As a follow-up to its release of draft regulations (“Draft Regulations”) for the California Privacy Rights Act (CPRA) (which we covered in this article), the California Privacy Protection Agency (“Agency”) released an Initial Statement of Reasons (“Statement of Reasons”) explaining the necessity and rationale of each update in the Draft Regulations. The Statement of Reasons may also help businesses understand how the Agency expects them to comply with the various provisions of the Draft Regulations as the effective date of the law (January 1, 2023) draws closer. This guidance may be particularly helpful for companies as they assess their business practices for compliance with the provisions related to dark patterns, opt-out preference signals, and required disclosures to consumers.
The Agency also voted to begin its formal rulemaking process at its June 8 board meeting, which initiates a 45-day period in which the public can submit written comments on the proposed regulations.
Below we have highlighted the major takeaways from the June 8 Agency meeting, as well as summarized the key points from the Statement of Reasons, organized by the various topic areas in the Draft Regulations. We are happy to answer any questions you may have regarding CPRA compliance.
June 8 Board Meeting
The Agency voted 4-0 to begin the formal rulemaking process, and to authorize the board’s Executive Director, Ashkan Soltani, to take the necessary steps to begin the process. So far, the Agency has requested preliminary written comments from the public, held informational sessions with experts, engaged stakeholders in sessions, and released draft regulations.
The filing of the Notice of Proposed Rulemaking Action starts a 45-day period of public comment. The Agency will hold another hearing and consider the public comments submitted. In particular, the Agency is interested in receiving information from businesses about the specific compliance challenges they expect. If substantial changes are made to the draft regulations, the Agency will provide another 45 days for public input.
It is unclear whether the Agency will finalize rulemaking by the July 1 deadline set out in the CPRA. Public concerns about the enforcement deadline raised at the meeting prompted the Agency to consider obtaining a legal opinion on whether it can disclose enforcement deadlines, and related information, to the public.
In addition, two members of the California Department of Justice, Lisa Kim (Deputy Attorney General) and Stacey Schesser (Supervising Deputy Attorney General) provided a brief overview of the draft regulations. Kim explained that the proposed regulations accomplish three aims: (1) harmonizing the existing CCPA regulations with the CPRA amendments to the CCPA and addressing any confusion in the marketplace; (2) operationalizing the new rights and concepts introduced by the CPRA amendments; and (3) reorganizing and consolidating requirements to improve compliance and understanding. Kim and Schesser also provided examples of how provisions were changed, in light of the outlined aims. For example, Article II, which outlines required disclosures for consumers, was updated to operationalize new CPRA rights, like being able to obtain notice of the right to opt-out of the sharing of personal information. And Article II’s privacy policy section, for instance, was rewritten to improve comprehension.
Initial Statement of Reasons
Definitions. The key behind the change in definitions is simplicity. The Agency updated definitions in order to avoid multiple meanings, remove undefined terms in the CCPA, make the regulations consistent with the CCPA as amended, eliminate any misunderstandings or confusion, and make the regulations easier for consumers and businesses to understand.
Article 1: General Provisions.
Article 1 of the Draft Regulations imposes additional requirements for data processing, consumer communications and consumer request verification. The changes to these general provisions, and specifically to 11 CCR § 7002, reflect the stated purpose and intent of the CPRA that consumers “should know who is collecting their information and that of their children, how it is being used, and to whom it was disclosed so they have the information necessary to exercise meaningful control over a businesses’ use.” (Prop. 24, as approved by voters, Gen. Elec. (Nov. 3, 2020), § 3(B)(2).) More specifically:
- Plain, understandable disclosure. The requirement for plain and understandable disclosures and communications to consumers stems from CPPA findings “that studies have found that presentation and use of plain language techniques positively influence the effectiveness and comprehension of privacy policies.” General Provisions §7003 tries to mirror this performance-based approach, calling for disclosures and communications to be designed and presented in a way that makes them easy to read and understand. The CPPA is aiming to provide businesses with clear guidance on what is required of them. 11 CCR §7003.
- Dark patterns. The CPPA made a number of changes to mitigate consumer confusion caused by dark patterns. The purpose of these changes is to ensure that consumers’ choice is freely made and not impaired through the use of dark patterns. The changes addressing the use of dark patterns were informed by academic scholarship on dark patterns and consumer consent (see our blog) as well as public comments made to the Agency during the preliminary rule-making activity. These changes are important for businesses because they clarify the definition of a dark pattern and establish that a dark pattern does not require intent on the part of the business to subvert consumer choice. 11 CCR §7004.
- Symmetry in choice. 11 CCR §7004(a)(2) addresses a common dark pattern that is characterized as a “roach motel” (easy to get in but hard to get out) and provides a concrete way for businesses to measure whether they are using a minimal number of steps. The CPPA added the symmetry-in-choice requirement because businesses are motivated to use a simple flow for opting into the sale of data; such businesses will also be required to follow the same number of steps for opting out of the sale of data.
- Confusing language and manipulation. Confusing language such as double negatives, manipulative language, and bundled consents are prohibited so that (1) the consumer is not confused, (2) the consumer is not manipulated or guilted, including through bundled consents, and (3) the consumer is not unnecessarily burdened with untested or broken methods for submitting CCPA requests. 11 CCR §7004(a)(3-5).
