Ad Law Access
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Updates on advertising law and privacy law trends, issues, and developments
Wed, 01 May 2024 17:22:17 -0400

CPRA Rule Revisions Unlikely to be Finalized in 2022
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-rule-revisions-unlikely-to-be-finalized-in-2022
Mon, 07 Nov 2022 10:33:54 -0500

Just two months before the effective date (January 1, 2023) of the California Privacy Rights Act (“CPRA”), the California Privacy Protection Agency (“CPPA”) Board met on October 28 and 29 to discuss revisions to the agency’s initial draft CPRA regulations. Board members discussed a range of proposed changes that could significantly impact businesses but also reserved discussion on important topics, such as employee and business-to-business data, for future proceedings.

This post provides further details about the rulemaking process, as well as takeaways from the Board’s discussion of key substantive topics, such as restrictions on the collection of personal information and opt-out preference signals. The Board directed CPPA staff to consider and include specific modifications, as discussed below; and on November 3, the CPPA released a further revision of its proposed rules for a 15-day public comment period (the “November 3 Draft Regulations”). The deadline to submit comments is 8:00 am on Monday, November 21.

1. Rule Revisions likely to be Finalized in Early 2023

The CPPA Board meeting and subsequent developments have provided some clarity about the likely timing of final regulations. (A second Board meeting that had been scheduled for November 4 was canceled.)

Following a review of comments submitted during the current 15-day comment window, the expected next step is for the CPPA to submit a final set of regulations to the Office of Administrative Law (OAL) for review. OAL will have 30 business days to complete its review, a window that will likely be stretched by the upcoming holiday season. This means that the regulations likely will not be finalized until early 2023. But this timeline should also be considered within the context of the delayed enforcement provisions in the statute. Although the CPRA’s statutory provisions go into effect on January 1, 2023, section 1798.185(d) of the CPRA provides that “civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date.” (Existing CCPA rules remain enforceable before July 1, 2023.)

While the uncertain timing of final regulations adds to the challenges of meeting other privacy compliance deadlines (such as the January 1 effective date of the Virginia Consumer Data Protection Act), businesses may find some cause for relief in the CPPA’s addition of section 7301(b) to the draft regulations: “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”

2. Key Substantive Changes in the November 3 Draft Regulations

The Board discussed and directed several material changes, which CPPA staff incorporated:

  • Restrictions on the Collection and Use of Personal Information (§ 7002): This section would set requirements for the reasonable and proportionate collection, use, retention, and sharing of a consumer’s personal information, as well as the purposes for which such information can be collected. Board members raised concerns about whether the draft regulations went beyond the CPRA’s statutory requirements. The Board explained that the primary purpose of section 7002 is to provide guidance on how the new statutory requirements should be understood by businesses and consumers. The November 3 Draft Regulations, however, do not contain any obvious signs of additional flexibility. The Board also discussed adding language that would require businesses to be reasonable and proportionate even in the practices that a consumer consents to, and section 7002(d) of the November 3 Draft Regulations now expressly states that personal information processing “shall also be reasonably necessary and proportionate to achieve any purpose for which the business obtains the consumer’s consent . . .”
  • Opt-Out Preference Signals (§ 7025): This section requires that any business that sells or shares personal information must process any opt-out preference signal that meets the CPPA’s requirements, which are currently outlined in section 7025(b). The Board requested that staff add language to expressly require businesses to apply opt-out preference signals to pseudonymous profiles, e.g., consumer profiles associated with the browser or device. Section 7025(c)(1) of the November 3 Draft Regulations incorporates such a change.
The Board also asked staff to clarify that if a business asks a consumer to affirm their intent to withdraw from a financial incentive program and the consumer does not do so, the business may disregard that consumer’s opt-out preference signal with respect to the financial incentive program. While this change appears in the November 3 Draft Regulations, section 7025(c)(4) also provides that a business that does not ask for such an affirmation must apply the opt-out preference signal to the browser, the device, “and any consumer profile the business associates with that browser or device.”
  • Requests to Limit Use and Disclosure of Sensitive Personal Information (§ 7027(m)): Board members requested that staff include a statement that the use, disclosure, and means of collection of sensitive personal information for purposes that are exempt from Right to Limit requests must be reasonably necessary and proportionate to achieve those listed purposes. The November 3 Draft Regulations include this change in section 7027(m)(8).
3. Other Changes Discussed by the Board

