Ad Law Access
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Updates on advertising law and privacy law trends, issues, and developments
Wed, 20 Nov 2024 20:07:08 -0500

Top Advertising Law Developments in 2023
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/top-advertising-law-developments-in-2023
Fri, 22 Dec 2023 12:30:00 -0500

If you follow our blog, you already know that there have been a number of significant developments in the world of advertising law over the past 12 months. In this post, we highlight ten of those developments and consider what they might mean for the future.

  • Regulators’ Favorite Shade – Dark Patterns: Following the FTC’s 2022 Dark Patterns Report and high profile enforcement action against Epic Games, regulators including the FTC, CFPB, and state AGs continued to bring enforcement and provide guidance on perceived “dark patterns” – primarily related to automatic renewal and continuous service options, but also as to chat bots, disclosures, and marketing practices more broadly. In January, the CFPB released guidance focused on dark patterns in negative option marketing. In March, the NAD joined the discussion in a decision highlighting potential issues with Pier 1’s advertising of discounted pricing only available with a paid subscription and its use of a pre-checked box for enrollment with that same subscription. The FTC continued to lead the charge – with dark patterns allegations playing a key role in a number of enforcement actions, including against Publishers Clearing House, Amazon, and fintech provider Brigit.
  • Beyoncé and Taylor Swift Concerts Lead to War on Junk Fees: Okay, the war against junk fees may have predated the fees associated with the pop stars’ mega tours, but it continued in earnest throughout the year. As with dark patterns, the FTC, CFPB and state AGs all took on junk fees at various times. Most notably, the FTC proposed a far-reaching rule that could fundamentally alter how prices and fees are disclosed in businesses across the country. The comment period was just extended until February 7, 2024 for the proposed rule. Not to be outdone, California passed new legislation banning hidden fees and the Massachusetts AG issued draft regulations that would prohibit hidden “junk fees,” enhance transparency in various transactions, and make it easy for consumers to cancel subscriptions.
  • Endorsement Guides: In June, the FTC released its long-awaited update to the Endorsement Guides. We noted that the Guides include some significant changes, including new examples of what constitutes an “endorsement,” details about what constitutes a “clear and conspicuous” disclosure, and an increased focus on consumer ratings and reviews. We also examined how the revisions could affect influencer campaigns. In November, we reported that the FTC had sent warning letters to two trade associations and 12 influencers over their posts, giving us a glimpse of enforcement to come. Meanwhile, NAD has also been active in this space and even referred a case to FTC for enforcement. Expect this to be a priority for both FTC and NAD in 2024.
  • Green Guides: The FTC’s Green Guides review progressed this year with an initial comment period closing in April, followed by an FTC workshop on “recyclable claims,” which we attended and highlighted here. With its history of hosting several workshops on hot green topics, we expect to hear of more workshops in the new year. California has been active as well with the governor signing a new law in October that aims to regulate carbon claims and make businesses more transparent about their carbon reduction efforts by requiring certain website disclosures (see our summary of the law here). The effective date is the first of the new year, but according to a recent letter from the bill’s sponsor, we expect that California will defer enforcement until January 1, 2025 to give companies time to comply (see here). With ESG efforts continuing to be front and center for most companies, consumers and regulators are holding companies accountable for those claims by questioning messaging about their efforts, aspirations for the future, and basis for the claims (see, for example, here, here, and here).
  • Children’s Privacy: Congress, regulators, and advocates focused time and energy on children’s privacy issues in 2023. The House and Senate held hearings focused on children’s safety and privacy. Although the Senate Commerce Committee advanced the Kids Online Safety Act, it never received a floor vote; Senators Markey and Cassidy continued to advocate for approval of the Children and Teens’ Online Privacy Protection Act (COPPA 2.0). The FTC reached settlements with companies about practices it alleged violated the Children’s Online Privacy Protection Act (COPPA) on the Xbox and Alexa platforms and with edtech provider, Edmondo. In September, the FTC released a “Staff Perspective” on digital advertising to children, which included recommendations on how to protect kids from the harms of “stealth advertising.” Also in September, a federal court agreed with industry advocates that California’s Age Appropriate Design Act, which imposes a variety of obligations on businesses that provide online services “likely to be accessed by children,” violated the First Amendment. California is appealing the decision, and regulators, including a number of Attorneys General and FTC Commissioner Alvaro Bedoya, have joined the state as amici. One of the most anticipated developments occurred with just 11 days left in the year, when the FTC proposed revisions to the COPPA Rule—more than four years after initiating its review process. Among other things, the proposed Rule would require new, additional consents for third-party disclosures and could affect operators’ approach to “internal operations.” Online services with children’s audiences have lots to consider in 2024 and beyond. Stay tuned for further updates.
  • State AG: State Attorneys General continued to make their presence felt in 2023. State AGs continued to go after companies for using fake reviews and false endorsements, enforced and proposed new price gouging rules, pursued telehealth companies for deceptive practices, supported the FTC’s Negative Option Rulemaking while bringing their own auto-renewal actions, continued to impose significant penalties against companies for data breaches, pursued companies for misleading consumer financial practices, and focused efforts on so-called “junk fees.” But two topics continue to be the highest priority of AGs – the impact of developments in AI (which we’ve written about here, here, and here – just to name a few) and protecting the most vulnerable consumers – especially our nation’s youth. The incoming president of the National Association of Attorneys General, Oregon Attorney General Ellen Rosenblum, has already made protecting youth, especially teens, this year’s presidential initiative. Look for AGs to continue this focus well into 2024.
  • Automatic Renewal: While auto-renewal service sign-up flows remain important, this year we have seen a transition to cancellation processes being the hottest topic as states enforce their specific requirements and the FTC has drawn attention to “click to cancel” through its proposed rule. But we shouldn’t forget all of the FTC’s other proposals under the negative option rule NPRM, including expanding the scope, requiring more specific disclosures, separate consent for the negative option, consent for save offers, and expanded notice requirements. Regardless of whether a federal rule formally comes into play in 2024, states, as referenced above, are on board with the FTC’s proposals, and they also resolved a multistate investigation this year requiring checkbox consent, online cancellation, and limiting save attempts. And don’t forget Massachusetts is working on its own rulemaking involving online cancellation.
  • NAD: This year, NAD issued a number of decisions that caught our attention. For example, a decision in February narrows the scope of what claims may be considered puffery. NAD later elaborated on what it thinks advertisers must do in order to substantiate aspirational claims about future goals. NAD also issued a number of decisions involving endorsements – including employee endorsements and disclosure requirements – and even referred a case to FTC for enforcement. In August, NAD held that emojis could convey claims, though NARB later disagreed with how NAD had applied that principle. As always, NAD plays a big role in the advertising law landscape, so companies will want to continue to watch what NAD does in 2024.
  • Same Product/Different Label Litigation: We chronicled a Connecticut district court’s denial of a motion to dismiss in a case in which the plaintiff alleged that Beiersdorf, maker of Coppertone sunscreens, engaged in false advertising by selling the same sunscreen formula in two different packages, one of which was labeled as “FACE” and sold in a smaller tube at twice the price of the regular Coppertone Sport Mineral sunscreen. That case is one to watch but it is not the only one of its kind. In fact, 2023 saw several similar cases involving allegedly the same formula marketed as different products with varying price points, such that the plaintiffs alleged that they were misled into purchasing the more expensive item because they believed it was uniquely suited to their needs when, in fact, it was the same as the lower-priced item. These cases involved a range of products, such as baby/adult lotions, infant/children’s acetaminophen, children’s/adult cold remedies, to name a few. So far, decisions are mixed, with some courts being more willing than others to find that the differing prices were justified. Marketers of food and personal care brands that merchandise the same formula in varying iterations will want to remain mindful of these cases as they update packaging and claims.

Keep following us in 2024, and we’ll keep you posted on how these trends develop. In the meantime, have a great holiday!

With July 1st in view, Google updates CCPA contract terms
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/with-july-1st-in-view-google-updates-ccpa-contract-terms
Wed, 24 May 2023 08:00:00 -0400

Google updated its privacy terms earlier this month, shifting away from offering many of its advertising services on a “service provider” basis. With the change, Google states that its Customer Match, Audience Partner API, and certain audience-building services no longer meet the CCPA’s strict new requirements to be offered on a “service provider” basis. The implication of this change is that companies leveraging these services are “selling” or “sharing” personal information and will need to offer consumers an opportunity to opt out.

“Restricted Data Processing” Under the CCPA

Since 2019, Google has offered a number of its services on a “restricted data processing” basis. Where a service is configured for restricted data processing, Google acts as a service provider with respect to personal information (i.e., names, email addresses, online identifiers) that Google collects from advertisers, publishers, and other partners.

Under the California Consumer Privacy Act (CCPA), which first took effect in 2020, a service provider is not permitted to use personal information other than for business purposes associated with offering services. For example, the CCPA does not permit a service provider to resell personal information processed on behalf of a business or to use the information to build profiles about individual consumers for its own commercial benefit.

In documentation available at https://business.safety.google/rdp/, Google explains that when restricted data processing applies, Google will use personal information for business purposes such as ad delivery, reporting and measurement, security and fraud detection, debugging, and to improve and develop product features. Google cites these policies to support its position that it is a “service provider” for many of its advertising-related services, such as Google Ads, Google Analytics, Tag Manager, and Display & Video 360.

What’s changing?

Starting July 1, 2023 – the day that the California Privacy Rights Act (CPRA) amendments to the CCPA become enforceable – Google will no longer offer restricted data processing for the following services in California:

  • Any feature that entails uploading customer data for purposes of matching with Google or other data for personalized advertising (e.g., Customer Match)
  • Any feature that entails targeting user lists obtained from a third party (e.g., Audience Partner API)
  • Any feature that entails creating, adding to, or updating user lists using first-party customer data (e.g., audience building with floodlight tags and audience-expansion features in DV360)

These changes reflect key amendments to the CCPA. In particular, the CPRA amendments define “cross-context behavioral advertising” to mean “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across” the internet, and prohibit service providers from offering services that involve “sharing” personal information for purposes of “cross-context behavioral advertising.”

The clear but unstated message behind these changes is that Customer Match involves cross-context behavioral advertising. When an advertiser uses the Customer Match service, the advertiser provides Google with a target audience, and Google displays ads to that audience on its search results. Because the service involves targeting ads to consumers on Google based on the consumer’s interactions with the advertiser, Google’s apparent position is that Customer Match is a cross-context behavioral advertising service.

As noted above, advertisers, publishers, and other businesses that share personal information with third parties (such as Google) for cross-context behavioral advertising must offer consumers an opportunity to opt-out of the “sale” and “sharing” of their personal information. In addition, as described in the latest CCPA regulations, these businesses are required to enter into a contract for the “sale” or “sharing” of personal information that requires the third party recipient to comply with the CCPA and provide the same level of privacy protection for consumer data as any business subject to CCPA.

Where can I find the restricted data processing contract?

Google publishes its restricted data processing contract for US state privacy laws at https://business.safety.google/usaprivacyaddendum/.

What about Google Analytics?

Google Analytics is a popular service that allows businesses to gain insights into who visits their digital properties. Google states that it will act as a service provider for Google Analytics as long as the business disables sharing with other Google products and services.

Google offers a variety of privacy-related tools for Google Analytics, including support for deletion requests, here.

What about real-time bidding?

Google also offers services like Display & Video 360 and Authorized Buyers that enable advertisers to respond to bids in real-time for ad inventory across the web. Google indicates that these services continue to operate using restricted data processing but also makes clear that restricted data processing “does not extend to the sending or disclosure of data to third parties that you may have enabled in our products and services.” As a result, publishers issuing bid requests and advertisers responding to publisher bid requests should understand that personal information conveyed to third parties for bidding purposes may not be covered by Google’s restricted data processing terms.

CPRA Rule Revisions Unlikely to be Finalized in 2022
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-rule-revisions-unlikely-to-be-finalized-in-2022
Mon, 07 Nov 2022 10:33:54 -0500

Just two months before the effective date (January 1, 2023) of the California Privacy Rights Act (“CPRA”), the California Privacy Protection Agency (“CPPA”) Board met on October 28 and 29 to discuss revisions to the agency’s initial draft CPRA regulations. Board members discussed a range of proposed changes that could significantly impact businesses but also reserved discussion on important topics, such as employee and business-to-business data, for future proceedings.

