An appellate court recently ruled that the California Privacy Protection Agency’s regulations issued under the state’s California Consumer Privacy Act (“CCPA”) will take effect immediately. These regulations have been published for some time, but a lower court-mandated enforcement delay abruptly ended with this latest decision, which overrides a one-year delay of the original March 29, 2023 effective date.
Compliance with the CCPA Regulations
With the appellate court’s reversal, companies subject to the CCPA should assess their obligations under the recent CCPA regulations and take steps to comply. Here are some highlights from the regulations:
1. Restricted Use, Retention, and Disclosure of Personal Data
The regulations include broad provisions addressing uses, retention, and disclosures of personal data. For example, all businesses must ensure use, retention, and/or sharing of personal information subject to the CCPA is “reasonably necessary and proportionate” for the purposes “for which the personal information was collected or processed” or “another disclosed purpose that is compatible with the context in which the personal information was collected.” The collection or processing of personal information must also be consistent with reasonable expectations of the consumer.
If these and other requirements (which are detailed further in the regulations) are not met, the business must obtain consent from the consumer for the processing. To adequately assess their compliance obligations, businesses should carefully evaluate their use, retention, and disclosure of personal information against the CCPA regulations.
2. Data Subject/Consumer Rights Requests
The CCPA regulations further clarify how businesses must implement consumer rights request mechanisms that provide clear information about consumers’ rights and an efficient way to exercise those rights, and they contain detailed information and examples for complying with consumer rights requests. Among other things, businesses must comply with opt-out preference signals (e.g., global privacy control or “GPC” signals), explain how these signals will be processed, and explain how consumers can opt out in a “frictionless manner” (if applicable). The regulations also detail concepts such as “symmetry in choice,” “confusing” language or interactive elements, and “choice architecture” that impairs or interferes with consumer choices, as well as discussing “dark patterns” and clarifying that intent is not determinative in evaluating whether a user interface is a dark pattern.
The regulations also include more detailed requirements for use or disclosure of sensitive personal information, particularly where the purpose of collection or processing is “inferring characteristics” about a consumer.
3. Contract Review and Amendments
In light of the clarifications to existing requirements and the additional obligations imposed by the CCPA regulations, businesses should ensure that contracts or other arrangements with vendors, subcontractors, commercial partners and other third parties adequately address CCPA requirements. The regulations clarify service provider and contractor relationships and the appropriate processing of personal information in connection with these relationships, including clarifying that a party without a data processing agreement that complies with the regulations will not be considered a service provider or contractor. If any arrangement lacks adequate protections, including failure to incorporate the ten elements required by the regulations, then amendments or other compliance measures may be necessary.
4. Privacy Policy Updates
Complying with the CCPA regulations may also require businesses to update their privacy policies. The regulations impose various requirements and restrictions that did not previously apply under the statutory language of the CCPA – notably, these include clarifications on “Do Not Sell or Share My Personal Information” links and opt-out preference signals, among other requirements. So, even if a website’s privacy policy or terms of use were drafted with CCPA compliance in mind, they may still be insufficient going forward unless revisited with these regulations in mind.