Finally, the Board discussed the following smaller – but still significant – changes:

  • Definitions (§ 7001(b)): This section provides definitions for terms used throughout the draft regulations. The Board recommended adding a definition of “Alternative Opt-Out Link,” which a business can provide instead of posting separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links, as set forth in Cal. Civ. Code § 1798.135. The Alternative Opt-Out Link is explained further in section 7015. The Board also recommended clarifying the definition of “right to limit” and adding a definition of “Nonbusiness” to clarify a term that was introduced in the October 21 draft regulations.
  • Notice at Collection of Personal Information (§ 7012): The Board asked staff to consider including in a future rulemaking proposal a revision that would allow businesses to disclose the number of third parties they sell or share information with, as a way to reduce the burden of disclosing the names of third parties in the Notice at Collection. The November 3 Draft Regulations do not include such a change. However, the Draft Regulations continue to provide that a first party and third parties that control collection may provide a “single Notice at Collection that includes the required information about their collective Information Practices.” The “illustrative example” in section 7012(g)(3)(A) suggests that identifying third parties by name is not necessary (and the proposal that specifically identified this option in the CPPA’s initial draft regulations was deleted in its October revisions), provided that the business sufficiently describes the practices of third parties in the Notice at Collection.
  • Requests to Delete (§ 7022(b)(2)): This section provides guidance on how a business, service provider, or contractor shall comply with a request to delete personal information. The Board recommended, and CPPA staff added to the November 3 Draft Regulations, clarifying language that service providers and contractors may use self-service methods that enable businesses to delete personal information the service provider or contractor collected. The new language more closely conforms to the CPRA and is more precise as to how the service provider’s or contractor’s obligations apply to the personal information it collected pursuant to a contract with the business.
  • Requests to Correct (§ 7023(d)(1)): This section provides guidance on how a business, service provider, or contractor shall comply with a request to correct. The November 3 Draft Regulations add language that consumers should make a good faith effort to provide businesses with all necessary information and documentation available in connection with their right to correct when they make a request.
  • Requests to Opt-Out (§ 7026(a)(1)): This section requires a business that sells or shares personal information to provide two or more designated methods for submitting requests to opt-out of sale/sharing. In the November 3 Draft Regulations, CPPA staff revised this language to clarify that, at a minimum, a business shall allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through one of the following methods: an interactive form accessible via the “Do Not Sell or Share My Personal Information” link, the Alternative Opt-Out Link, or the business’s privacy policy.
Stay tuned for further updates. For background, see our previous posts on the CPRA regulations. We will continue to keep a close watch on further developments relating to CPRA regulations.

On Notice: “Notice at Collection” and Privacy Policy Requirements Under the CPPA’s Draft Regulations
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/on-notice-notice-at-collection-and-privacy-policy-requirements-under-the-cppas-draft-regulations
Thu, 30 Jun 2022 07:06:28 -0400

Among the many details to absorb in the draft amendments to the CCPA regulations published by the California Privacy Protection Agency (“CPPA”) on May 27 (the “Draft Regulations”) are new and prescriptive disclosure requirements for notices at collection and privacy policies. While these disclosure provisions (and all of the other provisions of the Draft Regulations) are subject to further changes, it is important that businesses begin to assess carefully these provisions and devise strategies for operationalizing compliance with them, especially since disclosures provide some of the most visible signals of CCPA compliance.

In this post, we summarize the Draft Regulations’ disclosure provisions and outline steps for businesses to consider taking to prepare for these requirements.

New Disclosure Requirements

Citing a CCPA provision that authorizes regulations to ensure that notices and information required under the CCPA are provided to consumers at the appropriate time and in a manner that may be “easily understood by the average consumer,” the Draft Regulations would create new disclosure requirements for any business engaged in the collection of consumers’ personal information.