This post provides further details about the rulemaking process, as well as takeaways from the Board’s discussion of key substantive topics, such as restrictions on the collection of personal information and opt-out preference signals. The Board directed CPPA staff to consider and include specific modifications, as discussed below; and on November 3, the CPPA released a further revision of its proposed rules for a 15-day public comment period (the “November 3 Draft Regulations”). The deadline to submit comments is 8:00 am on Monday, November 21.

1. Rule Revisions likely to be Finalized in Early 2023

The CPPA Board meeting and subsequent developments have provided some clarity about the likely timing of final regulations. (A second Board meeting that had been scheduled for November 4 was canceled.)

Following a review of comments submitted during the current 15-day comment window, the expected next step is for the CPPA to submit a final set of regulations to the Office of Administrative Law (OAL) for review. OAL will have 30 business days, which will likely be impacted by the upcoming holiday season, to complete its review. This means that the regulations likely will not be finalized until early 2023. But this timeline should also be considered within the context of the delayed implementation provisions in the statute. Although the CPRA’s statutory provisions go into effect on January 1, 2023, section 1798.185(d) of the CPRA provides that “civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date.” (Existing CCPA rules are enforceable before July 1, 2023.)

While the uncertain timing of final regulations adds to the challenges of meeting other privacy compliance deadlines (such as the January 1 effective date of the Virginia Consumer Data Protection Act), businesses may find some cause for relief in the CPPA’s addition of section 7301(b) to the draft regulations: “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”

2. Key Substantive Changes in the November 3 Draft Regulations

The Board discussed and directed several material changes, which CPPA staff incorporated:

  • Restrictions on the Collection and Use of Personal Information (§ 7002): This section would set requirements for the reasonable and proportionate collection, use, retention, and sharing of a consumer’s personal information, as well as the purposes for which such information can be collected. Board members raised concerns about whether the draft regulations went beyond the CPRA’s statutory requirements. The Board explained that the primary purpose of section 7002 is to provide guidance on how the new statutory requirements should be understood by businesses and consumers. The November 3 Draft Regulations, however, do not contain any obvious signs of additional flexibility. The Board also discussed adding language that would require businesses to be reasonable and proportionate in the practices that a consumer consents to – and section 7002(d) of the November 3 Draft Regulations expressly states that personal information processing “shall also be reasonably necessary and proportionate to achieve any purpose for which the business obtains the consumer’s consent . . .”
  • Opt-Out Preference Signals (§ 7025): This section requires that any business that sells or shares personal information must process any opt-out preference signal that meets the CPPA’s requirements, which are currently outlined in section 7025(b). The Board requested that staff add language to expressly require businesses to apply opt-out preference signals to pseudonymous profiles, e.g., consumer profiles associated with the browser or device. Section 7025(c)(1) of the November 3 Draft Regulations incorporates such a change.
The Board also asked staff to clarify that if a business asks, and the consumer does not affirm, their intent to withdraw from a financial incentive program, the business may ignore the opt-out preference signal from that consumer with respect to the financial incentive program. While this change appears in the November 3 Draft Regulations, section 7025(c)(4) also provides that a business that does not ask for such an affirmation must apply an opt-out preference signal to the browser, device, “and any consumer profile the business associates with that browser or device.”
  • Requests to Limit Use and Disclosure of Sensitive Personal Information (§ 7027(m)): Board members requested that staff include a statement noting that the use, disclosure, and means of collection of sensitive personal information for purposes that are exempt from Right to Limit requests must be reasonably necessary and proportionate to achieve such purposes listed. The November 3 Draft Regulations include this change in section 7027(m)(8).

3. Other Changes Discussed by the Board

Finally, the Board discussed the following smaller – but still significant – changes:

  • Definitions (§ 7001(b)): This section provides definitions for terms used throughout the draft regulations. The Board recommended adding a definition of “Alternative Opt-Out Link,” which a business can provide instead of posting separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links, as set forth in Cal. Civ. Code §1798.135. The Alternative Opt-Out Link is explained further in section 7015. The Board also recommended clarifying the definition of “right to limit” and adding a definition of a “Nonbusiness” to clarify a term that was introduced in the October 21 draft regulations.
  • Notice at Collection of Personal Information (§ 7012): The Board asked staff to consider including in a future rulemaking proposal a revision that would allow businesses to disclose the number of third parties they sell or share information with, as a way to reduce the burden of disclosing the names of third parties in the Notice at Collection. The November 3 Draft Regulations do not include such a change. However, the Draft Regulations continue to provide that a first party and third parties that control collection may provide a “single Notice at Collection that includes the required information about their collective Information Practices.” The “illustrative example” in section 7012(g)(3)(A) suggests that identifying third parties by name is not necessary (and the proposal that specifically identified this option in the CPPA’s initial draft regulations was deleted in its October revisions), provided that the business sufficiently describes the practices of third parties in the Notice at Collection.
  • Requests to Delete (§ 7022(b)(2)): This section provides guidance on how a business, service provider, or contractor shall comply with a request to delete personal information. The Board recommended, and CPPA staff added to the November 3 Draft Regulations, clarifying language that service providers can utilize self-service methods that enable businesses to delete personal information that the service provider or contractor collected. The new regulation more closely conforms to the language in the CPRA. The new language is also more precise as to how the service provider’s or contractor’s obligations apply to the personal information it collected pursuant to a contract with the business.
  • Requests to Correct (§ 7023(d)(1)): This section provides guidance on how a business, service provider, or contractor shall comply with a request to correct. The November 3 Draft Regulations add language that consumers should make a good faith effort to provide businesses with all necessary information and documentation available in connection with their right to correct when they make a request.
  • Requests to Opt-Out (§ 7026(a)(1)): This section requires a business that sells or shares personal information to provide two or more designated methods to submit requests to opt-out of sale/sharing. As per the November 3 Draft Regulations, CPPA staff revised this language to clarify that, at a minimum, a business shall allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through one of the following methods: an interactive form accessible via the “Do Not Sell or Share My Personal Information” link, the Alternative Opt-out Link, or the business’s privacy policy.

Stay tuned for further updates. For previous posts on CPRA regulations, see here and here. We will continue to keep a close watch on further developments relating to CPRA regulations.

Preparing for Expanded Consumer Rights Requests Under the CPRA
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/preparing-for-expanded-consumer-rights-requests-under-the-cpra
Fri, 15 Jul 2022 06:11:20 -0400

With the clock now running on the comment period for the California Privacy Protection Agency’s (CPPA) Draft Regulations to implement the CPRA – comments are due on August 23 – one of the items on many businesses’ CPRA preparation to-do lists is to address new (and the expansion of existing) consumer rights. The Draft Regulations published by the CPPA lay out how the CPPA is likely to define these obligations. This post takes a deeper look at what’s in the CPPA’s proposal – as well as what’s missing.

A couple of overarching points are worth keeping in mind. First, implementing the CPRA’s consumer rights gives businesses an occasion to review and update their data maps so that they accurately capture how personal information flows both through their organizations and to service providers, contractors, and/or third parties. Second, preparing for CPRA consumer requests should go hand-in-hand with reviewing the systems and procedures that are in place to honor consumers’ requests.

Right to Opt Out of Sale/Sharing of Personal Information

The CPRA broadens the scope of the CCPA’s existing opt-out right to include the “sharing” of personal information. The Draft Regulations would add to existing opt-out obligations by requiring a business to:

  • Provide a “means by which the consumer can confirm” that their request has been processed by the business (e.g., by displaying through a toggle or radio button on the business’s website that the consumer has exercised their right); and
  • Notify all third parties to whom the business has sold or shared the consumer’s personal information since receiving the request that the consumer has exercised their opt-out right, direct them to comply with the request, and forward the request to any other person to or with whom they have disclosed or shared the consumer’s personal information.

Right to Delete

Following new requirements under the CPRA, the Draft Regulations clarify that a business must send deletion requests “downstream” to all relevant parties. Specifically, the Draft Regulations provide that a business must: (i) instruct its service providers and contractors to delete the consumer’s personal information from their records; and (ii) notify all third parties to whom it has sold or shared the consumer’s personal information to delete the information. Service providers and contractors must in turn notify other service providers, contractors, and third parties that accessed the personal information that is subject to the deletion request, unless the access occurred at the direction of the business. These obligations are subject to limitations if they are impossible or would require disproportionate effort to fulfill.

Right to Correct

The right to correct is a new right granted to consumers by the CPRA, and the Draft Regulations establish rules and procedures to facilitate consumers’ correction requests. Among other obligations, the Draft Regulations provide that, upon verification, a business must determine the accuracy of the personal information by considering the “totality of the circumstances relating to the contested personal information.” Pursuant to the Draft Regulations, relevant factors that a business would need to consider are: (i) the nature of the personal information; (ii) how the business obtained the contested information; and (iii) documentation relating to the accuracy of the information. A business that corrects personal information would also need to implement measures to ensure the information “remains corrected” and instruct its service providers and contractors to correct the information in their respective systems.

Right to Know

Building on the existing right to know, the Draft Regulations provide that a business must provide information beyond the 12-month period preceding the business’s receipt of the request unless doing so “proves impossible or would involve disproportionate effort.”

Right to Limit Use and Disclosure of Sensitive Personal Information

The right to limit the use and disclosure of sensitive personal information is another new right under the CPRA. The Draft Regulations would require a business to handle such “requests to limit” by:

  • Ceasing to use and disclose the consumer’s sensitive personal information, except for purposes allowed under the regulations, within 15 business days of receiving the request;
  • Notifying its service providers and contractors that the consumer has exercised their right to limit and instructing them to comply with the consumer’s request within the same time frame described above;
  • Notifying all third parties to whom the business has disclosed or made available the consumer’s personal information for purposes other than those set forth in the regulations after the consumer submitted their request and before the business complied with the request that the consumer has exercised their right and directing the third party to comply with the consumer’s request and forward the request to others that have received the consumer’s sensitive personal information;
  • Notifying all third parties to whom the business makes sensitive personal information available for purposes other than those set forth in the regulations (e.g., third parties that the business authorizes to collect information from its property) that the consumer has exercised their right, and directing such third parties to comply with the consumer’s request and forward the request to others that have received the consumer’s sensitive personal information; and
  • Providing a “means by which the consumer can confirm” that their request has been processed by the business (similar to the obligation for opt-out requests described above).

Propagating Data Subject Rights to Service Providers, Contractors, and Third Parties

A business may have obligations to notify and instruct its service providers, contractors, and/or third parties to comply with a consumer’s request. Service Providers, contractors, and third parties may also have obligations to notify and instruct companies they’ve shared a consumer’s personal information with to comply with a request. The following chart shows obligations that each party has based on the consumer’s request.

See: Propagating Data Subject Rights Chart

Takeaways: The CPRA provides consumers with a range of rights that empower them to exercise more control over their personal information, and the additional obligations that the proposed regulations impose on businesses would help ensure that all parties processing consumers’ personal information give effect to such rights.

To reiterate, it’s unclear which of the amendments in the proposed regulations will stick. It is clear, however, that the expanded transparency and consumer rights requirements in the CPPA’s Draft Regulations are likely to require substantial time and resources to implement.

Stay tuned for additional blog posts in which we will summarize how the proposed regulations contemplate some of businesses’ other compliance obligations under the CPRA.

* * * *

Join us July 20 for How To Protect Employee/HR Data and Comply with Data Privacy Laws. This webinar will cover:

  • Existing and prospective laws and regulations employers should be aware of when managing their workforce
  • Key principles to adhere to when collecting and handling employee personal data
  • Best practices for protecting employee personal data during the employment life cycle

Register here

On Notice: “Notice at Collection” and Privacy Policy Requirements Under the CPPA’s Draft Regulations
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/on-notice-notice-at-collection-and-privacy-policy-requirements-under-the-cppas-draft-regulations
Thu, 30 Jun 2022 07:06:28 -0400

Among the many details to absorb in the draft amendments to the CCPA regulations published by the California Privacy Protection Agency (“CPPA”) on May 27 (the “Draft Regulations”) are new and prescriptive disclosure requirements for notices at collection and privacy policies. While these disclosure provisions (and all of the other provisions of the Draft Regulations) are subject to further changes, it is important that businesses begin to assess these provisions carefully and devise strategies for operationalizing compliance with them, especially since disclosures provide some of the most visible signals of CCPA compliance.

