CPPA to Propose Changes to Privacy Policy Requirements

While the California Privacy Protection Agency (CPPA) Board’s attention during its December 8 public meeting was mainly focused on preliminary draft regulations on automated decisionmaking technology (ADMT), risk assessments, and cybersecurity audits, the Board also decided to begin a formal process to revise its existing regulations.

The proposed changes emphasize the need to give consumers a “meaningful understanding” of personal information practices and the CPPA’s focus on providing information about data practices before consumers engage with a business. These changes are less far-reaching than the ADMT, risk assessment, and audit proposals, but they could affect how businesses make disclosures in their privacy policies and are likely to be finalized on a relatively short timeline.

Here are the key ways that privacy policy requirements would change under the CPPA’s proposal.

  • “Meaningful Understanding” of Sources and Third-Party Recipients of Personal Information

The draft revisions to sections 7011(e)(1)(B) and (E) would expressly include a requirement for privacy policies to give consumers a “meaningful understanding” of the sources from which a business collects personal information and the categories of third parties to which it sells or shares personal information. The phrase “meaningful understanding” is already in the current definitions of “categories of sources” and “categories of third parties” in section 7001. Its repetition in section 7011 could signal an expectation of increased specificity and clarity in how businesses describe the ways they collect and sell personal information.

  • Clarifying Disclosures to Service Providers and Contractors

Proposed revisions to section 7011(e)(1)(H) would require businesses to identify the categories of personal information that they disclosed to a service provider or contractor in the preceding 12 months, along with the business purpose for these disclosures. This change would remove an ambiguity in current section 7011(e)(1)(H), which also mentions disclosures to third parties for business purposes, which is arguably inconsistent with the definition of a third party. Companies that have interpreted subsection (H) differently may need to take another look at their privacy policies in light of this proposal.

  • Privacy Policy Links for Mobile Applications

Finally, the draft regulations propose to require mobile applications to include a link to their privacy policies within their settings menu. Under current section 7011(d), including a privacy policy link in an app’s settings menu is discretionary. This new requirement would be in addition to the current mandate to make the privacy policy available through the business’s homepage or app store download page.

What’s Next?

Once CPPA staff revises the draft revisions to reflect Board members’ input, the package of rule changes will be published for a 45-day public comment period. The CPPA did not indicate when the comment period will begin.