Notice at Collection

The Draft Regulations, citing a declared purpose in the CPRA of enabling consumers to “exercise meaningful control” over businesses’ use of their information, would require businesses to provide additional details about certain aspects of their information practices at or before the point of collection. These provisions include new requirements governing first parties’ and third parties’ notice at collection disclosures.

  • Required Content of a Notice at Collection. Building on existing requirements under the CCPA, the Draft Regulations would require a business to include the following information in its notice at collection:
    • the categories of personal information collected, including sensitive personal information;
    • the purposes for which the categories of personal information are collected and used;
    • whether the categories of personal information listed are sold or shared;
    • the length of time the business intends to retain each category of personal information listed (or the criteria used to determine the retention period);
    • a link to the business’ notice of the right to opt out of the sale/sharing of personal information (or, in the case of an offline notice, where the webpage can be found online);
    • if the business allows third parties to control the collection of personal information on its property, the names of all such third parties or information about their business practices; and
    • a link to the business’ privacy policy (or, in the case of an offline notice, where the privacy policy can be found online).
  • Presentation of the Notice at Collection. The Draft Regulations also prescribe how a business must present its notice at collection. According to the Draft Regulations, it is insufficient to direct consumers to the top of a privacy policy or to require consumers to scroll to find the notice at collection disclosures. Instead, a business must include a link that takes consumers directly to the section of its privacy policy that includes the required information. The link to the notice at collection must be made “readily available where consumers will encounter it at or before the point of collection.” As an example, the Draft Regulations provide that, when a business collects personal information from a consumer via a webform, it should include a “conspicuous link” to the notice at collection in “close proximity” to either the fields where the consumer enters his/her personal information or the button the consumer hits to submit his/her personal information.
  • First and Third Party Disclosures. Based on the view that “more than one business may control the collection of a consumer’s personal information, and thus, have an obligation to provide a notice at collection,” Section 7012(g) of the Draft Regulations would require a business to include in its notice at collection extensive information about third parties that “control” the collection of personal information. In particular, the Draft Regulations provide that if a business owns a physical or digital property from which consumers’ personal information is collected (a “first party”) and allows third parties to control the collection of personal information on its property, the business must include in its notice at collection either (i) the name of all such third parties or (ii) details about such third parties’ “business practices” (which the third parties would be required to provide to the first party). Additionally, the Draft Regulations provide that if a third party collects information from the first party’s physical premises, the third-party business must provide a notice at collection “in a conspicuous manner” at the physical location(s) where it collects the information.

Privacy Policy

The Draft Regulations would also require businesses to include more granular disclosures in their privacy policies. These requirements include:

  • a detailed description of the business’ online and offline information handling practices, including a statement indicating whether the business uses or discloses sensitive personal information for purposes other than those enumerated in Section 7027(l);
  • details about the rights consumers have with respect to their personal information under the CCPA, as amended by the CPRA (which we will discuss in a subsequent blog post);
  • an explanation of how consumers can exercise their rights and what they can expect from the process, including details about how the business processes opt-out preference signals;
  • the date the privacy policy was last updated; and
  • the business’ consumer rights requests metrics for the previous calendar year (or a link to such information), where applicable.

Takeaways

While the CPPA may revise the Draft Regulations before they are finalized, the direction toward more detail in notices at collection and privacy policies – particularly about third parties – seems clear. Satisfying the notice at collection requirements in the Draft Regulations would likely present significant challenges. While the Draft Regulations provide businesses with some flexibility in terms of how they disclose the presence of third parties on their properties, presenting all of the required information in a clear and meaningful manner to consumers could be difficult. Additionally, the need to disclose extensive information about third parties could interfere with consumers’ online experiences.

To prepare for these potential changes, a valuable step for many businesses would be to take stock of the third-party information collection occurring on their sites and in their apps and to consider how to provide more detailed disclosures to consumers in a concise, intelligible, and easily accessible form.

Stay tuned for additional blog posts in which we will summarize how the Draft Regulations contemplate some of the CPRA’s other amendments to the CCPA.

* * * *

Join us today for State Attorneys General 102.