In this post, we summarize the Draft Regulations’ disclosure provisions and outline steps for businesses to consider taking to prepare for these requirements.

New Disclosure Requirements

Citing a CCPA provision that authorizes regulations to ensure that notices and information required under the CCPA are provided to consumers at the appropriate time and in a manner that may be “easily understood by the average consumer,” the Draft Regulations would create new disclosure requirements for any business engaged in the collection of consumers’ personal information.

Notice at Collection

The Draft Regulations, citing a declared purpose in the CPRA of enabling consumers to “exercise meaningful control” over businesses’ use of their information, would require businesses to provide additional details about certain aspects of their information practices at or before the point of collection. These provisions include new requirements governing first parties’ and third parties’ notice at collection disclosures.

  • Required Content of a Notice at Collection. Building on existing requirements under the CCPA, the Draft Regulations would require a business to include the following information in its notice at collection:
    • the categories of personal information collected, including sensitive personal information;
    • the purposes for which the categories of personal information are collected and used;
    • whether the categories of personal information listed are sold or shared;
    • the length of time the business intends to retain each category of personal information listed (or the criteria used to determine the retention period);
    • a link to the business’ notice of the right to opt out of the sale/sharing of personal information (or, in the case of an offline notice, where the webpage can be found online);
    • if the business allows third parties to control the collection of personal information on its property, the names of all such third parties or information about their business practices; and
    • a link to the business’ privacy policy (or, in the case of an offline notice, where the privacy policy can be found online).
  • Presentation of the Notice at Collection. The Draft Regulations also prescribe how a business must present its notice at collection. According to the Draft Regulations, it is insufficient to direct consumers to the top of a privacy policy or to require consumers to scroll to find the notice at collection disclosures. Instead, a business must include a link that takes consumers directly to the section of its privacy policy that includes the required information. The link to the notice at collection must be made “readily available where consumers will encounter it at or before the point of collection.” As an example, the Draft Regulations provide that, when a business collects personal information from a consumer via a webform, it should include a “conspicuous link” to the notice at collection in “close proximity” to either the fields where the consumer enters his/her personal information or the button the consumer hits to submit his/her personal information.
  • First and Third Party Disclosures. Based on the view that “more than one business may control the collection of a consumer’s personal information, and thus, have an obligation to provide a notice at collection,” Section 7012(g) of the Draft Regulations would require a business to include in its notice at collection extensive information about third parties that “control” the collection of personal information. In particular, the Draft Regulations provide that if a business owns a physical or digital property from which consumers’ personal information is collected (a “first party”) and allows third parties to control the collection of personal information on its property, the business must include in its notice at collection either (i) the name of all such third parties or (ii) details about such third parties’ “business practices” (which the third parties would be required to provide to the first party). Additionally, the Draft Regulations provide that if a third party collects information from the first party’s physical premises, the third-party business must provide a notice at collection “in a conspicuous manner” at the physical location(s) where it collects the information.

Privacy Policy

The Draft Regulations would also require businesses to include more granular disclosures in their privacy policies. These requirements include:

  • a detailed description of the business’ online and offline information handling practices, including a statement indicating whether the business uses or discloses sensitive personal information for purposes other than those enumerated in Section 7027(l);
  • details about the rights consumers have with respect to their personal information under the CCPA, as amended by the CPRA (which we will discuss in a subsequent blog post);
  • an explanation of how consumers can exercise their rights and what they can expect from the process, including details about how the business processes opt-out preference signals;
  • the date the privacy policy was last updated; and
  • the business’ consumer rights requests metrics for the previous calendar year (or a link to such information), where applicable.

Takeaways

While the CPPA may revise the Draft Regulations before they are finalized, the direction toward more detail in notices at collection and privacy policies – particularly about third parties – seems clear. Satisfying the notice at collection requirements in the Draft Regulations would likely present significant challenges. While the Draft Regulations provide businesses with some flexibility in terms of how they disclose the presence of third parties on their properties, presenting all of the required information in a clear and meaningful manner to consumers could be difficult. Additionally, the need to disclose extensive information about third parties could interfere with consumers’ online experiences.

To prepare for these potential changes, a valuable step for many businesses would be to take stock of the third-party information collection occurring on their sites and in their apps and to consider how to provide more detailed disclosures to consumers in a concise, intelligible, and easily accessible form.

Stay tuned for additional blog posts in which we will summarize how the Draft Regulations contemplate some of the CPRA’s other amendments to the CCPA.

* * * *

Join us today for State Attorneys General 102.

Webinar Replay: A Readout Of The California Privacy Protection Agency's Draft Proposed CPRA Regulations
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/webinar-replay-a-readout-of-the-california-privacy-protection-agencys-draft-proposed-cpra-regulations
Wed, 15 Jun 2022 17:46:48 -0400

The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations on May 27, 2022.

In this webinar, presented in association with Mondaq, Kelley Drye provided observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and offered strategies to plan efficiently for compliance in the face of these proposals.

Click here to view the webinar recording and click here for the presentation slides.

Join us for our next webinar, State Attorneys General 102, on June 30. Register here.

Find our state privacy law portal and more here.

Subscribe to the Ad Law Access blog to receive real-time updates on privacy and other related matters.

The Ad Law News and Views newsletter provides information on our upcoming events and a summary of recent blog posts and other publications.

Visit the Advertising and Privacy Law Resource Center for additional information, past webinars, and educational materials.

For easy access to all of our webinars, posts and podcasts, download our new Ad Law Access App.


Upcoming Events and Other Ways to Stay Informed
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/upcoming-events-and-other-ways-to-stay-informed
Tue, 07 Jun 2022 03:55:47 -0400

We like to occasionally use this space to let you know about upcoming events that you may not have heard about:

June 8

State Attorneys General 101

Please join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Senior Associate Beth Chun and Abby Stempson, Director of the Center for Consumer Protection, National Association of Attorneys General (NAAG) for State Attorneys General 101. This webinar will cover the basics of State AG consumer protection powers, what to expect if you find yourself the target of an attorney general investigation, how to look to state attorneys general to stop improper actions of competitors, and more. RSVP HERE

IAB Public Policy & Legal Summit 2022

Kelley Drye is a premier sponsor of the IAB Public Policy & Legal Summit 2022, which brings together global leaders in advertising, media, technology, and the government to discuss how organizations can lean into the coming transitions and find solutions that will enable them to build a sustainable and consumer-centric media and marketing ecosystem. Privacy practice Chair Alysa Hutnik (Solving for State Privacy Law Complexity: CPA, VCDPA, UCPA, and Beyond) and Of Counsel Jessica Rich (The FTC During the Biden Administration) will speak at this free virtual summit today. REGISTER HERE

June 14

A Readout of the California Privacy Protection Agency's Draft Proposed CPRA Regulations

The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations on May 27, 2022. In this webinar, Kelley Drye privacy lawyers will provide observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and will offer strategies to plan efficiently for compliance in the face of these proposals. SIGN UP HERE

June 23

IN FASHION: Fashion and Retail Law Summit

Kelley Drye will host the eighth annual IN FASHION: Fashion and Retail Law Summit for executives and in-house counsel later this month. Kelley Drye lawyers and thought leaders from some of the world’s top fashion and retail companies will convene for a full day of presentations on hot button issues that impact the business. The event will address the latest trends, anticipated developments, and challenges in the fashion and retail industries. Claire Spofford, Chief Executive Officer and President of women’s apparel brand J. Jill, will be the featured keynote speaker.

This complimentary event is by invitation only. If you or a colleague are interested in receiving an invitation, please contact [email protected].

July 20

How To: Protect Employee/HR Data and Comply with Data Privacy Laws

As workforces become increasingly mobile and remote work is more the norm, employers face the challenge of balancing the protection of their employees’ personal data and privacy against the need to collect and process personal data to recruit, support and monitor their workforces. Mounting regulations attempt to curb employers’ ability to gather and utilize employee data, from its historical use in processing employee benefits and leave requests to employers’ collection, use or retention of employees’ biometric data to ensure the security of the organization’s financial or other sensitive information systems. Learn what employers can do now to protect employee data and prepare for the growing wave of data privacy laws impacting the collection and use of employee personal data. RSVP

Other Ways to Stay Informed

There are a number of ways to receive our advertising and privacy law updates, including: All of this and more can be found on this link.

First-of-its-kind Advertising Law App

New California Draft Privacy Regulations: How They Would Change Business Obligations and Enforcement Risk
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/new-california-draft-privacy-regulations-how-they-would-change-business-obligations-and-enforcement-risk
Mon, 30 May 2022 18:24:04 -0400

On Friday May 27, 2022, the California Privacy Protection Agency (CPPA) Board announced its next public meeting will be on June 8, 2022. The announcement simply stated the date of the meeting, that there are “some discussion items [that] will be relevant to the Agency’s rulemaking work,” and that information on how to attend the meeting and the meeting agenda could be found on the CPPA’s site. It did not take too many Internet sleuths to review the posted agenda, and note that Agenda Item No. 3 was “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action,” and that the posted meeting materials included a copy of the “Draft Proposed CCPA Regulations.” In addition, Agenda Item No. 4 provides for “Delegation of Authority to the Executive Director for Rulemaking Functions.” Full stop, June will be an active month for California privacy rulemaking.

But let’s unpack the surprises in the draft regulations. The 66-page draft proposed CCPA regulations (and they are referred to within the document as CCPA regulations) take a prescriptive approach to privacy obligations. In concept, that is not too surprising. Of concern, in some areas, they uniquely depart from approaches set forth by other state privacy laws. The quiet release of dramatic new obligations while bipartisan Senators reportedly may be reaching consensus on federal privacy legislation that could preempt state law obligations puts companies doing business in California in a difficult position. Do they scramble to operationalize new programs to comply with the CPPA’s new requirements, if finalized? Do they wait on Congress? Do they choose a third path? For now, while these draft rules are certain to change in some respects before they are finalized, they directionally outline a new privacy baseline for the United States. We highlight certain aspects of the draft rules below, with a particular focus on accountability and risk exposure, how data can be shared with other businesses for digital advertising or other functions, and what those business agreements must include to lawfully support such business relationships and comply with the amended CCPA.

Quick and Costly Potential CPPA Enforcement

Consumers, the CPPA, and the California Attorney General’s Office all are empowered to take businesses (and contractors, service providers, and third parties) to task for perceived non-compliance with privacy obligations. Among all of the proposed changes in the draft regulations, the enforcement provisions should cause many companies, regardless of their role, to pause and evaluate whether they’ve allocated sufficient resources to address privacy compliance. While there is no private right of action for privacy violations under the CCPA/CPRA, the draft rules set forth a new, expanded, and fast-tracked form of compliance monitoring and enforcement that could surprise many companies and prove costly.

First, while there are provisions about requiring consumers to file sworn complaints, the CPPA provides that it can accept and initiate investigations on unsworn and anonymous complaints too. For every sworn complaint, the CPPA must notify the consumer complainant in writing of what actions the Agency has taken or plans to take and the reasons for action or non-action. Because the Agency has to respond to each complaint, this could turn into a routinized process of a high volume of complaints forwarded to businesses, with tight timeframes to respond in writing or else face violations and administrative fines.

The rules provide that there is “probable cause” of a privacy violation if “the evidence supports a reasonable belief that the CCPA has been violated.” There is no mention of extensions of time for good faith reasons. Under the statute, the CPPA can find a violation through a probable cause hearing if it provides notice by service of process or registered mail with return receipt to the company “at least 30 days prior to the Agency's consideration of the alleged violation.” The notice must contain a summary of the evidence and inform the company of its right to be present “in person and represented by counsel.” The “notice” clock starts as of the date of service, the date the registered mail receipt is signed, or, if the registered mail receipt is not signed, the date returned by the post office. It’s possible this process occurs through the forwarding of unverified consumer complaints.

