through a global privacy signal or otherwise on a first-party business’s site hosting the third party’s tag collecting personal information, unless the first-party business informs the third party that the consumer has consented to the sale/sharing, or “the third party becomes a service provider or contractor that complies with the CCPA and these regulations.”

  • This latter provision is interesting because it suggests implicit support for frameworks, such as IAB’s LSPA, where a contract that contains commitments around use of personal data post-opt outs can support a continued service provider role.
The first-party business would also be required to “contractually require the third party to check for and comply with a consumer’s opt-out preference signal unless informed by the business that the consumer has consented to the sale or sharing of their personal information.” A contract must be in place with the first party in order for the third party to lawfully collect and use personal information collected from the first party site by a third party. The contract would need to comply with all of the express requirements for such third party contracts under the CCPA. As with service providers/contractors, these contract provisions are very detailed, and due diligence and accountability provisions are also required.

* * *

There is a lot to consider and while all of these provisions remain subject to further changes, it is clear that the draft rules suggest a more exacting expectation as to privacy compliance by companies doing business in California or otherwise with California residents, and an expansive new set of obligations to tighten such compliance within the information supply chain. We will cover in future blog posts how these draft rules contemplate other business obligations, including as to obligations around obtaining consent, privacy policies, responses to consumer privacy rights, the use of sensitive personal information, and mechanics of complying with opt out of sales/shares, and global privacy controls. If you are interested in submitting comments in the rulemaking process or have questions about privacy compliance, please reach out to members of Kelley Drye’s privacy team.

JOIN US

A Readout of the California Privacy Protection Agency's Draft Proposed CPRA Regulations

Separately, join us as Kelley Drye privacy lawyers provide observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and will offer strategies to plan efficiently for compliance in the face of these proposals. Register here.

CPRA Update: California Legislature Makes Technical Changes to CPRA https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-update-california-legislature-makes-technical-changes-to-cpra Thu, 14 Oct 2021 12:54:09 -0400

Last week, California’s Governor Gavin Newsom signed into law AB 694, which makes a few technical changes to the California Privacy Rights Act (CPRA). The relevant changes to the CPRA are summarized below.
  • As defined in the CPRA, “personal information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. The bill modifies the definition of “publicly available” by removing the apparently superfluous language “or by the consumer.” The change to the definition in the CPRA is as follows:
    • “‘[P]ublicly available’ means: information . . . lawfully made available . . . or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media[, or by the consumer – stricken]; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.”
  • The bill changes when the California Privacy Protection Agency will assume responsibility for rulemaking from the “earlier” to the “later” of two dates: July 1, 2021 or six months after the Agency provides notice to the Attorney General that it is prepared to begin rulemaking. The change in the CPRA is as follows (deleted language is shown in double brackets, followed by the replacement language):
    • “The agency shall perform the following functions: . . . (b) On and after the [[earlier]] later of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking responsibilities under this title, adopt, amend, and rescind regulations pursuant to Section 1798.185 to carry out the purposes and provisions of the California Consumer Privacy Act of 2018 . . . .”
  • The bill also adds an exemption to the consumer’s right to opt out of the sale of their personal information by a third party. A consumer cannot opt out when the information pertains to “vessel information” and ownership information shared between a “vessel dealer” and a manufacturer, if such information is shared for certain purposes. The bill adds definitions for the terms “vessel information” and “vessel dealer.”
We will continue to monitor and report on CPRA developments as they occur.


CPRA Update: How to Prepare for Privacy Compliance as an Employer
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-update-how-to-prepare-for-privacy-compliance-as-an-employer
Sun, 20 Jun 2021 08:10:53 -0400

Last year’s voter guide to California Proposition 24, the California Privacy Rights Act (CPRA), included a stark argument against enacting the privacy ballot initiative because it did not go far enough to protect employee privacy. “Currently, employers can obtain all kinds of personal information about their workers and even job applicants,” the argument against Proposition 24 written by Californians for Privacy Now stated. “Proposition 24 allows employers to continue secretly gathering this information for more years to come…”

The message did not stick. Voters overwhelmingly enacted the CPRA, apparently judging that its provisions – including those that apply to employers – were worth an additional two-year waiting period. The effective date of the new law is January 1, 2023.

As companies build their roadmap to CPRA compliance, that assessment should also take into account planning for employee and job applicant privacy changes. The new law imposes first-in-the-nation obligations that grant employees and job applicants new rights to access, correct, delete, and opt out of the sale or sharing of their personal information. The law also prohibits discriminating against employees or job applicants who lodge privacy rights requests.

In this post, we provide an overview of topics that employers should know as the sunset of the employer exception to CCPA approaches.

Why Would CCPA Apply to Employers?

The California Consumer Privacy Act of 2018 (CCPA), which became effective on January 1, 2020, originally applied to employers. The law defines a “consumer” as a natural person who is a California resident. This includes employees, job applicants, contractors, or other staff of a business.

In 2019, the California legislature amended the CCPA with a stopgap measure – for one year, the CCPA would not apply to employers. The measure, AB 25, said that personal information collected by a business in the course of the person acting as an employee, job applicant, or contractor in connection with the consumer’s employee, job applicant, or contractor role is exempt from the CCPA. Also exempt is emergency contact information or information necessary to administer benefits.

Last year, California voters extended the employer exemption for another two years to January 1, 2023 in the CPRA ballot initiative.

What Employers are Covered by California Privacy Law?

If a business is covered by the CCPA for consumer data, it is covered for employee data. Starting in January 2023, a business is covered under the CPRA if it meets any of the following thresholds:

  • Has annual gross revenues in excess of $25 million in the preceding calendar year,
  • Buys, sells, or shares the personal information of 100,000 or more California consumers or households, or
  • Derives 50 percent or more of its annual revenues from selling or sharing California consumers’ personal information.
Some employers may be eligible for certain exemptions that are applicable to already-regulated information that they hold about their employees. For example, credit information that employers routinely collect to assess employment eligibility may be subject to an exception, because the information is already covered under federal fair credit reporting laws.

Employers that have existing obligations as business associates under the Health Insurance Portability and Accountability Act (HIPAA) may also be exempt with respect to any medical information, protected health information (PHI), or covered benefits information that they maintain, use, or disclose.

In general, employers are also not required to comply with CPRA obligations that conflict with other federal, state, or local laws or legal obligations, or that restrict an employer’s ability to exercise or defend legal claims. For example, affirmative legal obligations to gather and maintain certain information, such as EEO-1 reports or compensation-related information, may directly conflict with CPRA.

What Constitutes Employee Personal Information?

The definition of employee “personal information” includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular employee.

This may include name, contact information, identifiers, protected classifications (like gender, race, or sexual orientation), financial or medical information, account login, religious or philosophical beliefs, union membership, commercial information, biometric information, internet or electronic network activity information, geolocation data, audio, electronic, visual, thermal, olfactory, or similar information, professional or employment-related information, education information, and inferences drawn from any of this information about the employee.

The contents of an employee’s mail, email, and text messages constitute sensitive personal information, a sub-category of personal information, unless the employer is the intended recipient of the communication.

What Obligations Apply Starting in January 2023?

All CPRA obligations apply. These include:

  • Notice: Employers will be required to provide a comprehensive notice of their collection of personal information from employees, job applicants, and contractors, including a description of the categories of personal information collected, the purposes of collection, details on disclosure of personal information, and information about retention of personal information.
  • Right to access: Provide employees with a right to access categories of personal information and specific pieces of personal information. This includes any inferences drawn from personal information to create a profile reflecting the employee’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  • Right to correct: Provide employees with the right to correct their personal information using commercially reasonable efforts.
  • Right to delete: Provide employees the right to delete their personal information. However, numerous statutory exemptions may apply, including allowing an employer to retain personal information reasonably anticipated by the employee within the context of an ongoing relationship with the employer, to perform a contract between the employee and employer, or to comply with a legal obligation.
  • Right to restrict uses of sensitive personal information: Sensitive personal information includes a social security number, account login, financial information, geolocation, racial or ethnic origin, religious beliefs, sexual orientation, health information, biometrics, and the contents of employee communications unless the employer is the intended recipient of the communication. Starting in January 2023, an employee may be able to direct an employer to limit certain uses of sensitive personal information to specific business purposes, as well as to direct an employer to limit disclosure of sensitive personal information, absent a qualifying exemption.
  • Right to opt out: Provide employees the right to opt out of the sale of personal information to third parties. The term “sale” is a broad term, and includes disclosing employee information to business partners, vendors, and contractors absent a written agreement containing specific terms restricting the third party’s use of that data, or a qualifying exemption.
Certain obligations are subject to change depending on action expected in the coming year from the newly constituted California Privacy Protection Agency.

What Steps Should Employers Take to Prepare?

Given the complexity of HR data and systems, as well as the sensitivity of employee data generally, it is not too early for employers to prepare for CPRA. Such efforts might include, for example:

  • Privacy Stakeholders: Determine the legal, HR, and technology support (internal resources or external technology solutions) responsible for the efforts necessary to build a privacy compliance program and respond to privacy rights requests.
  • Data Mapping: Understand the information that the business collects, the categorization of data (whether personal information or sensitive personal information), the location of the data, and the steps to access, correct, or delete the data. A major part of this effort should also include determining which data practices identified are subject to applicable exemptions from CPRA.
  • Contract Review: Review partner contracts to correctly distinguish service providers and contractors from third parties, and to confirm that the contracts include the necessary restrictions for each classification. This effort might prioritize those partners that present more risk to the company, whether due to the nature of the processing or the type or volume of data in scope. Updating these contracts, however, might wait until there is more insight on the forthcoming CPRA regulations by the California Privacy Protection Agency (CalPPA) as to necessary terms, although the CCPA regulations are instructive.
  • Response Procedures: Develop procedures for responding to employee requests, including managing sensitive requests while maintaining personal information as confidential and accessible to internal personnel only on a need-to-know basis.
  • Retention Policy: Develop and document a retention policy that complies with applicable employer data retention obligations.
  • Notice: Draft an employee privacy policy that complies with new statutory obligations under CPRA, as well as forthcoming regulations by the CalPPA.
Do Any of These Obligations Apply Now?

Employers may have an obligation to provide a notice at or before collection of personal information that details the categories of personal information that they collect and the purposes for which personal information will be used.

However, due to an apparent drafting error in the CPRA ballot initiative, this privacy notice obligation is muddled by a textbook case of unclear statutory construction.

Here’s what happened. Originally, AB 25 required employers to provide a privacy notice to employees. However, the CPRA ballot initiative from last year changed a critical code section reference in an apparent drafting error. In so doing, the CPRA ballot initiative left unclear whether the employer privacy notice is required.

AB 25 said that employers would be required to provide a privacy notice based on Cal. Civ. Code 1798.100(b). The CPRA ballot initiative changed the reference to Cal. Civ. Code 1798.100(a). It is possible that the drafters intended to point to subsection (a) because in the CPRA ballot initiative this code section also requires a privacy notice. But the CPRA ballot initiative version of the code section is not actually the law until January 1, 2023.

That’s a problem because under current law (effective until December 31, 2022), Cal. Civ. Code 1798.100(a) talks about a different topic entirely – giving consumers the right to request that a business disclose the categories and specific pieces of personal information the business has collected about a consumer.

What is a reasonable interpretation in light of this problem? When it comes to statutory interpretation of ballot initiatives, courts generally say that the drafter’s intent does not matter. In California, usually a court first looks at the language of the statute. If the language is not ambiguous, the court presumes the voters intended the meaning apparent from the language. If the language is ambiguous, then courts usually look at the ballot initiative voter materials for clues on how voters made their decision.

It is easy to see why a court might agree that the language is ambiguous. The employer exception clearly does not provide a right of employees to access their personal information until January 1, 2023. Giving full effect to 1798.100(a) would be hampered by the fact that the CCPA’s core instructions on how to provide access to personal information and what to provide are subject to the employer exemption.

This brings us back to the ballot initiative materials provided to voters. The arguments against Proposition 24 from Californians for Privacy Now warn that employers will be able to secretly gather personal information “for more years to come.” Clearly, there is no recognition in the ballot initiative materials of any interim employee rights.

Bottom line? The law right now is unclear, and so, as a practical matter, it’s a best practice (and required in a few other states) to publish a privacy notice for employees and job applicants.

Final Question: Do Employers Have Privacy Obligations in Other States?

There are no other states that have enacted CPRA-style comprehensive privacy laws that apply to employees; for example, Virginia and Colorado explicitly exempted the employment context without a sunset. But there are some states, such as Connecticut, that do require some form of privacy notice to employees. There are also two-party consent requirements in a number of states that are applicable to recording calls, as well as laws that require disclosure about electronic monitoring.

Conclusion

The best way to navigate these developments is to plan ahead with a compliance roadmap leading to 2023. Figure out what resources you’ll need, including what types of internal and external support will be critical for success. Given the complexities involved, thoughtful (and realistic) preparation is a must.

* * *

CPRA Update: How to Prepare for Privacy Compliance as an Employer

Subscribe here to Kelley Drye’s Ad Law Access blog and here for our Ad Law News and Views newsletter. Visit the Advertising and Privacy Law Resource Center for update information on key legal topics relevant to advertising and marketing, privacy, data security, and consumer product safety and labeling.

Kelley Drye attorneys and industry experts provide timely insights on legal and regulatory issues that impact your business. Our thought leaders keep you updated through advisories and articles, blogs, newsletters, podcasts and resource centers. Sign up here to receive our email communications tailored to your interests.

Follow us on LinkedIn and Twitter for the latest updates.

CPRA Update: CalPPA Gets Started with Inaugural Meeting and Agenda
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-update-calppa-gets-started-with-inaugural-meeting-and-agenda
Mon, 07 Jun 2021 14:16:58 -0400

Just a few months after California officials announced the nominations of the inaugural Board members of the California Privacy Protection Agency (“CalPPA”), the CalPPA released the agenda for its first board meeting on June 14, 2021. The meeting will be held remotely in accordance with California Executive Order N-29-20, but the public may still participate via videoconference or telephone.

Why the June 14 Meeting Is Significant: While much of the CalPPA’s June 14 agenda focuses on administrative tasks, such as open meeting requirements, the Administrative Procedures Act, conflicts of interest, and subcommittee assignments, this meeting is also expected to mark the CalPPA’s first public steps toward developing California Privacy Rights Act (“CPRA”) regulations. Notably, according to the agenda, the CalPPA plans to provide official notice to California Attorney General Rob Bonta that the Board will assume rulemaking authority as of July 1, 2021, pursuant to CPRA Section 1798.199.40(b). The CalPPA may issue new CPRA regulations as well as “adopt, amend, and rescind regulations” under the CCPA.

What’s Ahead: The CalPPA has until July 1, 2022 to adopt final regulations under the CPRA, and businesses will need to closely track these developments as they design their compliance strategy for CPRA (including how to leverage existing CCPA compliance and harmonize compliance with Virginia’s new privacy law). The CPRA calls for regulations on a vast array of issues, which could materially impact compliance strategies. The topics include:

  • Opt-Outs for Sale, Sharing, and Profiling, and Limiting Use of Personal Information: CPRA grants the CalPPA the authority to adopt regulations that further define consumers’ opt-out rights, and to adopt regulations that define “intentional interactions,” which in turn define the scope of exceptions to “sale” and “sharing.” The CalPPA is also charged with issuing rules about “profiling” opt-out rights, and this area is worth watching closely because it is not aligned with Virginia’s new privacy law. CPRA defines “profiling” as the “automated processing of personal information, . . . to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” A profiling opt-out under CPRA could apply to any first-party data use that meets this definition. (The narrower profiling opt-out right under the Virginia Consumer Data Protection Act is limited to the “furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”)
  • Other aspects of opt-out rights that could be initial rulemaking targets include (a) “technical specifications” for global privacy controls, along with the potential addition of a feature to indicate that the user is under the age of 13 or between 13 and 15 years old; (b) standards for consent to sell or share personal information, or use or disclose sensitive personal information, for businesses that respond to opt-out signals; and (c) “harmonizing” CCPA rules governing privacy notices, opt-out mechanisms, and “other operational mechanisms” to “promote clarity and functionality . . . for consumers.”
  • Access Requests: CPRA directs the CalPPA to define the scope of responses to consumer requests for specific pieces of personal information. CPRA suggests that these regulations may exclude system log and other information that “would not be useful to the consumer,” as well as define authentication standards for access to sensitive personal information.
  • Business Purposes: It also is possible that the CalPPA will focus initially on “further defining” business purposes for which contractors and service providers may combine personal information from multiple businesses, and whether there are some functions that may relate to interest-based advertising, for example, that can still be within a service provider scope.

While the CPRA’s substantive provisions will not be effective until January 2023, the earlier businesses have insight on how the CalPPA will potentially address these and other areas in the new regulations, the more time there will be to craft, build, and roll out compliance strategies. Stay tuned for further updates. We will continue to keep a close watch on further developments with the Board and the CalPPA’s activities.

How to Join CalPPA’s Initial Meeting:

To join the meeting by Zoom videoconference: https://zoom.us/j/94536763262

To join the meeting by telephone: 1 (669)900-9128; Webinar ID: 945 36763262


CPRA Update: What is a “Contractor?”
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-update-what-is-a-contractor
Thu, 03 Jun 2021 09:32:11 -0400

The California Privacy Rights Act (CPRA), effective January 1, 2023, adds “contractors” to the list of entities that a business may entrust with customer data. So what is a “contractor?” And how are “contractors” different from other entities described by California privacy law, such as “service providers” or “third parties?”

As it turns out, the answer is surprising. Contractors are nearly identical to service providers, with just two differences: contractors are not data processors; and contractors must make a contractual certification in CCPA contracts. Moreover, contractors are not even new entities, and were already described in existing California privacy law.

Origins of “Contractors” in CCPA

To help explain the origins of the new contractor classification, we start with the California Consumer Privacy Act (CCPA). Under the CCPA, now in effect, each disclosure of personal information from a covered business to another entity is regulated, either via consumer opt out preferences or via contractual restrictions. Altogether, there are three potential data flows described in the CCPA: business to third party, business to service provider, and business to a person who is not a third party. We describe each in turn:

  • Business to Third Party: First, when a business discloses personal information to a third party, this constitutes the “sale” of personal information (unless an exception applies, such as in the context of an intentional disclosure). The CCPA grants consumers the right to opt out of such sales of their personal information to prevent these data flows.
As an example, selling a marketing list to a third party or sharing profile information with an adtech partner in most cases would be considered a sale of personal information to a third party.
  • Business to Service Provider: Second, when a business discloses personal information to a service provider, no “sale” occurs and there is no right of consumers to opt out. The requirements for the recipient to be a service provider are that (1) the service provider processes personal information on behalf of the business, and (2) the service provider agrees to retain, use, or disclose the personal information only for business purposes specified in a written contract.
Service providers provide technical, professional, and other business support to the business. For example, a service provider might offer various services such as cloud-based servers or software, consulting, or e-commerce fulfillment services.
  • Business to a Person Who Is Not a Third Party: Finally, there is a rarely discussed third option in the CCPA. The CCPA states that any recipient of personal information that agrees to certain enhanced contractual terms is not a third party. This third category requires that the recipient agree to contractual terms that mirror service provider contractual terms, along with three additional terms: (1) to refrain from selling the personal information, (2) to refrain from retaining, using, or disclosing the information outside the direct business relationship between the recipient and the business, and (3) to certify that the recipient understands the above contractual restrictions.
This third option is significant to avoid the “sale” of personal information. If the recipient is not a third party, then a sale can only occur if the recipient is a “business” under CCPA. In many cases, the recipient will not be a business either, typically because the recipient does not determine the purposes and means of processing the personal information.

As an example, if an authorized reseller furnishes a manufacturer with a list of new orders for fulfillment, and the manufacturer agrees to use the list only to fulfill orders, the manufacturer is not a third party. Because the manufacturer does not determine the purposes and means of processing the personal information it receives, the manufacturer is not acting as a “business.” No sale occurs.

Similarly, if an identity verification service sends personal information to a company to assist that company with confirming the identity of an applicant for service, and the company agrees contractually to limit its use and disclosure of the information for business purposes, the recipient is not a third party or business and no sale occurs from the identity verification service to the business.

Here’s a summary of the entities that may receive personal data under the CCPA:
Third Party (1798.140(w)):
  • Sale? Yes.
  • Processor Terms: N/A.
  • Contractual Terms: N/A.

Service Provider (1798.140(v)):
  • Sale? No.
  • Processor Terms: The service provider processes personal information on behalf of the business.
  • Contractual Terms: Retain, use, or disclose personal information only for business purposes.

Person Is Not a Third Party (1798.140(w)(2)):
  • Sale? No, unless the recipient is a “business.”
  • Processor Terms: N/A.
  • Contractual Terms:
    • Retain, use, or disclose personal information only for business purposes.
    • Refrain from selling the personal information.
    • Refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
    • Certify understanding of and compliance with the above restrictions.

“Contractors” in CPRA

When CPRA becomes effective on January 1, 2023, the new law will incorporate these same classifications of entities that receive personal information.

  • Third Party: A third party continues to be a recipient of sales of personal information. A third party that offers cross-context behavioral advertising can now be the recipient of “sharing” of personal information, as well.
  • Service Providers: Service providers remain entities that process personal information on behalf of a business pursuant to a written contract. CPRA clarifies, however, that a service provider may receive the personal information either directly from or on behalf of the business.
Service providers now inherit terms that only applied to a person who is not a third party in the CCPA. These terms require service providers to agree to (1) refrain from selling personal information and (2) refrain from retaining, using, or disclosing the information outside the direct business relationship between the service provider and the business.
  • Contractors: The new term “contractor” refers to a person to whom the business makes available a consumer’s personal information for a business purpose and pursuant to a written contract. This classification largely mirrors CCPA’s classification of a person who is not a third party. In particular, similar to CCPA, contractors are still required to certify their understanding and compliance with contractual restrictions.
One key difference, however, is that CPRA makes clear that a contractor is never the recipient of a “sale” or “sharing” of personal information under CPRA. Classification as a contractor means there is not a “sale” of personal information.

Additionally, for both service providers and contractors, CPRA adds three new contractual terms:

  • Combination of Personal Information: CPRA adds new contractual restrictions that limit how personal information from a business may be combined with personal information received from other businesses or directly from consumers. Further guidance on this issue is expected as part of the CPRA rulemaking process.
  • Contract Compliance Monitoring: CPRA adds an obligation on businesses to monitor contractors and service providers for compliance with CPRA contract terms.
  • Sub-processor Obligations: CPRA indicates that service providers and contractors must enter into similar CPRA contracts with any sub-processors that handle personal information, and provide notice to the business of each sub-processor.
The following chart summarizes these obligations, with comparisons to CCPA:
CCPA Service Provider (1798.140(v)):
  • Sale? No.
  • Processor Terms: The service provider processes personal information on behalf of the business.
  • Common Contractual Terms in CCPA & CPRA: Retain, use, or disclose personal information only for business purposes.
  • New CPRA Contractual Terms: N/A.

CPRA Service Provider (1798.140(ag)):
  • Sale? No.
  • Processor Terms: The service provider processes personal information on behalf of the business.
  • Common Contractual Terms in CCPA & CPRA:
    • Retain, use, or disclose personal information only for business purposes.
    • Refrain from selling the personal information.
    • Refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
  • New CPRA Contractual Terms:
    • Restriction on combination of personal information.
    • Duty to monitor compliance.
    • Sub-processor obligations.

CCPA Person Is Not a Third Party (1798.140(w)(2)):
  • Sale? No, unless the recipient is a business.
  • Processor Terms: N/A.
  • Common Contractual Terms in CCPA & CPRA:
    • Retain, use, or disclose personal information only for business purposes.
    • Refrain from selling the personal information.
    • Refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
    • Certify understanding of and compliance with the above restrictions.
  • New CPRA Contractual Terms: N/A.

CPRA Contractor (1798.140(j)):
  • Sale? No.
  • Processor Terms: N/A.
  • Common Contractual Terms in CCPA & CPRA:
    • Retain, use, or disclose personal information only for business purposes.
    • Refrain from selling the personal information.
    • Refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
    • Certify understanding of and compliance with the above restrictions.
  • New CPRA Contractual Terms:
    • Restriction on combination of personal information.
    • Duty to monitor compliance.
    • Sub-processor obligations.

As reflected above, the contractor classification is not new or significantly different from the service provider classification. When compared with a service provider, the only differences are that contractors (1) do not process data on behalf of the business, and (2) certify compliance with contractual restrictions.

Accordingly, in determining which types of contract terms to have in place in various data flow scenarios, it is possible that contractor terms will be used in a more limited way where the recipient of data is not processing personal information on behalf of a data owner.

Here are some examples:

  • Sharing customer identifiers in certain product fulfillment use cases.
  • Agreements involving joint operations on data.
  • Integration agreements to enable independently-performed services on behalf of a common customer.
  • Data services offered to a business with restrictions on use of the data for limited business purposes.
In these scenarios, the parties to the transaction may be able to leverage the “contractor” classification to avoid a “sale” of personal information.

If you have questions about the benefits or drawbacks of the contractor classification under CPRA, please contact attorneys in the Information Privacy and Data Security practice group at Kelley Drye.

* * *

Kelley Drye's Ad Law Access Blog - adlawaccess.com

Subscribe here to Kelley Drye’s Ad Law Access blog and here for our Ad Law News and Views newsletter. Visit the Advertising and Privacy Law Resource Center for update information on key legal topics relevant to advertising and marketing, privacy, data security, and consumer product safety and labeling.

Kelley Drye attorneys and industry experts provide timely insights on legal and regulatory issues that impact your business. Our thought leaders keep you updated through advisories and articles, blogs, newsletters, podcasts and resource centers. Sign up here to receive our email communications tailored to your interests.

Follow us on LinkedIn and Twitter for the latest updates.

California Privacy Protection Agency Appointments Announced https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-privacy-protection-agency-appointments-announced https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-privacy-protection-agency-appointments-announced Wed, 17 Mar 2021 21:29:25 -0400 California officials today announced their nominees to be the five inaugural members of the California Privacy Protection Agency (“CPPA”) Board. Created by the California Privacy Rights Act ("CPRA"), the CPPA will become a powerful, state-level privacy regulator long before its enforcement authority becomes effective in 2023, and today’s appointments move the CPPA one large step closer to beginning its work. This post provides an overview of the CPPA’s authority, examines the issues that might be on its agenda, and outlines a few ways companies can start to get ready for potential regulations.

Inaugural Appointees

The five inaugural nominees of the CPPA Board are:

  • Jennifer Urban, who was appointed as Chair of the CPPA by Governor Gavin Newsom. Urban is a clinical professor at UC Berkeley School of Law.
  • John Christopher Thompson, who was appointed by Governor Newsom and is Senior Vice President of Government Relations at LA 2028.
  • Angela Serra, who was designated by California Attorney General Xavier Becerra. Serra served in a wide range of roles in the California Department of Justice, including overseeing the Consumer Protection Section’s Privacy Unit.
  • Lydia de la Torre, who was nominated by Senate President Pro Tem Toni Atkins. De la Torre is a professor of law at Santa Clara University.
  • Vinhcent Le, who was designated by Assembly Speaker Anthony Rendon.

The announcement indicates that Urban’s and Thompson’s appointments do not require Senate confirmation.

The CPPA’s Next Milestones

Although the CPPA’s administrative enforcement authority does not become effective until July 1, 2023, the agency is poised in the meantime to become a powerful regulatory and supervisory authority, akin to a European data protection authority. Key dates in the near term are:

  • July 1, 2021: CPPA takes over rulemaking authority from the California Attorney General.
  • July 1, 2022: Deadline for the CPPA to adopt final regulations required by CPRA.

Which Regulations Does CPRA Require the CPPA to Issue?

Section 21 of CPRA (codified in Civil Code section 1798.185) adds fifteen new areas of CCPA implementation to be spelled out in regulations, on top of the seven areas that were defined under the initial CCPA. (CPRA also amends existing areas of rulemaking authority. For example, it grants more specific authority to prescribe standards for opt-out mechanisms.)

Although CPRA requires the CPPA to adopt final regulations in these areas by July 1, 2022, it would not be surprising to see the agency set priorities, as the Attorney General’s Office did initially under the CCPA. These priorities could include fundamental elements of the CCPA:

  • Opt-Outs for Sale, Sharing, and Profiling, and Limiting Use of Personal Information: CPRA grants the CPPA the authority to adopt regulations that further define consumers’ opt-out rights. Specifically, the agency is directed to adopt regulations that define “intentional interactions,” which in turn define the scope of exceptions to “sale” and “sharing.” The CPPA is also charged with issuing rules about “profiling” opt-out rights, and this area is worth watching closely because it is not aligned with Virginia’s new privacy law or the current text of the Washington Privacy Act. CPRA defines “profiling” as the “automated processing of personal information, . . . to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” A profiling opt-out under CPRA could apply to any first-party data use that meets this definition. The profiling opt-out right under the Virginia Consumer Data Protection Act is narrower: it is limited to the “furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” (The profiling opt-out proposed in the Washington Privacy Act is substantively identical to Virginia’s opt-out.) Other aspects of opt-out rights that could be initial rulemaking targets include (a) the definition of “technical specifications” for a global platform- or browser-based opt-out mechanism, with the potential addition of a feature to indicate that the user is under the age of 13 or between 13 and 15 years old; (b) standards for consent to sell or share personal information, or use or disclose sensitive personal information, for businesses that respond to opt-out signals; and (c) “harmonizing” CCPA rules governing privacy notices, opt-out mechanisms, and “other operational mechanisms” to “promote clarity and functionality . . . for consumers.”
  • Access Requests: CPRA directs the CPPA to define the scope of responses to consumer requests for specific pieces of personal information. CPRA suggests that these regulations may exclude system log and other information that “would not be useful to the consumer,” as well as define authentication standards for access to sensitive personal information.
  • Business Purposes: Finally, it is possible that the CPPA will focus initially on “further defining” business purposes for which contractors and service providers may combine personal information from multiple businesses.

Defining CPPA’s Supervisory Authority

The CPPA will also have considerable supervisory authority. Section 1798.185(15) authorizes the CPPA to issue regulations defining audits and risk assessments for businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security.”

Separately, the CPPA must appoint a Chief Privacy Auditor to audit businesses’ compliance with the CCPA. The Auditor’s role will be defined almost entirely through regulations, and the statutory guidance on these regulations is scant: The CPPA will define the “scope and process of the agency’s audit authority,” establish criteria for selecting audit targets, and establish protections against disclosure for the information the auditor collects.

As with other areas of CPPA rulemaking, it is unclear when the agency will turn to establishing the Chief Privacy Auditor’s authority. However, it is worth noting now that the Auditor’s authority is potentially sweeping, as well as considering how a CCPA compliance program will look when it is under the Auditor’s microscope.

Today’s appointments are an important milestone in the development of a new breed of U.S. privacy regulator. We will keep a close watch on further developments with the Board and the CPPA’s activities.

CCPA Update: California AG Proposes Fourth Set of Changes to CCPA Regulations https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ccpa-update-california-ag-proposes-fourth-set-of-changes-to-ccpa-regulations https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ccpa-update-california-ag-proposes-fourth-set-of-changes-to-ccpa-regulations Thu, 10 Dec 2020 19:10:44 -0500 The California Attorney General’s office announced a fourth set of proposed modifications to the CCPA regulations. These modifications: (1) clarify the requirement for businesses that sell personal information that is collected offline to provide offline opt-out notices; and (2) propose an opt-out button for businesses to feature online along with opt-out notices and the “Do Not Sell My Personal Information” link.

Clarifying offline opt-out notice requirements. The modifications proposed in October required that any business that collected personal information offline provide notice via an offline method of the consumer’s opt-out right.

  • The modified regulations now specify that businesses that sell personal information that they collect “in the course of interacting with consumers offline” must provide an offline notice of the consumer’s right to opt-out, and provide instructions for how the consumer can opt out.
  • The same examples of providing notice on a paper form, posting a sign in a store, or giving an oral notice over the phone still apply.
While not explicitly stated in the proposal, this modification suggests that businesses that collect personal information offline, but do not sell that personal information, are not required to provide an offline opt-out notice, even if the business separately sells personal information that it collects online. In response to the October proposal, numerous comments indicated that requiring an opt-out notice when the business did not sell information collected offline could potentially confuse consumers.

Proposing an optional opt-out button. After delaying the introduction of the opt-out button in the first set of CCPA regulations, the Attorney General’s office has proposed the following blue button for businesses to use in addition to providing an opt-out notice and “Do Not Sell My Personal Information” link:

Use of the button does not absolve a business from posting the opt-out notice or link where otherwise required. Where a business posts a “Do Not Sell My Personal Information” link, the business must also include the button to the left of the link (as shown above) in “approximately the same size as any other buttons used by the business on its webpage.” The button must link to the same landing page as the “Do Not Sell My Personal Information” link itself.

Process and Timing. The deadline to submit written comments to the proposed modifications is 5:00 PM PST on December 28, 2020. The regulations have been a continued work in progress for the Attorney General’s office since their first publication in October 2019. We will continue to monitor any further changes and will provide updates on the blog.

_________________________

Hear Alysa Hutnik and Aaron Burstein discuss some of the overarching CPRA issues and a few particular issues that caught their attention on the Ad Law Access podcast.

Listen on Apple, Spotify, Google Podcasts, SoundCloud, via your smart speaker, or wherever you get your podcasts.

It’s Here: California Voters Approve the CPRA https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/its-here-california-voters-approve-the-cpra https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/its-here-california-voters-approve-the-cpra Wed, 04 Nov 2020 17:25:01 -0500 On Tuesday, November 3, 2020, California voters passed ballot Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”). Also known as CCPA 2.0, CPRA brings a number of changes to the CCPA, the majority of which will become operative on January 1, 2023. In addition to revising some of the definitions that are fundamental to commercial relationships under the CCPA (e.g., the definition of “sale” and “service provider”), CPRA provides additional consumer rights, incorporates data minimization and certain other principles from the General Data Protection Regulation, and establishes a new California Privacy Protection Agency, which will become the state’s privacy regulator and share enforcement oversight with the State Attorney General’s Office.

In a previous blog post about CPRA, we provided a general overview of the differences between CPRA and CCPA. Now that CPRA has passed, we provide a more detailed look at some of its key provisions:

Sharing and Selling.

The CPRA introduces the term “sharing” as a distinct activity from “selling” personal information. Sharing is defined as disclosing or otherwise communicating a consumer's personal information for “cross-context behavioral advertising” – defined as ad targeting based on information obtained about a consumer across different apps or services – whether or not for monetary or other valuable consideration, including transactions between a business and a third party. Consumers have the right to opt out of the sharing of their personal information with third parties.

Why It Matters: Although California’s law will remain opt-out-based, the expansion to “sharing” may have a large impact on digital marketing contracts, and will expand businesses’ opt-out obligations. For instance, businesses that determined that their disclosures of personal information for ad-related purposes do not constitute “sales” because the exchanges do not involve valuable consideration may need to revisit those decisions. Businesses that engage in “selling” or “sharing” will also need to provide or update their opt-out links and processes to provide consumers with a “Do Not Sell or Share My Personal Information” choice.

Consumer Rights.

CPRA creates several new consumer rights and protections:

  • Right to Correct. Under CPRA, consumers have the right to correct inaccurate personal information the business holds about them. This mirrors the right to correction under the GDPR.
  • Automated Decision Making. Consumers also have a right to opt out of the use of their personal information for automated decision making, which includes “profiling” in connection with evaluations or decisions about a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. The consumer also has a right to access “meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.”
  • Right to Restrict Use of Sensitive Personal Information. CPRA also regulates the use of “sensitive personal information,” which includes precise geolocation data, race, religion, sexual orientation, social security numbers, and certain health information outside the context of HIPAA. Consumers may limit the use and disclosure of sensitive personal information for certain “secondary” purposes, including prohibiting businesses from disclosing sensitive PI to third parties, subject to certain exemptions.
  • Right to Data Portability. Consumers may request that the business transmit specific pieces of personal information to another entity in a structured, commonly used and machine-readable format.
Why It Matters: Many businesses will likely need to implement new processes to accommodate these new consumer rights.

Service Providers and Contractors.

CPRA adds new requirements to qualify as a “service provider” and introduces the parallel category of “contractor.” A business “makes available” personal information to a contractor; a service provider receives personal information from or on behalf of a business and processes the information on behalf of that business. The CPRA imposes substantively similar contractual and direct obligations on contractors and service providers, and also requires contractors to certify that they understand and will comply with such contractual obligations.

In addition, CPRA imposes a number of new requirements on service providers and contractors:

  • Data Silos. Service providers and contractors must keep separate any data they obtain about a consumer in the course of assisting a business with advertising and marketing from other data they obtain about the consumer from other sources.
  • Marketing Services. The CPRA clarifies that a service provider or contractor can provide advertising and marketing services, but not cross-context behavioral advertising.
  • Contractual Terms. The business and service provider/contractor must enter into a written agreement that includes specific terms outlined in CPRA, similar in concept to GDPR Art. 28.
  • Subcontractors. Service providers and contractors must notify businesses of any engagement with a sub-service provider or subcontractor and must bind those parties to the same written terms that apply between businesses and service providers.
Why It Matters: Companies will need to review their service provider/contractor terms to determine whether they include the requisite contractual terms, and review the scope of their services to ensure they do not provide cross-context behavioral advertising. These efforts come on the heels of updates to such agreements that many companies made relatively recently in response to CCPA obligations.

* * *

Finally, most CPRA provisions will become operative on January 1, 2023. However, a few provisions, including the extension of the employee and B2B exceptions through the end of 2022, will become operative as soon as the administrative process of recording California’s vote is complete. In the meantime, businesses must comply with the CCPA and its implementing regulations. (As discussed in this post, the California Attorney General has proposed several modifications to the regulations.) Please contact any of the attorneys in Kelley Drye’s Privacy Group if you would like assistance in California privacy compliance.

California Privacy Legislation Round-Up: Gov. Newsom Signs CCPA Employee Exemption Extension, Vetoes Others https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-privacy-legislation-round-up-gov-newsom-signs-ccpa-employee-exemption-extension-vetoes-others https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-privacy-legislation-round-up-gov-newsom-signs-ccpa-employee-exemption-extension-vetoes-others Thu, 01 Oct 2020 22:16:56 -0400 Prior to the September 30 deadline to sign or veto legislation, California Governor Gavin Newsom recently took action on three bills related to data privacy. Bringing some potential certainty to the dynamic CCPA landscape, Governor Newsom signed into law AB 1281, which provides for the extension of the CCPA’s exemptions related to employee data until January 1, 2022. In 2019, the Legislature exempted from the CCPA collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, and contractors until January 1, 2021. Notably, AB 1281 only goes into effect if California voters do not approve the California Privacy Rights Act (CPRA) ballot initiative on November 3rd.

However, Governor Newsom vetoed two other privacy bills that would have tightened data- and service-specific regulations beyond the CCPA’s standards. Citing the risk of unintended consequences during the COVID-19 pandemic, Governor Newsom nixed SB 980, which would have created heightened privacy and security requirements for genetic data handled by direct-to-consumer genetic testing and analysis companies. Instead, Governor Newsom directed the state’s Health and Human Services Agency and Department of Public Health to work with the Legislature to identify “a solution that achieves the privacy aims of the bill while preventing inadvertent impacts on COVID-19 testing efforts.”

The second vetoed bill, AB 1138, would have required companies that offer “social media” services to obtain parental consent before allowing a user who companies actually know to be under the age of 13 to create an account. In his veto message, Governor Newsom explained that AB 1138 “would not meaningfully expand protections for children,” but indicated that he is “open to exploring ways to build upon current law to expand safeguards for children online.”

Privacy developments in California this year are unlikely to end with the Legislature’s session. As we have discussed, the November 3rd vote on CPRA could have far-reaching implications for California privacy law. With the election only 33 days away, we will continue to monitor and post relevant updates.

Ad Law Access Podcast - California Privacy Rights Act (CPRA) https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/the-california-privacy-rights-act-cpra https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/the-california-privacy-rights-act-cpra Mon, 06 Jul 2020 18:51:56 -0400 As covered in this blog post, on June 24, 2020, the Secretary of State of California announced that the California Privacy Rights Act (CPRA) had enough votes to be eligible for the November 2020 general election ballot. CPRA is a ballot initiative, which, if adopted, would amend and augment the California Consumer Privacy Act (CCPA) to increase and clarify the privacy rights of California residents. The result is a law that is closer in scope to robust international privacy laws, such as the GDPR.

On the latest episode of the Ad Law Access Podcast, Privacy partner Alysa Hutnik discusses the initial highlights of CPRA and provides some takeaways to help you begin to understand this new California privacy development.

Listen on Apple, Spotify, Google Podcasts, SoundCloud or wherever you get your podcasts.

CCPA 2.0 Gets Closer to Reality: CPRA Eligible for November 2020 Ballot; How Does it Compare to CCPA? https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/on-june-24-2020-the-secretary-of-state-of-california-announced-that-the-california-privacy-rights-act-cpra-had-enough-votes-to-be-eligible-for-the-november-2020-general-election-ballot https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/on-june-24-2020-the-secretary-of-state-of-california-announced-that-the-california-privacy-rights-act-cpra-had-enough-votes-to-be-eligible-for-the-november-2020-general-election-ballot Thu, 25 Jun 2020 19:33:21 -0400 On June 24, 2020, the Secretary of State of California announced that the California Privacy Rights Act (CPRA) had enough votes to be eligible for the November 2020 general election ballot. CPRA is a ballot initiative, which, if adopted, would amend and augment the California Consumer Privacy Act (CCPA) to increase and clarify the privacy rights of California residents. The result is a law that is closer in scope to robust international privacy laws, such as the GDPR. For more information on the CCPA, please see our posts here.

To be eligible for the November 2020 ballot, CPRA needed to obtain over 623,212 verified signatures. If passed by a simple majority of California voters in November, as is looking likely, the CPRA will become effective on January 1, 2021, with most compliance obligations required by January 1, 2023. With the exception of the access right, the CPRA would apply only to personal information collected after January 1, 2022. Additionally, the CPRA would extend the CCPA’s temporary business to business exemption and employee data exemptions (which are scheduled to sunset on January 1, 2021) until January 1, 2023.

Until January 1, 2023, businesses would need to comply with the CCPA and any finalized regulations in force (which could mean both CCPA and CPRA regulations). The Attorney General would preserve its authority to issue CCPA regulations and enforcement during this period, and a new privacy agency would be formed with its own rulemaking and enforcement authority.

For more information on the comparison between CCPA and CPRA, please see our chart below. While there are no immediate action items, companies may benefit from reviewing the CPRA requirements to assess what changes may be necessary should the ballot pass. And a reminder -- the CCPA enforcement date is set for July 1, 2020, although it is not yet clear whether the CCPA regulations will be effective by then; the Office of Administrative Law’s review remains pending. Please contact any of the attorneys in Kelley Drye’s Privacy Group if you would like assistance in California privacy compliance.
Comparison of CCPA and CPRA

“Business” Threshold
  • CCPA: $25 million annual revenue; or 50,000+ consumers; or 50% of annual revenue derived from selling consumers’ personal data.
  • CPRA: $25 million annual revenue; or buys, sells or shares 100,000+ consumers or households; or 50% of annual revenue derived from selling or sharing consumers’ personal data.

Operative date
  • CCPA: January 1, 2020.
  • CPRA: January 1, 2023, and applies only to personal information collected on or after January 1, 2022, except with regard to access requests.

Employee and B2B exemptions
  • CCPA: Sunsets January 1, 2021.
  • CPRA: Sunsets January 1, 2023.

“Sold” and “Shared” Definitions
  • CCPA: “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … for monetary or other valuable consideration.
  • CPRA: The term “sold” is broadened to “sold or shared.” This change is accompanied by a change in the definition of what it means to sell, which removes the carve-out for sharing personal information with a service provider (although this point is addressed in a more narrow definition of “third party”).

Service Providers and Contractors
  • CCPA: A Service Provider is an entity “that processes information on behalf of a business … provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business...”
  • CPRA: Introduces new requirements to qualify as a “service provider” and adds a new definition of a “contractor” that mirrors the definition of a service provider. Clarifies and provides additional requirements regarding service providers’ use of the data, such as a requirement that service providers silo the data they learn about a consumer from other sources (this is more restrictive than the AG CCPA regulations). Requires contractual terms, similar to the GDPR.

Consent
  • CCPA: Consent is not required in the CCPA. However, the definition of sale contains guidance regarding “intentional interactions.”
  • CPRA: Consent is defined as any freely given, specific, informed and unambiguous indication of the consumer's wishes by which he or she… signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose. Introduces the concept of “dark patterns,” defined as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, as further defined by regulation. Agreement obtained through use of dark patterns does not constitute consent.

Sensitive information
  • CCPA: Does not contain separate provisions for sensitive information (other than increased verification requirements).
  • CPRA: Contains disclosure, opt-out, and purpose limitation requirements for sensitive information.

Automated Decision-Making
  • CCPA: N/A
  • CPRA: Introduces the concept of “profiling.” Calls for regulations requiring businesses' responses to access requests to include meaningful information about the logic involved in such profiling, as well as a description of the likely outcome of the process with respect to the consumer.

Right to Correct
  • CCPA: N/A
  • CPRA: Gives consumers the right to correct inaccurate information.

Opt Out of Targeted Advertising
  • CCPA: The CCPA does not restrict targeted advertising if it can be conducted without “selling” data.
  • CPRA: Providing advertising or marketing services is a business purpose, but this does not include “Cross-Context Behavioral Advertising,” a newly defined term to describe ads targeted to consumers based on a profile or predictions about the consumer related to the consumer’s activity over time and across multiple businesses or distinctly-branded services, websites or applications. Contains a broader opt-out provision (for both “sale” and “sharing”) and specifically limits service providers from engaging in any “cross-context behavioral advertising.”

Retention
  • CCPA: The CCPA does not contain any requirements that businesses disclose their retention practices to consumers.
  • CPRA: Businesses must disclose, at the time of collection, the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period. A business cannot retain personal information for longer than is reasonably necessary for that disclosed purpose.

GDPR Concepts
  • CCPA: N/A
  • CPRA: Contains language to promote the following GDPR principles: data minimization, purpose limitation, and the duty to avoid secondary use.

Enforcement
  • CCPA: Enforced by the Attorney General. Allows a 30-day period to cure violations.
  • CPRA: Establishes the California Privacy Protection Agency, which would have a broad scope of responsibilities and enforcement powers. Security breaches include email/password/challenge questions. Modifies the 30-day cure period to apply to a private right of action for security breach violations, rather than for general privacy violations of the law. Fines for violations involving children’s personal data are tripled.

CCPA Update: Final Regulations Submitted but No Changes from Prior Draft https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ccpa-update-final-regulations-submitted-but-no-changes-from-prior-draft https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ccpa-update-final-regulations-submitted-but-no-changes-from-prior-draft Tue, 02 Jun 2020 23:20:30 -0400 On June 2, California Attorney General Xavier Becerra announced that he had submitted final CCPA regulations to the Office of Administrative Law (OAL) for review. The final regulations are substantively identical to the second set of modified proposed regulations, which the AG released in March. In addition, the AG issued a Final Statement of Reasons that (1) explains the changes between the first draft and final regulations, and (2) is accompanied by Appendices that respond to each public comment received throughout the rulemaking process – including written comments submitted in response to each draft of proposed regulations and those provided at the four public hearings held in December 2019.

We have described below some of the key provisions of the final regulations, which will impose additional requirements on businesses, service providers, and third parties and data brokers, and likely require the design and implementation of new processes. Whatever hardship the regulations may cause, it is clear that the AG is prioritizing consumer privacy, explaining that the office “has made every effort to limit the burden of the regulations while implementing the CCPA” and does not believe the regulations are “overly onerous or impractical to implement, or that compliance would be overly burdensome or would stifle businesses or innovation.”

BUSINESSES

Privacy Policy: Privacy policies will need to identify the categories of personal information disclosed for a business purpose or sold to a third party in the preceding 12 months and provide on a per category basis the categories of third parties to whom the information was disclosed or sold. With respect to how a business describes these categories, the AG explained in the response to public comments that “the regulations provide the business with discretion in determining the best way to communicate the required information and … the flexibility to craft the notices and privacy policy in a way that the consumer understands them.” This response clarifies that this list of categories need not follow verbatim the list provided in the CCPA’s definition of personal information, but should prioritize terms that are meaningful to consumers.

Annual Privacy Policy Disclosures: The regulations will require that businesses that buy, receive for their commercial purposes, sell, or share for commercial purposes the personal information of 10 million or more California residents in a calendar year disclose the following by July 1, 2021, based on data collected after the regulations take effect:

  1. The number of requests to know that the business received, complied with in whole or in part, and denied;
  2. The number of requests to delete that the business received, complied with in whole or in part, and denied;
  3. The number of requests to opt out that the business received, complied with in whole or in part, and denied; and
  4. The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt out.

The business may compile and disclose this information for all individuals, but must be able to provide statistics on California residents to the AG on request.

User-Enabled Privacy Controls: Businesses must honor privacy controls that clearly communicate or signal that the consumer intends to opt out of the sale of personal information. When “a global user-enabled privacy control conflicts with a consumer’s existing business-specific privacy setting, the business may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific setting.” Further, as to do-not-track signals, the AG responded to comments by noting that “the regulations do not prescribe a particular mechanism or technology but is [sic] technology-neutral in support of innovation in privacy services to facilitate consumers’ exercise of their right to opt-out.” The AG adds that the “regulations do not prohibit a business from responding and respecting a user’s [browser] ‘do not track’ signal…. If a business chooses to treat a 'do not track' signal as a useful proxy for communicating a consumer’s privacy choices…, the regulations do not prohibit this mechanism. The intention of the regulation was to encourage innovation and development of technological solutions to facilitate and govern the submission of a [sale opt-out] request.”

According to the Final Statement of Reasons, the requirement to honor user-enabled privacy controls is “necessary to prevent businesses from subverting or ignoring consumer tools related to their CCPA rights.” As support for this point, the FSOR notes that the AG reviewed businesses’ disclosures about their responses to DNT signals, which are required under the California Online Privacy Protection Act, and concluded that businesses will very likely ignore or reject a global privacy control if the regulation permits discretionary compliance.

The final regulations also clarify that opt-out requests do not need to be verified.
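The two mechanisms described above, honoring a user-enabled opt-out signal (including the conflict case with an existing business-specific setting) and keeping the tally needed for the annual disclosure metrics, as an added example that is not part of the original post or of the AG's regulations. It is written for a Node.js request handler and assumes the business chooses to treat the real browser headers Sec-GPC: 1 (Global Privacy Control) and DNT: 1 (Do Not Track) as sale opt-out signals, a choice the regulations leave to the business; the setting names, request-type keys and sample values are constructed here.

```javascript
// Added example, not from the blog post or the AG's regulations.
// Assumptions: this business chooses to treat the browser headers
// "Sec-GPC: 1" (Global Privacy Control) and "DNT: 1" (Do Not Track)
// as sale opt-out signals; the setting names, request-type keys and
// sample data below are constructed for illustration.

// Header name/value pairs this business recognises as an opt-out signal.
const OPT_OUT_SIGNALS = [
  { header: 'sec-gpc', value: '1' },
  { header: 'dnt', value: '1' },
];

// True when any recognised signal is present. Header names are matched
// case-insensitively, as HTTP requires.
function hasGlobalOptOutSignal(headers) {
  const lowered = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  return OPT_OUT_SIGNALS.some(s => lowered[s.header] === s.value);
}

// existingSetting is the business-specific choice on record for this
// consumer: null (none), 'opt-out', or 'opt-in' (the consumer allowed
// sale on this site). No identity check is made here, since opt-out
// requests need not be verified.
function resolveSaleOptOut(headers, existingSetting) {
  if (!hasGlobalOptOutSignal(headers)) {
    return { saleAllowed: existingSetting !== 'opt-out', notifyConflict: false, reason: 'no-signal' };
  }
  if (existingSetting === 'opt-in') {
    // The global signal conflicts with a site-specific setting. The safe
    // default chosen here is to honour the opt-out now and flag the
    // conflict so the consumer can be asked to confirm the site setting.
    return { saleAllowed: false, notifyConflict: true, reason: 'conflict' };
  }
  return { saleAllowed: false, notifyConflict: false, reason: 'global-signal' };
}

// Tally for the annual disclosure: per request type, how many were
// received, complied with (in whole or in part) and denied, plus the
// days taken to respond so the median or mean can be reported.
function newMetrics() {
  const bucket = () => ({ received: 0, complied: 0, denied: 0, responseDays: [] });
  return { know: bucket(), delete: bucket(), optOut: bucket() };
}

function recordRequest(metrics, type, outcome, responseDays) {
  const m = metrics[type];
  if (!m) throw new Error(`unknown request type: ${type}`);
  if (outcome !== 'complied' && outcome !== 'denied') throw new Error(`unknown outcome: ${outcome}`);
  m.received += 1;
  m[outcome] += 1;
  m.responseDays.push(responseDays);
  return metrics;
}

function median(xs) {
  if (xs.length === 0) return null;
  const s = [...xs].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

function mean(xs) {
  return xs.length ? xs.reduce((a, b) => a + b, 0) / xs.length : null;
}

// Produces, for each request type, the figures the regulations list.
function summarise(metrics) {
  const out = {};
  for (const [type, m] of Object.entries(metrics)) {
    out[type] = {
      received: m.received,
      complied: m.complied,
      denied: m.denied,
      medianDays: median(m.responseDays),
      meanDays: mean(m.responseDays),
    };
  }
  return out;
}

// Constructed sample: a request carrying GPC against a stored opt-in,
// and three opt-out requests recorded for the annual tally.
const sampleDecision = resolveSaleOptOut({ 'Sec-GPC': '1' }, 'opt-in');
const sampleMetrics = newMetrics();
recordRequest(sampleMetrics, 'optOut', 'complied', 1);
recordRequest(sampleMetrics, 'optOut', 'complied', 3);
recordRequest(sampleMetrics, 'optOut', 'denied', 8);
```

The conflict branch is the design decision the regulations leave open: the text says a business "may" notify the consumer and let them confirm the business-specific setting, so the example defaults to treating the global signal as a valid opt-out until that confirmation happens, rather than continuing to sell while the prompt is pending.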

Financial Incentives: Businesses must obtain opt-in consent before offering a “financial incentive” for the collection, sale, or deletion of personal information. By statute, a financial incentive must be “directly related” to the value provided by the consumer’s personal information to the business, and the regulations require that the notice of financial incentive describe, among other things, (1) the incentive and its terms, (2) how consumers who have accepted a financial incentive may opt out, and (3) how the incentive is reasonably related to the value of consumers’ data, along with a good-faith estimate of the value of consumers’ data, and the method used to calculate that value. (However, in response to comments, the AG stated that the requirement to disclose the method used excludes privileged information as to why the business chose a particular method.) The regulations give several examples of how to calculate a financial incentive.

The regulations also clarify that, if the financial incentive is unrelated to the collection, sale, or deletion of personal information (e.g., a “store opening” sale), it does not fall under these financial incentive requirements.

SERVICE PROVIDERS

Internal Use: The regulations require that service providers use the personal information they receive from businesses “to process or maintain personal information on behalf of the business ... and in compliance with the written contract for services required by the CCPA,” except in certain narrowly-defined circumstances, such as building or improving the quality of their services. Notably, those internal purposes do not include using the personal information for a service provider’s own commercial purposes, to build consumer profiles, or to update personal information acquired from another source.

With respect to the concept of matching, the Final Statement of Reasons underscores that the regulation’s use of “data” (rather than personal information) in this provision is intentional to “encompass the use of personal information acquired from a business to re-identify de-identified consumer information acquired from another source.”

Interest-Based Advertising: In response to comments asking the AG to codify regulations to prevent service providers from using a consumer’s personal information “for secondary purposes,” the AG explained that it modified Section 999.314(c) “to prohibit service providers from using, retaining, and disclosing personal information outside of directly providing services to the business that has the direct relationship to the consumer.” The AG further explained that, as to ads shown on websites, “[t]he CCPA allows a service provider to furnish advertising services to the business that collected personal information from the consumer, and such ads may be shown to the same consumer on behalf of the same business on any website…. Prohibiting a service provider from placing such ads is also unnecessary because the CCPA would not prohibit the business’s own marketing department from placing the same ads itself. This provision of advertising services, however, does not relieve the service provider from its obligation to not share the personal information of the consumer with third parties and does not allow the service provider to use the personal information to provide advertising services to other businesses.”

Contract Terms: In response to comments, the AG also clarified that neither the CCPA nor the regulations specify any mandatory contract language that must appear in agreements with service providers, so long as the substantive requirements are addressed.

Collection: The regulations and Final Statement of Reasons provide that service providers do not lose their status as service providers merely because they collect consumers’ personal information, if that collection is performed at the business’s direction and on behalf of that business. In response to comments, the AG also stated that the regulations do not expressly prohibit service providers from combining personal information from multiple sources, provided such combination is consistent with a business purpose and in the context of a contractual relationship. However, the AG warned that, to “the extent that the comment proposes that collective employment of a service provider is permissible, ... such a blanket exception may sweep too broadly and be exploited to thwart the intent of the CCPA.”

Subcontractors: The regulations provide that service providers may hire subcontractors, as long as the subcontractors meet all the requirements for a “service provider” set forth in the CCPA and the regulations.

Service Provider vs. Third Party Definition: In response to comments seeking clarity between the terms in Cal. Civ. Code § 1798.140(v) and (w), the AG explained that these provisions create two types of parties that process personal information under a contract with a business: “service providers” and persons who are not “third parties.” The AG explained that it was not necessary to change the regulations “because the two different definitions serve related, but different purposes. The definition of service provider … establishes a role and requirements for sole proprietorships and corporate entities in which the transfer of information from a business to them is not deemed a sale. Relatedly, Civil Code § 1798.140(w)(2)(a) excludes from the definition of sale transfers to persons who meet the requirements in that subsection. If an entity qualifies as a service provider, it need not also attempt to qualify as a non-third party person under subsection (w)(2)(a).” This language thus clarifies that a certification with a service provider is not necessary.

Consumer Requests: A service provider that receives a request to know or delete from a consumer must either act on behalf of the business in responding to the request, or inform the consumer that it cannot act on the request because it is a service provider. Service providers do not need to provide the consumer with contact information for the business, as the AG determined that such a requirement may be overly burdensome, particularly when a service provider provides services for many businesses that may have submitted personal information about the same consumer.

THIRD PARTIES AND DATA BROKERS

Notice at Collection: If a third party or data broker will sell personal information that it did not receive directly from a consumer, it must provide notice of its privacy practices to that consumer. It can satisfy this requirement by registering with the AG as a data broker and providing a link to its privacy policy in such registration.

ODDS AND ENDS

Cookie Banners Not Required: In response to comments seeking clarification on this point, the AG responded that the regulations do “not require a cookie banner, but rather leave[] it to businesses to determine the formats that will best achieve the result in particular environments. In addition, § 999.305(a)(3) provides additional guidance and illustrative examples on making the notice readily available to consumers.”

Trade Secret Defense: The AG rejected commenters’ requests to eliminate the obligation to provide a good faith estimate of the value of consumers’ data due to trade secret concerns, responding that it was unclear how such data or method could be a “trade secret” that “[d]erives independent economic value … from not being generally known to the public” and “[i]s the subject of efforts that are reasonable under the circumstances to maintain its secrecy…,” or would result in competitive harm. The AG concluded that the potential for harm is mitigated because all similarly situated competitors in California will be bound by the same disclosure requirements, and that neither federal nor state law provide absolute protection for trade secrets.

CPRA: In response to comments requesting that the AG defer regulations until after the CPRA initiative to avoid wasting resources, the AG responded that the “CPRA has not been enacted. If, in the future, statutes are enacted that require modification of the regulations, the OAG will review and modify the regulations as necessary.”

***

The Office of Administrative Law now has 30 working days, plus an additional 60 calendar days due to the COVID-19 pandemic, to review the submission and confirm compliance with the California Administrative Procedure Act and corresponding regulations. OAL will then either approve the rulemaking action and file the proposed regulation with the Secretary of State or disapprove the rulemaking action.

The Attorney General has filed a written request for expedited review from OAL, meaning that the regulations could become effective on July 1, 2020. In support of this request, the AG states that it “is mindful of the challenges imposed by COVID-19 and [the] Executive Order ... granting additional time to finalize proposed regulations,” but “respectfully requests that the Office of Administrative Law complete its review within 30 business days, given the statutory mandate for regulations” by July 1. It is unclear whether OAL will grant this request. As of Tuesday evening, the regulations are not yet listed as “under review.”

If the request is denied, and the final regulations are filed with the Secretary of State on or before August 31, they will take effect on October 1, 2020. If that filing occurs after August 31, the regulations will not take effect until January 1, 2021.

The immediate next step for companies is to take a close look at the regulations, evaluate what changes they will need to make, and map out a compliance checklist and timeline. Companies should also be mindful about approaching some of these requirements that offer discretion in implementation, and determining whether certain options may pose greater exposure to the company than others. Please contact any of the attorneys in Kelley Drye’s Privacy Group if you would like assistance.

]]>