CPRA Update: California Privacy Protection Agency Votes to Begin Rulemaking Process
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-update-california-privacy-protection-agency-votes-to-begin-rulemaking-process
Sun, 12 Jun 2022 14:04:07 -0400

On Wednesday, June 8, the California Privacy Protection Agency (CPPA) Board voted 4-0 (with one member absent) to initiate the CPRA rulemaking process based on the draft regulations released on May 27th prior to the Memorial Day holiday. (To learn more, please see New California Draft Privacy Regulations: How They Would Change Business Obligations and Enforcement Risk.) The next step is for the CPPA Staff to initiate the formal notice and comment period, where businesses, advocates, and consumers will have an opportunity to weigh in on the proposed rules.

Here is a timeline of the proposed rulemaking:

  • Formal Publication of Rules: The CPPA will commence formal rulemaking in accordance with the California Administrative Procedure Act. As detailed in the FAQs on the CPPA’s website, the agency will file a Notice of Proposed Action (NOPA), the text of the proposed regulations, and the Initial Statement of Reasons (ISOR) with the Office of Administrative Law (OAL). The NOPA will be published in the California Regulatory Notice Register (similar to the Federal Register), marking the first day of the formal rulemaking process.
  • Comment & Hearing: The initial comment period will run at least 45 days, and the CPPA will hold a public hearing. Then, if any changes are made to the initial draft, a subsequent comment period of at least 15 days will run to receive comments on the revisions. The CPPA will then issue its Final Statement of Reasons (FSOR) and final regulations.
  • Board Involvement During Rulemaking Process: At the CPPA’s May 26, 2022 open meeting, the Process Subcommittee provided a presentation on the rulemaking process, indicating that the CPPA intends for the CPPA Board to play an active role. The presentation proposes the following:
    • At the next meeting (20-45 days after the June 8, 2022 meeting), Staff will answer the Board’s questions about the proposed rules, and the Board will discuss the proposed rules in detail.
    • After the close of the initial comment period, the Board will hold at least one meeting where Staff will present the Board with proposed updates to the rules, and answer questions. The Board has an opportunity to bring in experts to testify about changes to the rules. The Board will then vote to approve moving forward.
    • Staff will then prepare the final package, and at a final meeting, the Board will vote to approve the filing of the package with the OAL.
  • Advance Notice of CPPA Action: All action of the CPPA occurs during open meetings of the Board, and all materials to be considered by the Board must be made available 10 days before the open meeting. This will provide the public advance insight into any written materials under consideration by the CPPA before any vote.
  • Additional Rulemaking: The CPPA has indicated that the initial draft rules are not the only rules it will issue. A second round of rulemaking may focus on automated decisionmaking, cybersecurity audits, and privacy risk assessments. The timeline for issuance of additional rules is currently unclear.
If you are interested in submitting comments in the rulemaking process or have questions about privacy compliance, please reach out to members of Kelley Drye’s privacy team.

* * * *

JOIN US FOR

The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations.

In this webinar, Kelley Drye privacy lawyers will provide observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and will offer strategies to plan efficiently for compliance in the face of these proposals.


New California Draft Privacy Regulations: How They Would Change Business Obligations and Enforcement Risk
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/new-california-draft-privacy-regulations-how-they-would-change-business-obligations-and-enforcement-risk
Mon, 30 May 2022 18:24:04 -0400

On Friday May 27, 2022, the California Privacy Protection Agency (CPPA) Board announced its next public meeting will be on June 8, 2022. The announcement simply stated the date of the meeting, that there are “some discussion items [that] will be relevant to the Agency’s rulemaking work,” and that information on how to attend the meeting and the meeting agenda could be found on the CPPA’s site. It did not take too many Internet sleuths to review the posted agenda, and note that Agenda Item No. 3 was “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action,” and that the posted meeting materials included a copy of the “Draft Proposed CCPA Regulations.” In addition, Agenda Item No. 4 provides for “Delegation of Authority to the Executive Director for Rulemaking Functions.” Full stop, June will be an active month for California privacy rulemaking.

