Santa (and the CPPA) Know If You’ve Been Naughty or Nice With Your Consumer Data

DarrowEverett LLP

On Oct. 17, 2022, the California Privacy Protection Agency (the “CPPA”) released a revised draft of regulations to enforce the soon-to-be-effective California Privacy Rights Act (the “CPRA”). The revised regulations include revisions to sections regarding collection of personal data, restrictions on the use of personal data, privacy notice requirements and opt-out preference signals. The revisions were the topic of a two-day board meeting held in late October, during which the CPPA Board extended the comment period for an additional 15 days and directed the CPPA to further modify the draft.

Despite the CPRA’s effective date of Jan. 1, 2023 quickly approaching, some requirements introduced by the draft regulations remain unclear. One such area concerns consumer opt-out preference signals and how businesses covered under the CPRA will need to acknowledge and process them. Section 7025 of the CPRA explains that opt-out preference signals are intended to provide consumers with a simple means to automatically opt out of the sharing or sale of their personal information across all businesses they interact with online.

The current draft of the regulations requires covered businesses that sell or share personal information to process opt-out preference signals as a valid request to opt out of the sale and/or sharing of personal information. The protection afforded to consumers sending an opt-out preference signal under this draft is strong — covered businesses cannot require consumers to provide any additional information beyond what is necessary to send an opt-out preference signal (and are required to comply as much as possible with provided information), and an opt-out preference signal takes priority in the event of a conflict with a consumer’s specific privacy settings with the business. Additionally, in the event a consumer does send an opt-out preference signal (or opts out of the sale/sharing of their personal data by another valid means), the business cannot ask the consumer to consent to the sale or sharing of their personal data for at least 12 months. Lastly, businesses must process opt-out preference signals in a “frictionless” manner, meaning they cannot charge consumers any fees for using an opt-out preference signal, change the consumer’s experience for having opted out, or display any notification in response to an opt-out preference signal.

Notably, the latest draft does clarify that this requirement is not applicable to businesses that do not sell or share personal information. But, as we have seen in recent actions by the California Attorney General, the “sale” of personal information is construed broadly under the CPRA — many businesses utilize third-party service providers in ways that the State of California considers selling or sharing of personal information, including analyzing consumer data for online behavior and trends.

While the regulations provide strong guidelines for acknowledging and processing opt-out preference signals, they are less clear on how businesses should identify them. Under the current draft, covered businesses are required to process an opt-out preference signal that (1) is “in a format commonly used and recognized by businesses”, including in an HTTP header field or JavaScript object; or (2) clearly informs a consumer that the opt-out preference signal “is meant to have an effect of opting the consumer out of the sale and sharing of their personal information”. The vague definition of a valid opt-out preference signal forces businesses into an awkward position — how does a business identify an opt-out signal without knowing what one looks like?

Despite the lack of clarity, the private sector has stepped up hoping to fill the gap. There is growing support for a technical specification named Global Privacy Control (“GPC”). GPC automatically sends opt-out signals to websites GPC users visit. Reportedly, the GPC specification has been adopted by several organizations and is now integrated as a feature into web browsers like Mozilla and Firefox. Several web browser extensions are available, which can be integrated into other web browsers that do not have native universal opt-out capabilities. California’s Attorney General has stated that he is “encouraged to see the technology community developing a global privacy control in furtherance of the [California Consumer Protection Act] and consumer privacy rights.”

And while the California Consumer Protection Act and the CPRA have pushed California’s data privacy laws front and center, other states are also adopting similar universal opt-out mechanism requirements. For example, the Colorado Privacy Act (“CPA”) also requires businesses to recognize universal opt-out mechanisms, though with some caveats that may limit the GPC. [Note: the CPA’s universal opt-out mechanism requirements will be delayed in effect — the CPA becomes effective on July 1, 2023, but universal opt-out mechanism requirements will become effective in 2024]. It is also worth noting that the American Data Privacy Protection Act (“ADPPA”), proposed legislation that would enact federal data privacy laws in the United States, also includes “unified opt-out mechanism” requirements. Under the latest ADPPA draft, the Federal Trade Commission will establish at least one “acceptable privacy protection, centralized mechanism” for individuals to exercise opt outs through a single interface, including “global privacy signals such as browser or device privacy settings.” Although the ADPPA was blocked from moving before the full U.S. House of Representatives, the Committee on Energy and Commerce is likely taking cues from California to prepare a draft with stronger consumer protections.

However, despite the growing push for global opt-out signals, the uncertainty for California’s opt-out preference signals may not be resolved by the time the CPRA becomes effective. In its last action on Oct. 29, the CPPA Board highlighted certain aspects of the latest regulations to further revise. Though opt-out preference signal requirements will be further expanded upon in the next draft, the identification of global opt outs is not expected to be clarified. As of now, the CPPA’s next board meeting has not been scheduled.

In the meantime, businesses that sell or share the personal information of consumers should take the time to become familiar with GPC and other opt-out signal initiatives or applications that develop in the near future. Quickly identifying a potential global opt-out signal may help businesses stay compliant and avoid penalties under the CPRA and other data privacy laws.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© DarrowEverett LLP | Attorney Advertising