Under the draft rules, a company can request the proceeding be made public if they make a written request at least 10 business days before the proceeding. A company has a right to an in-person proceeding only if it requests the proceeding be made public. Otherwise, the proceeding may be conducted in whole or in part by telephone or video closed to the public. Participants are limited to the company representative, legal counsel, and CPPA enforcement staff. The CPPA serves as prosecutor and arbiter, and the draft rules do not define how the agency preserves its neutrality in its latter role.

The CPPA makes a determination of probable cause at such proceeding “based on the probable cause notice and any information or arguments presented at the probable cause proceeding by the parties.” If a company does not participate or appear, it waives “the right to further probable cause proceedings” (it’s not clear in the draft rules whether that is limited to the facts of that matter, or future alleged violations) and a decision can be made on the information provided to the CPPA (such as through a complainant).

The CPPA then issues a written decision and notifies the company electronically or by mail. Of concern, the draft rules provide that this determination “is final and not subject to appeal.” Under the statute, violations can result in an administrative fine of up to $2500 for each violation, and up to $7500 for each intentional violation or if the violation involves minors. Multiple parties involved can be held jointly and severally liable. It’s conceivable that violations may be calculated on any number of factors that could add up substantially, and as contemplated by these draft rules, there is no process to challenge such judgments, including if there are factual or legal disputes. One can imagine future legal proceedings that challenge a variety of the legal bases for such a structure if these rules are finalized as drafted.

Service Provider Requirements and Restrictions

Data Privacy Addendums Get a Further Tune Up, and Open Question on Whether They Need to be Bespoke. One aspect of state privacy law compliance that has consumed considerable resources and time is the service provider contract. Who is a service provider? What must the contract say? What restrictions apply to service providers (or contractors)? The draft rules continue to add more obligations.

An entity must have a written contract in place that meets all of the requirements outlined below to even qualify as a service provider or contractor. The contract requirements are very granular, go beyond what most current privacy addendums (or technology provider terms and conditions) look like today, and include:

  • Restricting the service provider/contractor from selling or sharing the business’s personal information.
  • Identifying which specific business purposes and services are required for processing the business’s personal information, and providing that such disclosure occurs only for the limited and specified business purposes set forth in the contract. This cannot be stated generally with reference to the agreement, but rather requires a specific description.
    • This language suggests that a one-size-fits-all data processing agreement for all vendors processing personal information for different business purposes or functions might not be sufficient, which is very concerning from a resource and practicality standpoint.
  • Restricting the processing of personal information outside of, or for any purpose other than, the business purposes in the contract, including to service a different business, unless permitted by the CCPA. Awkwardly, the proposed rule suggests that all of the specific business purpose(s) and service(s) identified earlier would need to be restated as part of the restrictions.
    • On this last point, the draft rules underscore this specific example: “a service provider or contractor shall be prohibited from combining or updating personal information received from, or on behalf of, the business with personal information that it received from another source unless expressly permitted by the CCPA or these regulations.”
  • Requiring compliance with all applicable provisions of the CCPA, including providing the same level of privacy protection as applicable to businesses, cooperating with the business in handling consumer rights requests, and reasonable data security provisions.
  • Reasonable audit provisions to ensure CCPA compliance, such as “ongoing manual reviews and automated scans of the service provider’s system and regular assessments, audits, or other technical and operational testing at least once every 12 months.”
  • Notification to the business within 5 business days if the service provider/contractor determines it cannot meet its obligations.
  • Providing the business the right to take reasonable steps to stop and remediate any unauthorized use of personal information by the service provider/contractor, such as “to provide documentation that verifies that [the service provider/contractor] no longer retain[s] or use[s] the personal information of consumers that have made a valid request to delete with the business.”
  • Providing that the business will notify the service provider/contractor of any consumer rights request and provide the information necessary for the service provider/contractor to comply with the request.

In addition to the contract, the draft rules emphasize that these cannot just be words on paper that diverge from actual practices. Section 7051(e) notes in particular that, in assessing compliance, the CPPA can evaluate whether the business conducted any due diligence to support a reasonable belief of privacy compliance, and whether and how the business enforces its contract terms, including performing audits. If there is non-compliance, both parties can be held jointly and severally liable.

The Limitations on Internal Use of Customer Data by a Service Provider/Contractor. The draft rules provide that a service provider/contractor is restricted from using customer personal data for its own purposes, except for internal use to build or improve the quality of its services, provided that the service provider/contractor does not use the personal information to perform services on behalf of another person in a manner not permitted under the CCPA. This language is notably different from the governing CCPA rules. The examples outlined below, together with the admonition above that the service provider cannot combine or update personal information received from another source unless permitted by the CCPA, make it ambiguous when updating personal information crosses the line. The examples suggest that where such functions are meant to facilitate personalized advertising or data sales, they would not fit within a service provider/contractor role.

Use for Analysis/Data Hygiene (Sometimes). The draft rules set forth two examples that seem to allow some analysis and data correction under particular circumstances. The first illustration emphasizes that the service provider/contractor can analyze how a business customer’s consumers interact with company communications to improve overall services, and the second example highlights that a service provider/contractor can use customer data to identify and fix incorrect personal information that, as a result, would improve services to others. The draft rules underscore, however, that a service provider/contractor could not compile (e.g., enrich/append) personal information for the purpose of sending advertising to another business or to sell such personal information.

Data Security/Fraud Prevention. Consistent with the statute, the draft rules allow service providers/contractors to use and combine customer personal information “[t]o detect data security incidents or protect against malicious, deceptive, fraudulent or illegal activity.”

Other Legal Purposes. The draft rules acknowledge that a service provider/contractor can use customer data to comply with other laws, lawful process, to defend claims, if the data is deidentified or aggregated, or does not include California personal information.

Advertising Service Provider Functions Look Limited. The draft rules acknowledge that a business can engage a service provider/contractor for advertising/marketing services if the services do not combine opted-out consumer data from other sources. The draft rules also affirmatively reiterate that an entity that provides cross-contextual behavioral advertising is a third party and not a service provider/contractor.

  • As an example of what would cross the line, the draft rules provide that a service provider/contractor can provide non-personalized advertising based on aggregated or demographic information (ads based on gender, age range, or general geographic location), but could not, for example, share the business’s customer information with a social media platform to “identify users on the social media company’s platform to serve advertisements to them.” This example is stated without qualification to what commitments the platform has provided on its own use and restrictions as to such data, or if and how any other permitted “business purposes” under the CPRA may apply.
  • In another example, the draft rules provide that an advertising agency can be a service provider/contractor by providing contextual advertising services. Again, this example is set forth without reference to any other business purposes that may apply. However, one wonders whether the enforcement structure may inhibit broader interpretations where functions involve personalized advertising and analytics.

Third Parties that “Control the Collection” of Personal Information

Notice at Collection. The draft rules have new language that, in the context of “notice at collection,” provides that when more than one party controls personal information collection, such as in connection with digital advertising, all such parties must provide a very detailed “notice at collection” that accounts for all parties’ business practices. As an example:

  • A “first party may allow another business, acting as a third party, to control the collection of personal information from consumers browsing the first party’s website. Both the first party that allows the third parties to collect personal information via its website, as well as the third party controlling the collection of personal information, shall provide a notice at collection.”

Both parties also would need to honor opt outs of sale/sharing, and the “notice at collection” would need to include “the names of all the third parties that the first party allows to collect personal information from the consumer,” or the first party can include in its “notice at collection” the information provided by the third party that would meet all of the requirements about its business practices. For example, a company that has a third party analytics tag on its website would need to post a conspicuous link to its “notice at collection” about the analytics company’s information practices on its homepage and all webpages that include the tag collecting personal information. The analytics company also would need to post a “notice at collection” on its website’s homepage. These requirements also apply offline, where applicable.

Honoring Opt Outs. Section 7051 provides that third parties are directly obligated to honor opt outs, including as conveyed through a global privacy signal or otherwise on a first-party business’s site hosting the third party’s tag collecting personal information, unless the first-party business informs the third party that the consumer has consented to the sale/sharing, or “the third party becomes a service provider or contractor that complies with the CCPA and these regulations.”

  • This latter provision is interesting because it suggests implicit support for frameworks, such as IAB’s LSPA, where a contract that contains commitments around use of personal data post-opt outs can support a continued service provider role.

The first-party business would also be required to “contractually require the third party to check for and comply with a consumer’s opt-out preference signal unless informed by the business that the consumer has consented to the sale or sharing of their personal information.” A contract must be in place with the first party in order for the third party to lawfully collect and use personal information collected from the first party site. The contract would need to comply with all of the express requirements for such third party contracts under the CCPA. As with service providers/contractors, these contract provisions are very detailed, and due diligence and accountability provisions are also required.

* * *

There is a lot to consider and while all of these provisions remain subject to further changes, it is clear that the draft rules suggest a more exacting expectation as to privacy compliance by companies doing business in California or otherwise with California residents, and an expansive new set of obligations to tighten such compliance within the information supply chain. We will cover in future blog posts how these draft rules contemplate other business obligations, including as to obligations around obtaining consent, privacy policies, responses to consumer privacy rights, the use of sensitive personal information, and mechanics of complying with opt out of sales/shares, and global privacy controls. If you are interested in submitting comments in the rulemaking process or have questions about privacy compliance, please reach out to members of Kelley Drye’s privacy team.

JOIN US

A Readout of the California Privacy Protection Agency's Draft Proposed CPRA Regulations

Separately, join us as Kelley Drye privacy lawyers provide observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and will offer strategies to plan efficiently for compliance in the face of these proposals. Register here.

Privacy Priorities for 2022: Tracking State Law Developments
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/privacy-priorities-for-2022-tracking-state-law-developments
Fri, 25 Mar 2022 13:10:13 -0400

The replay for our April 28, 2022 Privacy Priorities for 2022: Tracking State Law Developments webinar is available here.

In the absence of a federal privacy law, privacy has been at the forefront of many states’ legislative sessions this year. Against this backdrop, state attorneys general continue to initiate investigations into companies’ privacy practices, and state agencies continue to advance privacy rulemakings under existing law. Aaron Burstein, Laura VanDruff and Paul Singer, presented this webinar to help learn about the latest developments in state privacy law, make sense of these developments and understand their practical impact.

To view the webinar recording, click here or view it on the new Ad Law Access App.

Top Privacy Issues to Watch in 2022
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/top-privacy-issues-to-watch-in-2022
Wed, 19 Jan 2022 21:28:04 -0500

You’ve probably seen a lot of privacy forecasts for 2022 during the past few weeks. Here’s one that reflects the collective thoughts of our diverse privacy team, which includes former high-level officials from the FTC and State AG offices, and practitioners who have been advising clients about privacy for over 30 years.

Note: Our team will discuss these issues, along with practical suggestions for how companies can tackle privacy challenges, in a January 26 webinar at 4 pm ET. Please tune in! You can register here.