But let’s unpack the surprises in the draft regulations. The 66-page draft proposed CCPA regulations (and they are referred to within the document as CCPA regulations) take a prescriptive approach to privacy obligations. In concept, that is not too surprising. Of concern, in some areas, they uniquely depart from approaches set forth by other state privacy laws. The quiet release of dramatic new obligations while bipartisan Senators reportedly may be reaching consensus on federal privacy legislation that could preempt state law obligations puts companies doing business in California in a difficult position. Do they scramble to operationalize new programs to comply with the CPPA’s new requirements, if finalized? Do they wait on Congress? Do they choose a third path? For now, while these draft rules are certain to change in some respects before they are finalized, they directionally outline a new privacy baseline for the United States. We highlight certain aspects of the draft rules below, with a particular focus on accountability and risk exposure, how data can be shared with other businesses for digital advertising or other functions, and what those business agreements must include to lawfully support such business relationships and comply with the amended CCPA.

Quick and Costly Potential CPPA Enforcement

Consumers, the CPPA, and the California Attorney General’s Office all are empowered to take businesses (and contractors, service providers, and third parties) to task for perceived non-compliance with privacy obligations. Among all of the proposed changes in the draft regulations, the enforcement provisions should cause many companies, regardless of their role, to pause and evaluate whether they’ve allocated sufficient resources to address privacy compliance. While there is no privacy private right of action under the CCPA/CPRA, the draft rules set forth a new, expanded, and fast-tracked form of compliance monitoring and action that could surprise many companies and prove costly.

First, while there are provisions about requiring consumers to file sworn complaints, the CPPA provides that it can accept and initiate investigations on unsworn and anonymous complaints too. For every sworn complaint, the CPPA must notify the consumer complainant in writing of what actions the Agency has taken or plans to take and the reasons for action or non-action. Because the Agency has to respond to each complaint, this could turn into a routinized process of a high volume of complaints forwarded to businesses, with tight timeframes to respond in writing or else face violations and administrative fines.

The rules provide that there is “probable cause” of a privacy violation if “the evidence supports a reasonable belief that the CCPA has been violated.” There is no mention of extensions of time for good faith reasons. Under the statute, the CPPA can find a violation through a probable cause hearing if it provides notice by service of process or registered mail with return receipt to the company “at least 30 days prior to the Agency's consideration of the alleged violation.” The notice must contain a summary of the evidence and inform the company of its right to be present “in person and represented by counsel.” The “notice” clock starts as of the date of service, the date the registered mail receipt is signed, or, if the registered mail receipt is not signed, the date returned by the post office. It’s possible this process occurs through the forwarding of unverified consumer complaints.

Under the draft rules, a company can request the proceeding be made public if they make a written request at least 10 business days before the proceeding. A company has a right to an in-person proceeding only if it requests the proceeding be made public. Otherwise, the proceeding may be conducted in whole or in part by telephone or video closed to the public. Participants are limited to the company representative, legal counsel, and CPPA enforcement staff. The CPPA serves as prosecutor and arbiter, and the draft rules do not define how the agency preserves its neutrality in its latter role.

The CPPA makes a determination of probable cause at such proceeding “based on the probable cause notice and any information or arguments presented at the probable cause proceeding by the parties.” If a company does not participate or appear, it waives “the right to further probable cause proceedings” (it’s not clear in the draft rules whether that is limited to the facts of that matter, or future alleged violations) and a decision can be made on the information provided to the CPPA (such as through a complainant).

The CPPA then issues a written decision and notifies the company electronically or by mail. Of concern, the draft rules provide that this determination “is final and not subject to appeal.” Under the statute, violations can result in an administrative fine of up to $2500 for each violation, and up to $7500 for each intentional violation or if the violation involves minors. Multiple parties involved can be held jointly and severally liable. It’s conceivable that violations may be calculated on any number of factors that could add up substantially, and as contemplated by these draft rules, there is no process to challenge such judgments, including if there are factual or legal disputes. One can imagine future legal proceedings that challenge a variety of the legal bases for such a structure if these rules are finalized as drafted.

