CPRA Rule Revisions Unlikely to be Finalized in 2022
Just two months before the effective date (January 1, 2023) of the California Privacy Rights Act (“CPRA”), the California Privacy Protection Agency (“CPPA”) Board met on October 28 and 29 to discuss revisions to the agency’s initial draft CPRA regulations. Board members discussed a range of proposed changes that could significantly impact businesses but also reserved discussion on important topics, such as employee and business-to-business data, for future proceedings.
This post provides further details about the rulemaking process, as well as takeaways from the Board’s discussion of key substantive topics, such as restrictions on the collection of personal information and opt-out preference signals. The Board directed CPPA staff to consider and include specific modifications, as discussed below, and on November 3 the CPPA released a further revision of its proposed rules for a 15-day public comment period (the “November 3 Draft Regulations”). The deadline to submit comments is 8:00 am on Monday, November 21.
1. Rule Revisions Likely to Be Finalized in Early 2023
The CPPA Board meeting and subsequent developments have provided some clarity about the likely timing of final regulations. (A second Board meeting that had been scheduled for November 4 was canceled.)
Following a review of comments submitted during the current 15-day comment window, the expected next step is for the CPPA to submit a final set of regulations to the Office of Administrative Law (OAL) for review. OAL will have 30 business days, a period that will likely be affected by the upcoming holiday season, to complete its review. This means that the regulations likely will not be finalized until early 2023. But this timeline should also be considered within the context of the delayed enforcement provisions in the statute. Although the CPRA’s statutory provisions go into effect on January 1, 2023, section 1798.185(d) of the CPRA provides that “civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date.” (Existing CCPA rules remain enforceable before July 1, 2023.)
While the uncertain timing of final regulations adds to the challenges of meeting other privacy compliance deadlines (such as the January 1 effective date of the Virginia Consumer Data Protection Act), businesses may find some cause for relief in the CPPA’s addition of section 7301(b) to the draft regulations: “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”
2. Key Substantive Changes in the November 3 Draft Regulations
The Board discussed and directed several material changes, which CPPA staff incorporated:
- Restrictions on the Collection and Use of Personal Information (§ 7002): This section would set requirements for the reasonable and proportionate collection, use, retention, and sharing of a consumer’s personal information, as well as the purposes for which such information can be collected. Board members raised concerns about whether the draft regulations went beyond the CPRA’s statutory requirements. The Board explained that the primary purpose of section 7002 is to provide guidance on how the new statutory requirements should be understood by businesses and consumers. The November 3 Draft Regulations, however, do not contain any obvious signs of additional flexibility. The Board also discussed adding language that would require businesses to be reasonable and proportionate in the practices that a consumer consents to – and section 7002(d) of the November 3 Draft Regulations expressly states that personal information processing “shall also be reasonably necessary and proportionate to achieve any purpose for which the business obtains the consumer’s consent . . .”
- Opt-Out Preference Signals (§ 7025): This section requires that any business that sells or shares personal information must process any opt-out preference signal that meets the CPPA’s requirements, which are currently outlined in section 7025(b). The Board requested that staff add language to expressly require businesses to apply opt-out preference signals to pseudonymous profiles, e.g., consumer profiles associated with the browser or device. Section 7025(c)(1) of the November 3 Draft Regulations incorporates such a change.
- Requests to Limit Use and Disclosure of Sensitive Personal Information (§ 7027(m)): Board members requested that staff include a statement noting that the use, disclosure, and means of collection of sensitive personal information for purposes that are exempt from Right to Limit requests must be reasonably necessary and proportionate to achieve those listed purposes. The November 3 Draft Regulations include this change in section 7027(m)(8).
Finally, the Board discussed the following smaller – but still significant – changes:
- Definitions (§ 7001(b)): This section provides definitions for terms used throughout the draft regulations. The Board recommended adding a definition of “Alternative Opt-Out Link,” which a business can provide instead of posting separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links, as set forth in Cal. Civ. Code § 1798.135. The Alternative Opt-Out Link is explained further in section 7015. The Board also recommended clarifying the definition of “right to limit” and adding a definition of “Nonbusiness” to clarify a term that was introduced in the October 21 draft regulations.
- Notice at Collection of Personal Information (§ 7012): The Board asked staff to consider including in a future rulemaking proposal a revision that would allow businesses to disclose the number of third parties they sell or share information with, as a way to reduce the burden of disclosing the names of third parties in the Notice at Collection. The November 3 Draft Regulations do not include such a change. However, the Draft Regulations continue to provide that a first party and third parties that control collection may provide a “single Notice at Collection that includes the required information about their collective Information Practices.” The “illustrative example” in section 7012(g)(3)(A) suggests that identifying third parties by name is not necessary (and the proposal that specifically identified this option in the CPPA’s initial draft regulations was deleted in its October revisions), provided that the business sufficiently describes the practices of third parties in the Notice at Collection.
- Requests to Delete (§ 7022(b)(2)): This section provides guidance on how a business, service provider, or contractor shall comply with a request to delete personal information. The Board recommended, and CPPA staff added to the November 3 Draft Regulations, clarifying language that service providers and contractors can utilize self-service methods that enable businesses to delete personal information that the service provider or contractor collected. The new regulation more closely conforms to the language in the CPRA. The new language is also more precise as to how the service provider’s or contractor’s obligations apply to the personal information it collected pursuant to a contract with the business.
- Requests to Correct (§ 7023(d)(1)): This section provides guidance on how a business, service provider, or contractor shall comply with a request to correct. The November 3 Draft Regulations add language that consumers should make a good faith effort to provide businesses with all necessary information and documentation available in connection with their right to correct when they make a request.
- Requests to Opt-Out (§ 7026(a)(1)): This section requires a business that sells or shares personal information to provide two or more designated methods for submitting requests to opt-out of sale/sharing. In the November 3 Draft Regulations, CPPA staff revised this language to clarify that, at a minimum, a business shall allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through one of the following methods: an interactive form accessible via the “Do Not Sell or Share My Personal Information” link, the Alternative Opt-Out Link, or the business’s privacy policy.