  • State privacy developments will continue to drive much of the U.S. privacy debate.
    • California and Colorado will launch rulemakings to implement their laws, setting an example for other jurisdictions and prompting industry changes even beyond their borders. Meanwhile, companies will be gearing up for the effective dates of all three state laws (January 1, 2023 for California and Virginia, and July 1, 2023 for Colorado).
    • With multiple bills already pending in other states, we may see additional state laws by year’s end. Draft bills introduced thus far suggest a range of approaches that vary from existing laws, suggesting compliance may become even more complex in the coming year.
    • Even states without comprehensive privacy laws will seek to use their “unfair and deceptive” trade practice authority in increasingly creative ways to address privacy. A recent example is Arizona’s effort to challenge Google’s collection and use of location data.
  • The FTC will pursue an aggressive privacy agenda, pushing the boundaries of its legal authority and seeking to move the goalposts governing data collection, use, and sharing.
    • It will launch a broad “surveillance” rulemaking under its Magnuson-Moss procedures, seeking strict limits on personalized advertising, lax security practices, and algorithmic discrimination. (As we discuss here, though, the rule will likely take years to complete.)
    • It will increase enforcement of sectoral privacy laws and rules (e.g., FCRA, COPPA, GLB Privacy, Red Flags), so it can get monetary relief, post AMG. It also will try to obtain settlements for alleged violations of the Health Breach Notification Rule – which it “clarified” in a 2021 policy statement covers virtually all health apps.
    • It will focus on tech platforms and other large companies, through both aggressive enforcement and high-profile studies, such as its upcoming report on social media companies.
    • In all of its privacy cases, the FTC will seek stringent remedies, including data deletion, bans on conduct, notices to consumers, stricter consent requirements, individual liability, and significant monetary relief based on a range of creative theories. (See our scorecard on the FTC’s use of such theories here.)
  • Other federal agencies will flex their muscles on privacy and data security, scrutinizing and regulating companies within their areas of jurisdiction.
    • For example, the CFPB recently ordered the tech giants to turn over information regarding the data practices of payments systems they operate. The FCC just moved to update breach reporting requirements under the CPNI rules. And the SEC just fined eight broker-dealers and investment companies for their “deficient cybersecurity procedures.”
    • Expect these types of actions to accelerate in the coming year, as privacy continues its ascent as a top regulatory, consumer protection, and risk management issue.
  • Developments in and around the tech platforms will continue to have ripple effects across the entire marketplace.
    • The tech platforms (yeah, them again) will continue to tighten their rules governing data sharing, third-party cookies, use of identifiers, and access to their platforms, forcing other companies to develop new ways to market their brands.
    • “Big tech” antitrust challenges will advance through legislatures and the courts, requiring policymakers and enforcers to finally confront the tension between competition interests (which seek to expand access to data) and privacy interests (which seek to limit access).
  • Cross border data transfers will become ever more difficult, as Privacy Shield remains unresolved and the EU accelerates GDPR enforcement.
    • For example, Austria’s DPA recently held that Google Analytics violated the GDPR when it transferred to the U.S. EU citizens’ IP address and identifiers in cookie data, notwithstanding Google’s claim that it had protective measures in place.
    • Further, the record fines being obtained for GDPR violations (a reported seven-fold spike in 2021) will increase the peril for multinational companies that transfer data as part of their operations.
  • The plaintiff’s bar will continue to test the limits of addressing privacy in private litigation, despite some setbacks in 2021.
    • The setbacks include the high bar set by the Supreme Court regarding the proof of harm necessary to confer standing in privacy cases. In addition, neither Virginia nor Colorado included a private right of action in their comprehensive privacy laws.
    • However, the California law includes a private right of action for data breaches, and pending legislative proposals in other states include private rights of action for privacy, security, or both. Plaintiffs also are employing other statutory frameworks to address privacy, such as the contract laws cited in the recent class action against Zoom, and the call recording laws cited in session-replay lawsuits.
  • Congress will continue to debate whether to pass a federal privacy law.
    • Yes, it’s safe to assume that the never-ending debate will continue! The harder question is whether Congress will finally pass anything.
    • It’s possible. Businesses have never wanted a federal privacy law more – to deal with the specter of more state privacy laws, “overreach” by the FTC, the EU’s heightened enforcement efforts, and the overall confusion created by fragmented privacy regimes (i.e., all of the issues discussed above).
    • The more likely scenario, however, is that Congress will pass something narrower, like a bill to amend COPPA or provide new privacy protections for teens, which could be an area of consensus among Democrats and Republicans. (Another possibility, just proposed by some Democrats, is legislation to ban “surveillance advertising,” similar to the rule that the FTC is planning. However, that would likely be a much more divisive issue in Congress.)
Privacy remains at the forefront in 2022. In our January 26 webinar, we will help you think about what to monitor and what to prioritize. Please join us, and feel free to send us a note if you have questions that you’d like us to address in the webinar.

CPRA Update: California Legislature Makes Technical Changes to CPRA
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-update-california-legislature-makes-technical-changes-to-cpra
Thu, 14 Oct 2021 12:54:09 -0400

Last week, California’s Governor Gavin Newsom signed into law AB 694, which makes a few technical changes to the California Privacy Rights Act (CPRA). The relevant changes to the CPRA are summarized below.
  • As defined in the CPRA, “personal information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. The bill modifies the definition of “publicly available” by removing the apparently superfluous language “or by the consumer.” The change to the definition in the CPRA is as follows:
    • “‘[P]ublicly available’ means: information . . . lawfully made available . . . or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media [deleted: , or by the consumer]; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.”
  • The bill changes when the California Privacy Protection Agency will assume responsibility for rulemaking from the “earlier” to the “later” of two dates: July 1, 2021 or six months after the Agency provides notice to the Attorney General that it is prepared to begin rulemaking. The change in the CPRA is as follows:
    • “The agency shall perform the following functions: . . . (b) On and after the [deleted: earlier] [added: later] of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking responsibilities under this title, adopt, amend, and rescind regulations pursuant to Section 1798.185 to carry out the purposes and provisions of the California Consumer Privacy Act of 2018 . . . .”
  • The bill also adds an exemption to the consumer’s right to opt out of the sale of their personal information by a third party. A consumer cannot opt out when the information pertains to “vessel information” and ownership information shared between a “vessel dealer” and a manufacturer, if such information is shared for certain purposes. The bill adds definitions for the terms “vessel information” and “vessel dealer.”
We will continue to monitor and report on CPRA developments as they occur.

Soltani Appointed as Inaugural California Privacy Protection Agency Executive Director
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/soltani-appointed-as-inaugural-california-privacy-protection-agency-executive-director
Wed, 06 Oct 2021 03:29:38 -0400

During last month’s California Privacy Protection Agency (CPPA) Board meeting, the only substantive agenda item, addressed in closed session, was a discussion of two key appointments: the first Executive Director and a Chief Privacy Auditor, as required by CPRA’s Section 1798.199.30. On October 4, 2021, the five-person CPPA board announced that it had appointed Ashkan Soltani to the Executive Director position. Soltani brings to the table a variety of privacy experience as a former FTC Chief Technologist, a Senior Advisor to the U.S. Chief Technology Officer in the White House Office of Science and Technology Policy during the Obama Administration, and one of the architects behind the CCPA and CPRA.

The CPRA does not provide much detail on the responsibilities for the Executive Director position, and in fact only mentions the role twice. Particularly, the CPRA states that the Executive Director does not have exclusive oversight of the rulemaking process and must share that responsibility with the Board. Nevertheless, the CPPA board announcement hints that Soltani will have an influential role in enforcement activities, rulemaking, building public awareness, and building and leading the Agency staff.

Soltani’s first year as Executive Director will be a busy one. As we recently reported, the CPPA began its rulemaking process by asking for comments on topics such as opt-out rights, automated decisionmaking, the right to correct, and any needed changes to CPRA definitions. Significantly, the topics also include the issue of global privacy controls, on which Soltani has been a leading voice and advocate. Though the deadline for comments is not until November 8, we expect to see a substantial number of comments on a wide range of issues.

Soltani’s public statements give some indication of the policy positions he may take in his role as Executive Director. In a Senate hearing last week, Soltani supported more FTC enforcement resources, a preemption provision in a privacy bill that would still allow states to craft more restrictive legislation, and more technical expertise in consumer protection enforcement. Soltani also stated that he considered core behavior changes to come not from regulatory fines, but from injunctions and restrictions imposed on businesses. Though the CCPA/CPRA schemes are different from the FTC Act, Soltani’s comments suggest he might seek to use injunctive relief as a complement to civil penalties under the CCPA/CPRA.

We expect the CPPA Board to announce its appointment of a Chief Privacy Auditor in the near future. These additions and the preliminary rulemaking will allow the agency to prepare for the CPRA’s January 1, 2023 effective date. We will continue to monitor this space and post relevant updates.

CPRA Update: California Privacy Rulemaking Process Begins
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-update-california-privacy-rulemaking-process-begins
Sun, 26 Sep 2021 21:32:15 -0400

On September 22, the California Privacy Protection Agency (CPPA) issued an invitation for public comments as part of its first “preliminary” rulemaking activities. Established by the California Privacy Rights Act (CPRA) ballot initiative last November, the CPPA has the authority to write rules that address some of the most technical and controversial topics addressed in the CPRA.

The CPPA’s rulemaking process kicks off a little more than a year after the Office of the California Attorney General’s first set of final rules implementing the California Consumer Privacy Act (CCPA) went into effect. The Attorney General Office’s approach to CCPA regulations focused primarily on developing a standardized approach to implementing core CCPA compliance concepts: notice, responses to and verification of consumer requests, the service provider definition and obligations, and non-discrimination standards. The CPRA puts thornier issues into play for rulemaking: assessing risks to consumer privacy, standards for using automated decisionmaking, limiting uses of sensitive personal information, and further defining what it means to “combine” consumer personal information. Given the challenge ahead, it is not surprising that the CPPA indicated that it is not interested in re-litigating old battles addressed in the CCPA regulations, stating it is “particularly interested in comments on new and undecided issues not already covered by the existing CCPA regulations.” Here’s a preview of key rulemaking topics under consideration at the CPPA:
  • Opt-Out Rights: The CPRA expands consumers’ rights related to their personal information held by businesses, including adding a new right to opt out of “sharing” of personal information for cross-context behavioral advertising, and a new right to limit the use and disclosure of sensitive personal information. The CPPA requests comments on how to allow consumers to limit use of sensitive personal information, how to apply opt-out rights to certain minors, and how to enable consumers who have opted out to consent to uses of their personal information. The CPPA also requests comment on how to interpret certain exemptions to the right to limit use and disclosure of sensitive personal information. The CPPA also delves directly into a debate on global privacy controls, asking “what requirements and technical specifications should define an opt-out preference signal sent by a platform, technology, or mechanism.”
  • Intentional Interaction Standard: Closely related to the CCPA’s opt-out right, an important, broad exemption to a “sale” involves an “intentional interaction” in which a consumer demonstrates through an interaction that the consumer agrees to the transfer of their personal information to a third party. The CPPA solicits comment on whether it should further refine the definition of “intentionally interacts.”
  • Risk Assessments: The CPPA has the authority to require businesses that engage in activities that present a significant risk to consumer privacy or security to perform regular cybersecurity audits and privacy risk assessments (similar to DPIAs required by GDPR and data protection assessments under Virginia’s and Colorado’s privacy laws – the VCDPA and ColoPA, respectively). The CPPA solicits comments on the meaning of “significant risk” and the types of requirements that should apply to these regular audits and assessments. The CPPA also asks whether activities deemed an undue risk should be restricted or prohibited.
  • Automated Decisionmaking: The CPPA solicits feedback on how it should implement its authority regarding automated decisionmaking technology, including how to define “automated decisionmaking,” the types of disclosures that should be provided to consumers, and any rights to opt out. Like risk assessments, this concept could mimic existing EU law. Article 22 of the GDPR restricts automated processing that produces legal effects or has a similarly significant effect on the individual. The VCDPA and ColoPA import similar concepts through their provisions on “profiling.” It remains to be seen whether the CPPA will interpret its automated decisionmaking authority consistently with GDPR, Colorado, and Virginia.
  • Service Provider Restrictions on Combining Data from Multiple Customers: The CPPA seeks comments on the definition of “business purposes” for which service providers and others may “combine” personal information obtained from different sources. Although this issue was addressed in the AG’s rulemaking process, the invitation for comment raises the question of whether the CPPA may further limit a service provider’s ability to combine personal information. Further restrictions could have a broad impact on everything from security to the development and improvement of artificial intelligence systems.
Aside from these significant topics, the CPPA will also address technical issues that can have a material impact on business compliance processes. These include:
  • Right to Correct: The CPPA solicits feedback on necessary adjustments to the CCPA rules to incorporate the new consumer right to correct inaccurate personal information.
  • Lookback: The CPPA requests comment on how to operationalize the twelve-month lookback, focusing in particular on what it means for a company to deny a request for information from beyond twelve months based on the “impossible” or “disproportionate effort” standards described in the CPRA.
  • Audit Authority: The CPPA seeks feedback on its authority to audit compliance with CPRA.
  • Definitions: The CPPA solicits feedback on any necessary changes to CPRA definitions, including the definition of personal information, sensitive personal information, “specific pieces of information obtained from the consumer” (e.g., what must be provided in response to an access request), deidentified, unique identifier, precise geolocation, and dark patterns.
Responses to the CPPA’s request for comments are due by November 8, 2021. If you are interested in submitting comments to the CPPA, please reach out to attorneys in the Privacy and Information Security practice group at Kelley Drye for assistance.
Privacy Law Update: Colorado Privacy Bill Becomes Law: How Does it Stack Up Against California and Virginia?
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/privacy-law-update-colorado-privacy-bill-becomes-law-how-does-it-stack-up-against-california-and-virginia
Thu, 08 Jul 2021 23:50:13 -0400

The Colorado Legislature recently passed the Colorado Privacy Act (“ColoPA”), joining Virginia and California as states with comprehensive privacy legislation. Colorado Governor Jared Polis signed the bill (SB 21-190) into law on July 7, and ColoPA will go into effect on July 1, 2023.