Service Provider Requirements and Restrictions

Data Privacy Addendums Get a Further Tune Up, and Open Question on Whether They Need to be Bespoke. One aspect of state privacy law compliance that has consumed considerable resources and time is service provider contracts. Who is a service provider? What must the contract say? What restrictions apply to service providers (or contractors)? The draft rules continue to add more obligations.

A written contract that meets all of the requirements outlined below must be in place for a vendor to even qualify as a service provider or contractor. The contract requirements are very granular, and go beyond what most current privacy addendums (or technology provider terms and conditions) look like today. They include:

  • Restrictions from selling or sharing the business’s personal information.
  • Identify which specific business purposes and services are required for processing the business’s personal information, and that such disclosure occurs only for the limited and specified business purposes set forth in the contract. This cannot be stated generally with reference to the agreement, but rather requires a specific description.
    • This language suggests that a one-size-fits-all data processing agreement for all vendors processing personal information for different business purposes or functions might not be sufficient, which is very concerning from a resource and practicality standpoint.
  • Restricting the processing of personal information outside or for any other purpose from those business purposes in the contract, including to service a different business, unless permitted by the CCPA. Awkwardly, the proposed rule suggests that all of the specific business purpose(s) and service(s) identified earlier would need to be restated as part of the restrictions.
    • On this last point, the draft rules underscore this specific example: “a service provider or contractor shall be prohibited from combining or updating personal information received from, or on behalf of, the business with personal information that it received from another source unless expressly permitted by the CCPA or these regulations
  • Requiring compliance with all applicable provisions of the CCPA, including providing the same level of privacy protection as applicable to businesses, to cooperate with the business for handling consumer rights requests, and reasonable data security provisions.
  • Reasonable audit provisions to ensure CCPA compliance, such as “ongoing manual reviews and automated scans of the service provider’s system and regular assessments, audits, or other technical and operational testing at least once every 12 months.”
  • Notification to the business within 5 business days if the service provider/contractor determines it cannot meet its obligations.
  • Providing the business the right to take reasonable steps to stop and remediate any unauthorized use of personal information by the service provider/contractor, such as “to provide documentation that verifies that [the service provider/contractor] no longer retain[s] or use[s] the personal information of consumers that have made a valid request to delete with the business.”
  • Providing that the business will notify the service provider/contractor of any consumer rights request and provide the information necessary for the service provider/contractor to comply with the request.
In addition to the contract, the draft rules emphasize that these cannot just be words on paper that diverge from actual practices. Section 7051(e) notes in particular that, in assessing compliance, the CPPA can evaluate whether the business conducted any due diligence to support a reasonable belief of privacy compliance, and whether and how the business enforces its contract terms, including performing audits. If there is non-compliance, both parties can be held jointly and severally liable.

The Limitations on Internal Use of Customer Data by a Service Provider/Contractor. The draft rules provide that a service provider/contractor is restricted from using customer personal data for its own purposes, except for internal use to build or improve the quality of its services, provided that the service provider/contractor does not use the personal information to perform services on behalf of another person in a manner not permitted under the CCPA. This language is notably different from the governing CCPA rules. The examples outlined below, together with the admonition above that the service provider cannot combine or update personal information received from another source unless permitted by the CCPA, make it ambiguous when updating personal information crosses the line. The examples suggest that where such functions are used to facilitate personalized advertising or data sales, they would not fit within a service provider/contractor role.

Use for Analysis/Data Hygiene (Sometimes). The draft rules set forth two examples that seem to allow some analysis and data correction under particular circumstances. The first illustration emphasizes that the service provider/contractor can analyze how a business customer’s consumers interact with company communications to improve overall services, and the second example highlights that a service provider/contractor can use customer data to identify and fix incorrect personal information where doing so would improve services to others. The draft rules underscore, however, that a service provider/contractor could not compile (e.g., enrich/append) personal information for the purpose of sending advertising to another business or to sell such personal information.

Data Security/Fraud Prevention. Consistent with the statute, the draft rules allow service providers/contractors to use and combine customer personal information “[t]o detect data security incidents or protect against malicious, deceptive, fraudulent or illegal activity.”

