California Privacy Protection Agency Releases Draft CPRA Regulations - Key Takeaways

Wilson Sonsini Goodrich & Rosati

On May 27, 2022, the California Privacy Protection Agency (CPPA) released a much-anticipated first draft of some of the regulations implementing the California Privacy Rights Act (CPRA).[1] The release accompanied the CPPA’s announcement of its next public meeting on June 8, 2022, where the agency will, among other agenda items, consider possible action regarding the draft regulations and the delegation of rulemaking authority functions to the CPPA’s executive director. Ahead of this meeting, on June 3, the CPPA released a draft Initial Statement of Reasons (ISOR) to accompany the draft regulations, which explains the purpose and necessity of the draft regulations, along with an FAQ offering further information about the draft regulations and the rulemaking process. While the formal CPRA rulemaking process has not yet officially begun, we expect to learn more about a potential schedule for the notice and comment period for the regulations at the CPPA’s June 8 meeting.

Key Takeaways

  • The draft regulations redline the existing CCPA regulations. Although the changes are extensive, some provisions were left largely intact with minimal edits, particularly regarding financial incentive notices, requirements for verifying requests, rules regarding consumers under 16 years of age, non-discrimination provisions, and training and recordkeeping requirements. Nevertheless, these provisions may still be modified by the CPPA in forthcoming draft regulation packages.
  • The draft regulations are likely to undergo significant modifications during the forthcoming public notice and comment period. That said, it is unclear whether they will ultimately be finalized before the CPRA comes into effect on January 1, 2023, putting businesses in an uncertain compliance posture.
  • The CPPA signaled in its last board meeting that it will release additional regulations in future packages. This first round does not address significant topics like data security audits, privacy risk assessments, or access and opt-out rights with respect to automated decision-making, but we expect these will be covered in future batches. Indeed, the ISOR states that the draft regulations changed certain terms to reduce confusion between references to sale/sharing opt-outs and automated decision-making opt-outs, thus signaling that the future rulemaking package will provide further discussion of consumer rights regarding automated decision-making. Also notably missing from the draft regulations are definitive technical specifications for opt-out preference signals.
  • The draft regulations in some circumstances require businesses to obtain explicit (i.e., opt-in) consent, potentially exceeding the statutory opt-out consent requirements.
  • Despite language in the CPRA statute that supports the interpretation that honoring opt-out preference signals (i.e., automated signals sent by a platform, technology, or mechanism that communicate the consumer’s opt-out choice) is optional, the draft regulations require all businesses to honor opt-out preference signals. We expect this tension to be subject to debate in the coming notice and comment period.
  • In response to a request to know, the draft regulations would require businesses to disclose all personal information collected and maintained about the consumer on or after January 1, 2022 (even if that includes information beyond the 12-month period preceding the request), unless doing so proves impossible or would involve disproportionate effort. This requirement goes further than the CPRA statute, which states that consumers may request that a business provide personal information beyond the 12-month period.
  • The draft regulations introduce new obligations for the CPRA’s new right to correct inaccurate personal information, including a requirement that a business provide consumers the name of the business’s data source if the business receives a request to correct information for which the business itself was not the source. This may be difficult for many businesses to comply with absent detailed data trails, and could have a profound impact on the data broker industry.
  • The draft regulations introduce a new concept of “frictionless” opt-outs, which would require honoring a consumer’s opt-out preference signal and not charging a fee, changing the consumer’s experience, or displaying any content in response to the signal other than an acknowledgment that the consumer has opted out. If a business can comply with the requirements for providing “frictionless” opt-outs, among other obligations, the draft regulations maintain that a business does not have to provide opt-out links (“Do Not Sell …,” etc.) on its homepage.
  • Importantly, new notice obligations in the draft regulations would apply to both first and third parties at time of collection. For example, if a business allows third parties, such as advertising providers, to control the collection of personal information on the business’s website or mobile app, the business must provide in its notice at collection either the names of all the third parties it allows to collect personal information or it must provide information about the third parties’ business practices. These burdensome, GDPR-esque notice requirements, if retained in the final draft of the regulations, would likely have a significant impact on ad tech providers.
  • Finally, the draft regulations add to the CPRA statute’s already granular contracting requirements and create new duties for businesses that disclose personal information to service providers, contractors, and third parties. For example, the draft regulations require contracts with service providers to identify the specific business purposes and service for which personal information will be processed and prohibit generic descriptions of such purposes, such as referencing the entire contract generally. Businesses would also have a duty to conduct due diligence on service providers, contractors, and third parties in order to take advantage of the CPRA statute’s liability shield for compliance failures of the service provider, contractor, or third party that occur without the business’s knowledge. These requirements are likely to add significant friction to contract negotiations between businesses and their service providers and third parties, and to impose potentially impossible compliance requirements on small- to mid-sized businesses that do not have the expertise or resources to reasonably audit substantially larger entities.

[1] The draft proposed regulations are referred to as “CCPA regulations” instead of “CPRA regulations.” This is because the CPRA was a ballot initiative that amended the CCPA; it did not create a separate, new law. To this end, the draft regulations propose to update existing CCPA regulations and add new rules to implement and interpret the text of the CCPA, as amended by the CPRA. We refer to these draft CCPA regulations as “draft regulations” in this alert.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