How does the measure stack up against the VCDPA and the CCPA (as amended by CPRA)? The good news is that, in broad terms, ColoPA generally does not impose significant new requirements that aren’t already addressed under the CCPA or VCDPA, but there are a few distinctions to note.

  • Establishing consumer rights. As with the VCDPA and the CCPA, ColoPA provides rights for access, deletion, correction, portability, and opt out for targeted advertising, sales, and certain profiling decisions that have legal or similar effects. Unlike CCPA, which permits an authorized agent to submit any consumer requests, under ColoPA, authorized agents can only submit sale opt-out requests.
  • Universal opt-out requests. ColoPA also requires the Attorney General to establish technical specifications for a universal targeted advertising and sale opt-out (e.g., global privacy control) by July 1, 2023, which controllers must honor starting July 1, 2024. Note there also will be CPRA regulations on this point with compliance likely due by January 1, 2023. Unlike CPRA, which makes the global privacy control optional, controllers must comply with the universal opt-out under ColoPA.
  • Appealing consumer rights decisions. Like Virginia, ColoPA requires controllers to set up mechanisms permitting consumers to appeal a controller’s decision not to comply with a consumer’s request. The controller must then inform the consumer of its reasons for rejecting the request and also inform the consumer of his or her ability to contact the Attorney General “if the consumer has concerns about the result of the appeal.”
  • Requiring data protection assessments. Similar to GDPR, and consistent with the VCDPA, ColoPA requires data protection assessments (“DPAs”) for certain processing activities, namely, targeted advertising, sales, certain profiling, and processing of sensitive personal data. As with Virginia, the Colorado Attorney General has the right to request copies of a controller’s DPAs.
  • Consent for certain processing. Again following Virginia’s lead, ColoPA requires opt-in consent for the processing of sensitive personal information, which covers categories such as racial or ethnic origin, religious beliefs, citizenship, or genetic or biometric data used for uniquely identifying an individual. ColoPA also requires consent for processing children’s data, with a “child” being any individual under the age of 13. Unlike the VCDPA, ColoPA does not require COPPA-compliant consent for such processing, but ColoPA does exempt from the law personal data that is processed consistent with COPPA requirements.
  • Right to cure. ColoPA allows controllers to cure violations and is unique by establishing the longest right to cure, at 60 days, and also because the statute repeals the provision on January 1, 2025. By this date, the Attorney General may have established rules to issue opinion letters and guidance that businesses can rely on in good faith to defend an action that would otherwise violate the law. Such rules must go into effect by July 1, 2025.
  • Establishing controller duties. ColoPA establishes certain duties for controllers, including the duties of transparency, purpose specification, data minimization, care, avoiding unlawful discrimination, and duties regarding sensitive data. These duties create related obligations, such as providing a privacy policy, establishing security practices to secure personal data, and obtaining consent prior to processing sensitive data or children’s data.
  • Consent for secondary use. ColoPA also establishes a “duty to avoid secondary use.” This duty requires consent to process personal data for purposes “not reasonably necessary or compatible with” the original purposes for collection. This requirement suggests that businesses need to keep detailed records of the personal data that they are collecting, the purposes for initially collecting such personal data, confirm such purposes are consistent with disclosures made to consumers, and track the scope of consent in connection with such data uses.
Side-by-side comparison of ColoPA, VCDPA, and CCPA (as amended by CPRA):

  • Thresholds to Applicability
    • ColoPA: Conduct business in CO or produce products or services targeted to CO and (a) control or process personal data of at least 100,000 consumers; or (b) derive revenue or receive a discount on the price of goods or services from selling personal data or control personal data of at least 25,000 consumers
    • VCDPA: Conduct business in or produce products or services targeted to VA and (a) control or process personal data of at least 100,000 consumers; or (b) derive over 50% of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers
    • CCPA: Conduct business in CA and collect personal information of CA residents and: (a) has $25 million or more in annual revenue for the preceding calendar year as of Jan. 1 of the calendar year; (b) annually buys, sells, or shares personal data of more than 100,000 consumers or households; or (c) earns more than 50% of its annual revenue from selling or sharing consumer personal information
  • Consent
    • ColoPA: Requires opt-in consent for processing sensitive personal data, including children’s data, and certain secondary processing
    • VCDPA: Requires opt-in consent for processing sensitive personal data, and COPPA-compliant consent for processing children’s data
    • CCPA: Requires opt-in consent for sharing PI for cross-context behavioral advertising for children under 16, including parental consent for children under 13
  • Opt-Out
    • ColoPA: Required for targeted advertising, sales, and profiling for legal or similarly significant effects
    • VCDPA: Required for targeted advertising, sales, and profiling for legal or similarly significant effects
    • CCPA: Required for profiling, cross-context behavioral advertising, and sale; right to limit use and disclosure of sensitive personal information
  • Other Consumer Rights
    • ColoPA: Access, Deletion, Correction, Portability
    • VCDPA: Access, Deletion, Correction, Portability
    • CCPA: Access, Deletion, Correction, Portability
  • Authorized Agents
    • ColoPA: Permitted for opt-out requests
    • VCDPA: N/A
    • CCPA: Permitted for all requests
  • Appeals
    • ColoPA: Must create process for consumers to appeal refusal to act on consumer rights
    • VCDPA: Must create process for consumers to appeal refusal to act on consumer rights
    • CCPA: N/A
  • Private Cause of Action
    • ColoPA: No
    • VCDPA: No
    • CCPA: Yes, related to security breaches
  • Cure Period?
    • ColoPA: 60 days, until the provision expires on Jan. 1, 2025
    • VCDPA: 30 days
    • CCPA: No
  • Data Protection Assessments
    • ColoPA: Required for targeted advertising, sale, sensitive data, certain profiling
    • VCDPA: Required for targeted advertising, sale, sensitive data, certain profiling
    • CCPA: Annual cybersecurity audit and risk assessment requirements to be determined through regulations

Given the significant overlap among the three privacy laws, companies subject to ColoPA should be able to leverage VCDPA and CCPA implementation efforts for ColoPA compliance. If ColoPA is any example, other state privacy efforts may not veer too far from the paths VCDPA and CCPA have forged. The key will be to closely monitor how the CPPA and the Colorado Attorney General address forthcoming regulations and whether they add new, distinct approaches for each state. Check back on our blog for more privacy law updates.

CPRA Update: How to Prepare for Privacy Compliance as an Employer
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-update-how-to-prepare-for-privacy-compliance-as-an-employer
Sun, 20 Jun 2021 08:10:53 -0400

Last year’s voter guide to California Proposition 24, the California Privacy Rights Act (CPRA), included a stark argument against enacting the privacy ballot initiative because it did not go far enough to protect employee privacy. “Currently, employers can obtain all kinds of personal information about their workers and even job applicants,” the argument against Proposition 24 written by Californians for Privacy Now stated. “Proposition 24 allows employers to continue secretly gathering this information for more years to come…”

The message did not stick. Voters overwhelmingly enacted the CPRA, apparently judging that its provisions – including those that apply to employers – were worth an additional two-year waiting period. The effective date of the new law is January 1, 2023.

As companies build their roadmap to CPRA compliance, that assessment should also take into account planning for employee and job applicant privacy changes. The new law imposes first in the nation obligations that grant employees and job applicants new rights to access, correct, delete, and opt out of the sale or sharing of their personal information. The law also prohibits discriminating against employees or job applicants who lodge privacy rights requests.

In this post, we provide an overview of topics that employers should know as the sunset of the employer exception to CCPA approaches.

Why Would CCPA Apply to Employers?

The California Consumer Privacy Act of 2018 (CCPA), which became effective on January 1, 2020, originally applied to employers. The law defines a “consumer” as a natural person who is a California resident. This includes employees, job applicants, contractors, or other staff of a business.

In 2019, the California legislature amended the CCPA with a stopgap measure – for one year, the CCPA would not apply to employers. The measure, AB 25, said that personal information collected by a business in the course of the person acting as an employee, job applicant, or contractor in connection with the consumer’s employee, job applicant, or contractor role is exempt from the CCPA. Also exempt is emergency contact information or information necessary to administer benefits.

Last year, California voters extended the employer exemption for another two years to January 1, 2023 in the CPRA ballot initiative.

What Employers are Covered by California Privacy Law?

If a business is covered by the CCPA for consumer data, it is covered for employee data. Starting in January 2023, the CPRA thresholds for coverage are as follows:

  • Annual gross revenues in excess of $25 million in the preceding calendar year,
  • Buys, sells, or shares personal information of 100,000 or more California consumers or households, or
  • Derives 50 percent or more of its annual revenues from selling or sharing California consumers’ personal information.
Some employers may be eligible for certain exemptions that are applicable to already-regulated information that they hold about their employees. For example, credit information that employers routinely collect to assess employment eligibility may be subject to an exception, because the information is already covered under federal fair credit reporting laws.

Also, employers that have existing obligations as business associates under the Health Insurance Portability and Accountability Act (HIPAA) may also be exempt with respect to any medical, protected health information (PHI), or covered benefits information that they maintain, use, or disclose.

In general, employers are also not required to comply with CPRA obligations that conflict with other federal, state, or local laws or legal obligations, or that restrict an employer’s ability to exercise or defend legal claims. For example, affirmative legal obligations to gather and maintain certain information, such as EEO-1 reports or compensation-related information, may directly conflict with CPRA.

What Constitutes Employee Personal Information?

The definition of employee “personal information” includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular employee.

This may include name, contact information, identifiers, protected classifications (like gender, race, or sexual orientation), financial or medical information, account login, religious or philosophical beliefs, union membership, commercial information, biometric information, internet or electronic network activity information, geolocation data, audio, electronic, visual, thermal, olfactory, or similar information, professional or employment-related information, education information, and inferences drawn from any of this information about the employee.

The contents of an employee’s mail, email, and text messages constitute sensitive personal information, a sub-category of personal information, unless the employer is the intended recipient of the communication.

What Obligations Apply Starting in January 2023?

All CPRA obligations apply. These include:

  • Notice: Employers will be required to provide a comprehensive notice of their collection of personal information from employees, job applicants, and contractors, including a description of the categories of personal information collected, the purposes of collection, details on disclosure of personal information, and information about retention of personal information.
  • Right to access: Provide employees with a right to access categories of personal information and specific pieces of personal information. This includes any inferences drawn from personal information to create a profile reflecting the employee’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  • Right to correct: Provide employees with the right to correct their personal information using commercially reasonable efforts.
  • Right to delete: Provide employees the right to delete their personal information. However, numerous statutory exemptions may apply, including allowing an employer to retain personal information reasonably anticipated by the employee within the context of an ongoing relationship with the employer, to perform a contract between the employee and employer, or to comply with a legal obligation.
  • Right to restrict uses of sensitive personal information: Sensitive personal information includes a social security number, account login, financial information, geolocation, racial or ethnic origin, religious beliefs, sexual orientation, health information, biometrics, and the contents of employee communications unless the employer is the intended recipient of the communication. Starting in January 2023, an employee may be able to direct an employer to limit certain uses of sensitive personal information to specific business purposes, as well as to direct an employer to limit disclosure of sensitive personal information, absent a qualifying exemption.
  • Right to opt out: Provide employees the right to opt out of the sale of personal information to third parties. The term “sale” is a broad term, and includes disclosing employee information to business partners, vendors, and contractors absent a written agreement containing specific terms restricting the third party’s use of that data, or a qualifying exemption.
Certain obligations are subject to change depending on action expected in the coming year from the newly constituted California Privacy Protection Agency.