Other Legal Purposes. The draft rules acknowledge that a service provider/contractor can use customer data to comply with other laws, lawful process, to defend claims, if the data is deidentified or aggregated, or does not include California personal information.

Advertising Service Provider Functions Look Limited. The draft rules acknowledge that a business can engage a service provider/contractor for advertising/marketing services if the services do not combine opted-out consumer data with data from other sources. The draft rules also affirmatively reiterate that an entity that provides cross-context behavioral advertising is a third party and not a service provider/contractor.

  • As an example of what would cross the line, the draft rules provide that a service provider/contractor can provide non-personalized advertising based on aggregated or demographic information (ads based on gender, age range, or general geographic location), but could not, for example, share the business’s customer information with a social media platform to “identify users on the social media company’s platform to serve advertisements to them.” This example is stated without qualification as to what commitments the platform has provided on its own use of and restrictions on such data, or whether and how any other permitted “business purposes” under the CPRA may apply.
  • In another example, the draft rules provide that an advertising agency can be a service provider/contractor by providing contextual advertising services. Again, this example is set forth without reference to any other business purposes that may apply. However, one wonders whether the enforcement structure may inhibit broader interpretations where functions involve personalized advertising and analytics.
Third Parties that “Control the Collection” of Personal Information

Notice at Collection. The draft rules contain new language that, in the context of “notice at collection,” provides that when more than one party controls the collection of personal information, such as in connection with digital advertising, all such parties must provide a very detailed “notice at collection” that accounts for all parties’ business practices. As an example:

  • A “first party may allow another business, acting as a third party, to control the collection of personal information from consumers browsing the first party’s website. Both the first party that allows the third parties to collect personal information via its website, as well as the third party controlling the collection of personal information, shall provide a notice at collection.”
Both parties also would need to honor opt outs of sale/sharing, and the “notice at collection” would need to include “the names of all the third parties that the first party allows to collect personal information from the consumer,” or the first party can include in its “notice at collection” the information provided by the third party that would meet all of the requirements about its business practices. For example, a company that has a third-party analytics tag on its website would need to post a conspicuous link to its “notice at collection” about the analytics company’s information practices on its homepage and on all webpages that include the tag collecting personal information. The analytics company also would need to post a “notice at collection” on its own website’s homepage. These requirements also apply offline, where applicable.

Honoring Opt Outs. Section 7051 provides that third parties are directly obligated to honor opt outs, including as conveyed through a global privacy signal or otherwise on a first-party business’s site hosting the third party’s tag collecting personal information, unless the first-party business informs the third party that the consumer has consented to the sale/sharing, or “the third party becomes a service provider or contractor that complies with the CCPA and these regulations.”

  • This latter provision is interesting because it suggests implicit support for frameworks, such as IAB’s LSPA, where a contract that contains commitments around the use of personal data after an opt out can support a continued service provider role.
The first-party business would also be required to “contractually require the third party to check for and comply with a consumer’s opt-out preference signal unless informed by the business that the consumer has consented to the sale or sharing of their personal information.” A contract must be in place with the first party in order for the third party to lawfully collect and use personal information collected from the first-party site. The contract would need to comply with all of the express requirements for such third-party contracts under the CCPA. As with service providers/contractors, these contract provisions are very detailed, and due diligence and accountability provisions are also required.

* * *

There is a lot to consider, and while all of these provisions remain subject to further changes, it is clear that the draft rules suggest a more exacting expectation of privacy compliance by companies doing business in California or otherwise with California residents, and an expansive new set of obligations to tighten such compliance within the information supply chain. We will cover in future blog posts how these draft rules contemplate other business obligations, including obligations around obtaining consent, privacy policies, responses to consumer privacy rights requests, the use of sensitive personal information, the mechanics of complying with opt outs of sales/shares, and global privacy controls. If you are interested in submitting comments in the rulemaking process or have questions about privacy compliance, please reach out to members of Kelley Drye’s privacy team.

JOIN US

A Readout of the California Privacy Protection Agency's Draft Proposed CPRA Regulations

Separately, join us as Kelley Drye privacy lawyers provide observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and offer strategies to plan efficiently for compliance in the face of these proposals.