The California Privacy Rights Act (CPRA), the 2020 voter initiative that updated the California Consumer Privacy Act (CCPA, collectively the CPRA and CCPA are usually referred to as the CCPA), created the California Privacy Protection Agency (CPPA) to replace the California attorney general as the designated regulator to enforce the CCPA. On July 8, 2022, the CPPA issued a notice of its proposed regulations under the CCPA that will take effect on Jan. 1, 2023.
The proposed regulations are not completely new out of whole cloth; instead they represent incremental amendments to the existing CCPA regulations issued by the attorney general.
The CCPA creates a privacy regime that in many ways resembles the approach first seen in Europe. Companies are not only required to disclose their privacy practice, but also take specific actions at the request of the individuals to whom the information relates. This includes giving a data subject the right to request access to their information, correction, deletion and even to know what categories of parties the information has been shared with in the past year.
The new proposed regulations, if they become effective as drafted, will create some significant impacts to how information is handled, at least for some companies.
Data Minimization
Perhaps most controversial, the new regulations require that “collection, use, retention, and/or sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed.” It goes further to define “necessary and proportionate” in this context as being “what an average consumer would expect” at the time of collection. The proposed regulation elaborates with several examples that make clear that the subsequent usage of information for marketing purposes, especially for a third party to market, is probably outside “what an average consumer would expect.”
Additionally, and more concrete, the regulations make clear that California will be looking closely at the disclosures in a company’s privacy notice and comparing that with information actually collected. If new information is needed that wasn’t disclosed, new notice is required.
Ease of Use
The CPPA’s proposed regulations also provide extensive guidance that is intended to help companies make their disclosures clear to consumers. This has also been an enforcement priority with California under the current law, and these proposed regulations seem to be attempting to capture some of the main points that California has been encountering.
Of particular importance is the requirement that consent to use personal information be as simple to withdraw by a consumer as it is to grant.
Automated Opt-out Signals and the Global Privacy Control
The proposed CPPA regulations extensively augment California’s insistence that companies honor automated opt-out signals, including the Global Privacy Control (GPC), despite the practical implications of the limitations of the GPC as implemented. In so doing, California is attempting to become the de facto global opt-out regulator. The GPC has no mechanism for a company to determine what jurisdiction’s laws apply to a consumer who is using a browser that transmits the signal. California is making its position clear: regardless of whether there’s anything indicating the consumer is in California, a company must comply.
Sensitive Information
One of the most significant changes in the CPRA was the addition of special restrictions for “Sensitive” information, which includes race, religion, ethnicity, geolocation, genetic data, biometric data, financial account information and social security number. The proposed regulations specify the means by which a company must give a consumer the option to limit the use and sharing of their sensitive information (if it’s collected) through a link on the company’s website specifically labeled “Limit the Use of My Sensitive Personal Information.”
Additional Bits
Last, the additions identify the business purposes for which service providers and contractors may use consumers’ personal information pursuant to a written contract with a business, for the service provider or contractor’s own business purpose. They also establish procedures for filing complaints with the agency and procedures necessary for the agency’s administrative enforcement of the CPRA. The additions also outline the scope and process for the exercise of the agency’s audit authority as well as the criteria for selecting those that would be subject to an audit, and harmonize regulations governing opt-out mechanisms, notices and other operational mechanisms to promote clarity and functionality.
THIS DOCUMENT IS INTENDED TO PROVIDE YOU WITH GENERAL INFORMATION REGARDING NEW CPPA REGULATIONS. THE CONTENTS OF THIS DOCUMENT ARE NOT INTENDED TO PROVIDE SPECIFIC LEGAL ADVICE. IF YOU HAVE ANY QUESTIONS ABOUT THE CONTENTS OF THIS DOCUMENT OR IF YOU NEED LEGAL ADVICE AS TO AN ISSUE, PLEASE CONTACT THE ATTORNEYS LISTED OR YOUR REGULAR BROWNSTEIN HYATT FARBER SCHRECK, LLP ATTORNEY. THIS COMMUNICATION MAY BE CONSIDERED ADVERTISING IN SOME JURISDICTIONS.