What Steps Should Employers Take to Prepare?

Given the complexity of HR data and systems, as well as the sensitivity of employee data generally, it is not too early for employers to prepare for CPRA. Such efforts might include, for example:

  • Privacy Stakeholders: Determine the legal, HR, and technology support (internal resources or external technology solutions) responsible for the efforts necessary to build a privacy compliance program and respond to privacy rights requests.
  • Data Mapping: Understand the information that the business collects, the categorization of data (whether personal information or sensitive personal information), the location of the data, and the steps to access, correct, or delete the data. A major part of this effort should also include determining which of the identified data practices are subject to applicable exemptions from CPRA.
  • Contract Review: Review partner contracts to correctly distinguish service providers and contractors from third parties, and confirm that the contracts include the necessary restrictions for each classification. This effort might prioritize those partners that present more risk to the company, whether due to the nature of the processing or the type or volume of data in scope. Updating these contracts, however, might wait until there is more insight on the forthcoming CPRA regulations by the California Privacy Protection Agency (CalPPA) as to necessary terms, although the CCPA regulations are instructive.
  • Response Procedures: Develop procedures for responding to employee requests, including managing sensitive requests while maintaining personal information as confidential and accessible to internal personnel only on a need-to-know basis.
  • Retention Policy: Develop and document a retention policy that complies with applicable employer data retention obligations.
  • Notice: Draft an employee privacy policy that complies with new statutory obligations under CPRA, as well as forthcoming regulations by the CalPPA.
Do Any of These Obligations Apply Now?

Employers may have an obligation to provide a notice at or before collection of personal information that details the categories of personal information that they collect and the purposes for which personal information will be used.

However, due to an apparent drafting error in the CPRA ballot initiative, this privacy notice obligation is muddled by a textbook case of unclear statutory construction.

Here’s what happened. Originally, AB 25 required employers to provide a privacy notice to employees. However, the CPRA ballot initiative from last year changed a critical code section reference in an apparent drafting error. In so doing, the CPRA ballot initiative left unclear whether the employer privacy notice is required.

AB 25 said that employers would be required to provide a privacy notice based on Cal. Civ. Code 1798.100(b). The CPRA ballot initiative changed the reference to Cal. Civ. Code 1798.100(a). It is possible that the drafters intended to point to subsection (a) because in the CPRA ballot initiative this code section also requires a privacy notice. But the CPRA ballot initiative version of the code section is not actually the law until January 1, 2023.

That’s a problem because under current law (effective until December 31, 2022), Cal. Civ. Code 1798.100(a) talks about a different topic entirely – giving consumers the right to request that a business disclose the categories and specific pieces of personal information the business has collected about a consumer.

What is a reasonable interpretation in light of this problem? When it comes to statutory interpretation of ballot initiatives, courts generally say that the drafter’s intent does not matter. In California, usually a court first looks at the language of the statute. If the language is not ambiguous, the court presumes the voters intended the meaning apparent from the language. If the language is ambiguous, then courts usually look at the ballot initiative voter materials for clues on how voters made their decision.

It is easy to see why a court might agree that the language is ambiguous. The employer exception clearly does not provide a right of employees to access their personal information until January 1, 2023. Giving full effect to 1798.100(a) would be hampered by the fact that the CCPA’s core instructions on how to provide access to personal information and what to provide are subject to the employer exemption.

This brings us back to the ballot initiative materials provided to voters. The arguments against Proposition 24 from Californians for Privacy Now warn that employers will be able to secretly gather personal information “for more years to come.” Clearly, there is no recognition in the ballot initiative materials of any interim employee rights.

Bottom line? The law right now is unclear, and so, as a practical matter, it’s a best practice (and required in a few other states) to publish a privacy notice for employees and job applicants.

Final Question: Do Employers Have Privacy Obligations in Other States?

There are no other states that have enacted CPRA-style comprehensive privacy laws that apply to employees; for example, Virginia and Colorado explicitly exempted the employment context without a sunset. But there are some states, such as Connecticut, that do require some form of privacy notice to employees. There are also two-party consent requirements in a number of states that are applicable to recording calls, as well as laws that require disclosure about electronic monitoring.

Conclusion

The best way to navigate these developments is to plan ahead with a compliance roadmap leading to 2023. Figure out what resources you’ll need, including what types of internal and external support will be critical for success. Given the complexities involved, thoughtful (and realistic) preparation is a must.

* * *

Subscribe here to Kelley Drye’s Ad Law Access blog and here for our Ad Law News and Views newsletter. Visit the Advertising and Privacy Law Resource Center for update information on key legal topics relevant to advertising and marketing, privacy, data security, and consumer product safety and labeling.

Kelley Drye attorneys and industry experts provide timely insights on legal and regulatory issues that impact your business. Our thought leaders keep you updated through advisories and articles, blogs, newsletters, podcasts and resource centers. Sign up here to receive our email communications tailored to your interests.

Follow us on LinkedIn and Twitter for the latest updates.

CPRA Update: CalPPA Gets Started with Inaugural Meeting and Agenda
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-update-calppa-gets-started-with-inaugural-meeting-and-agenda
Mon, 07 Jun 2021 14:16:58 -0400

Just a few months after California officials announced the nominations of the inaugural Board members of the California Privacy Protection Agency (“CalPPA”), the CalPPA released the agenda for its first board meeting on June 14, 2021. The meeting will be held remotely in accordance with California Executive Order N-29-20, but the public may still participate via videoconference or telephone.

Why the June 14 Meeting Is Significant: While much of the CalPPA’s June 14 agenda focuses on administrative tasks, such as open meeting requirements, the Administrative Procedures Act, conflicts of interest, and subcommittee assignments, this meeting is also expected to mark the CalPPA’s first public steps toward developing California Privacy Rights Act (“CPRA”) regulations. Notably, according to the agenda, the CalPPA plans to provide official notice to California Attorney General Rob Bonta that the Board will assume rulemaking authority as of July 1, 2021, pursuant to CPRA Section 1798.199.40(b). The CalPPA may issue new CPRA regulations as well as “adopt, amend, and rescind regulations” under the CCPA.

What’s Ahead: The CalPPA has until July 1, 2022 to adopt final regulations under the CPRA, and businesses will need to closely track these developments as they design their compliance strategy for CPRA (including how to leverage existing CCPA compliance and harmonize compliance with Virginia’s new privacy law). The CPRA calls for regulations on a vast array of issues, which could materially impact compliance strategies. The topics include:

  • Opt-Outs for Sale, Sharing, and Profiling, and Limiting Use of Personal Information: CPRA grants the CalPPA the authority to adopt regulations that further define consumers’ opt-out rights, and to adopt regulations that define “intentional interactions,” which in turn define the scope of exceptions to “sale” and “sharing.” The CalPPA is also charged with issuing rules about “profiling” opt-out rights, and this area is worth watching closely because it is not aligned with Virginia’s new privacy law. CPRA defines “profiling” as the “automated processing of personal information, . . . to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” A profiling opt-out under CPRA could apply to any first-party data use that meets this definition. (The narrower profiling opt-out right under the Virginia Consumer Data Protection Act is limited to the “furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”)
  • Other aspects of opt-out rights that could be initial rulemaking targets include (a) “technical specifications” for global privacy controls, with the potential addition of a feature to indicate that the user is under the age of 13 or between 13 and 15 years old; (b) standards for consent to sell or share personal information, or to use or disclose sensitive personal information, for businesses that respond to opt-out signals; and (c) “harmonizing” CCPA rules governing privacy notices, opt-out mechanisms, and “other operational mechanisms” to “promote clarity and functionality . . . for consumers.”
  • Access Requests: CPRA directs the CalPPA to define the scope of responses to consumer requests for specific pieces of personal information. CPRA suggests that these regulations may exclude system log and other information that “would not be useful to the consumer,” as well as define authentication standards for access to sensitive personal information.
  • Business Purposes: It also is possible that the CalPPA will focus initially on “further defining” business purposes for which contractors and service providers may combine personal information from multiple businesses, and whether there are some functions that may relate to interest-based advertising, for example, that can still be within a service provider scope.

While the CPRA’s substantive provisions will not be effective until January 2023, the earlier businesses have insight on how the CalPPA will potentially address these and other areas in the new regulations, the more time there will be to craft, build, and roll out compliance strategies. Stay tuned for further updates. We will continue to keep a close watch on further developments with the Board and the CalPPA’s activities.

How to Join CalPPA’s Initial Meeting:

To join the meeting by Zoom videoconference: https://zoom.us/j/94536763262

To join the meeting by telephone: 1 (669)900-9128; Webinar ID: 945 36763262

CPRA Update: What is a “Contractor?”
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-update-what-is-a-contractor
Thu, 03 Jun 2021 09:32:11 -0400

The California Privacy Rights Act (CPRA), effective January 1, 2023, adds “contractors” to the list of entities that a business may entrust with customer data. So what is a “contractor?” And how are “contractors” different from other entities described by California privacy law, such as “service providers” or “third parties?”

As it turns out, the answer is surprising. Contractors are nearly identical to service providers, with just two differences: contractors are not data processors; and contractors must make a contractual certification in CCPA contracts. Moreover, contractors are not even new entities, and were already described in existing California privacy law.

Origins of “Contractors” in CCPA

To help explain the origins of the new contractor classification, we start with the California Consumer Privacy Act (CCPA). Under the CCPA, now in effect, each disclosure of personal information from a covered business to another entity is regulated, either via consumer opt out preferences or via contractual restrictions. Altogether, there are three potential data flows described in the CCPA: business to third party, business to service provider, and business to a person who is not a third party. We describe each in turn:

  • Business to Third Party: First, when a business discloses personal information to a third party, this constitutes the “sale” of personal information (unless an exception applies, such as in the context of an intentional disclosure). The CCPA grants consumers the right to opt out of such sales of their personal information to prevent these data flows.
As an example, selling a marketing list to a third party or sharing profile information with an adtech partner in most cases would be considered a sale of personal information to a third party.
  • Business to Service Provider: Second, when a business discloses personal information to a service provider, no “sale” occurs and there is no right of consumers to opt out. The requirements for the recipient to be a service provider are that (1) the service provider processes personal information on behalf of the business, and (2) the service provider agrees to retain, use, or disclose the personal information only for business purposes specified in a written contract.
Service providers provide technical, professional, and other business support to the business. For example, a service provider might offer various services such as cloud-based servers or software, consulting, or e-commerce fulfillment services.
  • Business to a Person Who Is Not a Third Party: Finally, there is a rarely discussed third option in the CCPA. The CCPA states that any recipient of personal information that agrees to certain enhanced contractual terms is not a third party. This third category requires that the recipient agree to contractual terms that mirror service provider contractual terms, along with three additional terms: (1) to refrain from selling the personal information, (2) to refrain from retaining, using, or disclosing the information outside the direct business relationship between the recipient and the business, and (3) to certify that the recipient understands the above contractual restrictions.
This third option is significant to avoid the “sale” of personal information. If the recipient is not a third party, then a sale can only occur if the recipient is a “business” under CCPA. In many cases, the recipient will not be a business either, typically because the recipient does not determine the purposes and means of processing the personal information.

As an example, if an authorized reseller furnishes a manufacturer with a list of new orders for fulfillment, and the manufacturer agrees to use the list only to fulfill orders, the manufacturer is not a third party. Because the manufacturer does not determine the purposes and means of processing the personal information it receives, the manufacturer is not acting as a “business.” No sale occurs.

Similarly, if an identity verification service sends personal information to a company to assist that company with confirming the identity of an applicant for service, and the company agrees contractually to limit its use and disclosure of the information for business purposes, the recipient is not a third party or business and no sale occurs from the identity verification service to the business.