Article 2: Required Disclosures to Consumers
Article 2 addresses required disclosures to consumers. The updates in this Article were originally drafted in response to public comments received by the Attorney General’s Office expressing confusion about the number and type of notices that businesses are required to provide. Changes in this Article aim to align the regulation with the amended language of the statute. Below are a few:
- Updates to the privacy policy. The changes to the privacy policy under this Article reflect the CPPA’s intent to align the regulation with the revised language of the statute, to better provide consumers with information about how to exercise their rights, and to explain what a “conspicuous link” means, among other things. 11 CCR §7011.
- Ordering. Article 2 also includes a revised ordering of rights in order to mirror the general flow of data through a business from collection and use through sharing, selling, and retention. The new organization of the privacy policy is intended to make it easier for businesses to use the regulation as a checklist to ensure all the necessary information is in the policy. 11 CCR §7012.
- The right to limit the use of sensitive data. The CPPA added this section to ensure that notice is easily accessible and understandable and that businesses have clear guidance on how to provide information required for disclosure. Businesses will be required to include a link to immediately effectuate the consumer’s right to limit the collection of sensitive information. 11 CCR §7014.
- Alternative opt-out link. The purpose of the alternative opt-out link is to ensure uniformity of the opt-out link, to ensure that the link is easily accessible and understandable to consumers, including those with disabilities, and to ensure that the link allows consumers to easily opt out of the sale and sharing of their personal information. 11 CCR §7015.
- Clarification of financial incentives. The Agency clarifies that only price and service differences require a valuation of data. Other kinds of “financial incentives” such as free t-shirts or gift cards do not require valuation because the consumer is aware of the value of the goods.
Article 3: Business Practices for Handling Consumer Requests
The Draft Regulations revised the methods for consumers to submit requests to delete, correct and know. Additional reasons for the revisions in this section are to (1) make the regulation easier to understand, (2) operationalize the right to correct, and (3) operationalize additional obligations such as notifying third parties of consumer requests. More specifically:
- Request to correct. A request to correct was added in order to operationalize the CPRA’s right to correct, minimize administrative burdens on consumers, mitigate risk associated with making requests to correct and to prevent deletion from improperly being used as a substitute for correction.
- Request to know. Revisions concerning the request to know have been aligned to comply with the revised language of the statute and to clarify the requirements of service providers and contractors.
- Opt-out preference signal. The Draft Regulations note that the purpose of the opt-out preference signal provisions is to provide clarity on the intent and goal of the opt-out preference signal and to model the performative standard of the World Wide Web Consortium.
Article 4: Service Providers, Contractors, and Third Parties
Article 4 sets forth robust requirements for service provider and contractor contracts. The purpose behind the changes concerning service providers and contractors is to clarify who is a service provider or contractor, how service providers and contractors handle requests and to streamline different parts of the CCPA that have led to confusion regarding how the CCPA applies to service providers and contractors. This section was informed by the preliminary rule-making activities of the CPPA.
Article 5: Verification of Requests
Article 5 establishes rules regarding consumer verification. The CCPA regulations require that businesses establish, document and comply with a reasonable method for verifying that the consumer making a request to delete is the consumer about whom the business has personal information. This section has been revised and expanded in order to operationalize the CPRA’s right to correct and the request to know. 11 CCR § 7060(a).
Article 6: Special Rules Regarding Consumers Under Age 16
The CCPA regulations created requirements for businesses that sell the personal information of children; the Draft Regulations extend these requirements to businesses that also “share” the personal information of children. This change has been made to align with the statute, namely the CPRA’s amendment to Civil Code section 1798.120, which extended the right of a consumer to opt out of a business’s sale of personal information to the business’s sharing of personal information. Like the Federal Trade Commission, which recently voted on the enforcement of the Children’s Online Privacy Protection Act as it applies to the use of education technology (see our blog), the CPPA will likely be paying close attention to rules regarding consumers under the age of 16.
Article 7: Nondiscrimination
Article 7 is lightly amended in the Draft Regulations compared with the previous CCPA regulations. In Article 7, the CPPA omits the use of “financial incentive” to describe discrimination based on financial incentives. The CPPA reasons that a financial incentive, where a benefit is given for the collection or sharing of data, does not invoke a discrimination analysis because there is presumably a separate negotiation taking place for the incentive. This change aims to remove the confusion in the marketplace caused by the existing regulation.
Article 8: Training and Record-Keeping
Article 8 modifies the record-keeping regulations for businesses that sell, share or otherwise make available for commercial purposes the personal information of 10 million or more consumers in a calendar year. The rights to correct and limit have been added in order to inform the Agency, the Attorney General, policy makers, academics and members of the public about a business’s compliance with CCPA.
Article 9: Investigations and Enforcement
This new Article 9 focuses on how the newly formed CPPA conducts investigations and enforcement proceedings. This section was added to preserve Agency resources, so that the public and regulated parties understand the standards that must be met prior to an administrative meeting, so that the Agency has sufficient time to handle logistics and requests and to allow parties to settle matters with judicial efficiency, among other things.