Here’s a summary of the entities that may receive personal data under the CCPA:
  • Third Party (1798.140(w)): Sale? Yes. Processor terms: N/A. Contractual terms: N/A.
  • Service Provider (1798.140(v)): Sale? No. Processor terms: the service provider processes personal information on behalf of the business. Contractual terms: retain, use, or disclose personal information only for business purposes.
  • Person Who Is Not a Third Party (1798.140(w)(2)): Sale? No, unless the recipient is a “business.” Processor terms: N/A. Contractual terms: retain, use, or disclose personal information only for business purposes; refrain from selling the personal information; refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business; and certify understanding of and compliance with the above restrictions.
“Contractors” in CPRA

When CPRA becomes effective on January 1, 2023, the new law will incorporate these same classifications of entities that receive personal information.

  • Third Party: A third party continues to be a recipient of sales of personal information. A third party that offers cross context behavioral advertising can now be the recipient of “sharing” of personal information, as well.
  • Service Providers: Service providers remain entities that process personal information on behalf of a business pursuant to a written contract. CPRA clarifies, however, that a service provider may receive the personal information either directly from or on behalf of the business.
Service providers now inherit terms that only applied to a person who is not a third party in the CCPA. These terms require service providers to agree to (1) refrain from selling personal information and (2) refrain from retaining, using, or disclosing the information outside the direct business relationship between the service provider and the business.
  • Contractors: The new term “contractor” refers to a person to whom the business makes available a consumer’s personal information for a business purpose and pursuant to a written contract. This classification largely mirrors CCPA’s classification of a person who is not a third party. In particular, similar to CCPA, contractors are still required to certify their understanding and compliance with contractual restrictions.
One key difference, however, is that CPRA makes clear that a contractor is never the recipient of a “sale” or “sharing” of personal information under CPRA. Classification as a contractor means there is not a “sale” of personal information.

Additionally, for both service providers and contractors, CPRA adds three new contractual terms:

  • Combination of Personal Information: CPRA adds new contractual restrictions that limit how personal information from a business may be combined with personal information received from other businesses or directly from consumers. Further guidance on this issue is expected as part of the CPRA rulemaking process.
  • Contract Compliance Monitoring: CPRA adds an obligation on businesses to monitor contractors and service providers for compliance with CPRA contract terms.
  • Sub-processor Obligations: CPRA indicates that service providers and contractors must enter into similar CPRA contracts with any sub-processors that handle personal information, and provide notice to the business of each sub-processor.
The following chart summarizes these obligations, with comparisons to CCPA:
  • CCPA Service Provider (1798.140(v)): Sale? No. Processor terms: the service provider processes personal information on behalf of the business. Common contractual terms in CCPA and CPRA: retain, use, or disclose personal information only for business purposes. New CPRA contractual terms: N/A.
  • CPRA Service Provider (1798.140(ag)): Sale? No. Processor terms: the service provider processes personal information on behalf of the business. Common contractual terms in CCPA and CPRA: retain, use, or disclose personal information only for business purposes; refrain from selling the personal information; and refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business. New CPRA contractual terms: restriction on combination of personal information; duty to monitor compliance; and sub-processor obligations.
  • CCPA Person Who Is Not a Third Party (1798.140(w)(2)): Sale? No, unless the recipient is a business. Processor terms: N/A. Common contractual terms in CCPA and CPRA: retain, use, or disclose personal information only for business purposes; refrain from selling the personal information; refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business; and certify understanding of and compliance with the above restrictions. New CPRA contractual terms: N/A.
  • CPRA Contractor (1798.140(j)): Sale? No. Processor terms: N/A. Common contractual terms in CCPA and CPRA: retain, use, or disclose personal information only for business purposes; refrain from selling the personal information; refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business; and certify understanding of and compliance with the above restrictions. New CPRA contractual terms: restriction on combination of personal information; duty to monitor compliance; and sub-processor obligations.
As reflected above, the contractor classification is not new or significantly different from the service provider classification. When compared with a service provider, the only differences are that contractors (1) do not process data on behalf of the business, and (2) certify compliance with contractual restrictions.

Accordingly, in determining which types of contract terms to have in place in various data flow scenarios, it is possible that contractor terms will be used in a more limited way where the recipient of data is not processing personal information on behalf of a data owner.

Here are some examples:

  • Sharing customer identifiers in certain product fulfillment use cases.
  • Agreements involving joint operations on data.
  • Integration agreements to enable independently-performed services on behalf of a common customer.
  • Data services offered to a business with restrictions on use of the data for limited business purposes.
In these scenarios, the parties to the transaction may be able to leverage the “contractor” classification to avoid a “sale” of personal information.

If you have questions about the benefits or drawbacks of the contractor classification under CPRA, please contact attorneys in the Information Privacy and Data Security practice group at Kelley Drye.

California Privacy Protection Agency Appointments Announced
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-privacy-protection-agency-appointments-announced
Wed, 17 Mar 2021 21:29:25 -0400

California officials today announced their nominees to be the five inaugural members of the California Privacy Protection Agency (“CPPA”) Board. Created by the California Privacy Rights Act (“CPRA”), the CPPA will become a powerful, state-level privacy regulator long before its enforcement authority becomes effective in 2023, and today’s appointments move the CPPA one large step closer to beginning its work. This post provides an overview of the CPPA’s authority, examines the issues that might be on its agenda, and outlines a few ways companies can start to get ready for potential regulations.

Inaugural Appointees

The five inaugural nominees of the CPPA Board are:

  • Jennifer Urban, who was appointed as Chair of the CPPA by Governor Gavin Newsom. Urban is a clinical professor at UC Berkeley School of Law.
  • John Christopher Thompson, who was appointed by Governor Newsom and is Senior Vice President of Government Relations at LA 2028.
  • Angela Serra, who was designated by California Attorney General Xavier Becerra. Serra served in a wide range of roles in the California Department of Justice, including overseeing the Consumer Protection Section’s Privacy Unit.
  • Lydia de la Torre, who was nominated by Senate President Pro Tem Toni Atkins. De la Torre is a professor of law at Santa Clara University.
  • Vinhcent Le, who was designated by Assembly Speaker Anthony Rendon.

The announcement indicates that Urban’s and Thompson’s appointments do not require Senate confirmation.

The CPPA’s Next Milestones

Although the CPPA’s administrative enforcement authority does not become effective until July 1, 2023, the agency is poised in the meantime to become a powerful regulatory and supervisory authority, akin to a European data protection authority. Key dates in the near term are:

  • July 1, 2021: CPPA takes over rulemaking authority from the California Attorney General.
  • July 1, 2022: Deadline for the CPPA to adopt final regulations required by CPRA.

Which Regulations Does CPRA Require the CPPA to Issue?

Section 21 of CPRA (codified in Civil Code section 1798.185) adds fifteen areas of CCPA implementation to be spelled out in regulations to the seven areas that were defined under the initial CCPA. (CPRA also amends existing areas of rulemaking authority. For example, it grants more specific authority to prescribe standards for opt-out mechanisms.)

Although CPRA requires the CPPA to adopt final regulations in these areas by July 1, 2022, it would not be surprising to see the agency set priorities, as the Attorney General’s Office did initially under the CCPA. These priorities could include fundamental elements of the CCPA:

  • Opt-Outs for Sale, Sharing, and Profiling, and Limiting Use of Personal Information: CPRA grants the CPPA the authority to adopt regulations that further define consumers’ opt-out rights. Specifically, the agency is directed to adopt regulations that define “intentional interactions,” which in turn define the scope of exceptions to “sale” and “sharing.” The CPPA is also charged with issuing rules about “profiling” opt-out rights, and this area is worth watching closely because it is not aligned with Virginia’s new privacy law or the current text of the Washington Privacy Act. CPRA defines “profiling” as the “automated processing of personal information, . . . to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” A profiling opt-out under CPRA could apply to any first-party data use that meets this definition. The profiling opt-out right under the Virginia Consumer Data Protection Act is narrower: it is limited to the “furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” (The profiling opt-out proposed in the Washington Privacy Act is substantively identical to Virginia’s opt-out.) Other aspects of opt-out rights that could be initial rulemaking targets include (a) the definition of “technical specifications” for a global platform- or browser-based opt-out mechanism, potentially including a feature to indicate that the user is under the age of 13 or between 13 and 15 years old; (b) standards for consent to sell or share personal information, or use or disclose sensitive personal information, for businesses that respond to opt-out signals; and (c) “harmonizing” CCPA rules governing privacy notices, opt-out mechanisms, and “other operational mechanisms” to “promote clarity and functionality . . . for consumers.”
  • Access Requests: CPRA directs the CPPA to define the scope of responses to consumer requests for specific pieces of personal information. CPRA suggests that these regulations may exclude system log and other information that “would not be useful to the consumer,” as well as define authentication standards for access to sensitive personal information.
  • Business Purposes: Finally, it is possible that the CPPA will focus initially on “further defining” business purposes for which contractors and service providers may combine personal information from multiple businesses.

Defining CPPA’s Supervisory Authority

The CPPA will also have considerable supervisory authority. Section 1798.185(15) authorizes the CPPA to issue regulations defining audit and risk assessments for businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security.”

Separately, the CPPA must appoint a Chief Privacy Auditor to audit businesses’ compliance with the CCPA. The Auditor’s role will be defined almost entirely through regulations, and the statutory guidance on these regulations is scant: The CPPA will define the “scope and process of the agency’s audit authority,” establish criteria for selecting audit targets, and establish protections against disclosure for the information the auditor collects.

As with other areas of CPPA rulemaking, it is unclear when the agency will turn to establishing the Chief Privacy Auditor’s authority. However, it is worth noting now that the Auditor’s authority is potentially sweeping, as well as considering how a CCPA compliance program will look when it is under the Auditor’s microscope.

Today’s appointments are an important milestone in the development of a new breed of U.S. privacy regulator. We will keep a close watch on further developments with the Board and the CPPA’s activities.

The Expanding Privacy Landscape https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/aaron-burstein-the-expanding-privacy https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/aaron-burstein-the-expanding-privacy Wed, 20 Jan 2021 14:04:52 -0500 Partner Aaron Burstein edited the Fall 2020 issue of Antitrust magazine with Janis Kestenbaum. If you're looking to get up to speed on some of the most pressing regulatory issues surrounding personal data, this is the place to start -- and the ABA is making it free to access through the end of January.

A roundtable featuring Alexandra Reeve Givens (President and CEO, CDT), Jessica Rich (former Director of the FTC’s Bureau of Consumer Protection), Will DeVries (Google), and William McGeveran (University of Minnesota Law School) surveys the enforcement and policy landscape. The issue also features articles that examine the California Privacy Rights Act, the state (and stakes) of Section 230 reform, privacy issues in contact tracing apps, and applications of economic analysis to privacy. On the international front, authors analyze the first two years of GDPR enforcement as well as privacy and antitrust developments in China.

For additional privacy information and resources, visit Kelley Drye’s Advertising and Privacy Law Resource center.

CCPA Update: California AG Proposes Fourth Set of Changes to CCPA Regulations https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ccpa-update-california-ag-proposes-fourth-set-of-changes-to-ccpa-regulations https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ccpa-update-california-ag-proposes-fourth-set-of-changes-to-ccpa-regulations Thu, 10 Dec 2020 19:10:44 -0500 The California Attorney General’s office announced a fourth set of proposed modifications to the CCPA regulations. These modifications: (1) clarify the requirement for businesses that sell personal information that is collected offline to provide offline opt-out notices; and (2) propose an opt-out button for businesses to feature online along with opt-out notices and the “Do Not Sell My Personal Information” link.

Clarifying offline opt-out notice requirements. The modifications proposed in October required that any business that collected personal information offline provide notice via an offline method of the consumer’s opt-out right.

  • The modified regulations now specify that businesses that sell personal information that they collect “in the course of interacting with consumers offline” must provide an offline notice of the consumer’s right to opt-out, and provide instructions for how the consumer can opt out.
  • The same examples of providing notice on a paper form, posting a sign in a store, or giving an oral notice over the phone still apply.

While not explicitly stated in the proposal, this modification suggests that businesses that collect personal information offline, but do not sell that personal information, are not required to provide an offline opt-out notice, even if the business separately sells personal information that it collects online. In response to the October proposal, numerous comments indicated that requiring an opt-out notice when the business did not sell information collected offline could potentially confuse consumers.

Proposing an optional opt-out button. After delaying the introduction of the opt-out button in the first set of CCPA regulations, the Attorney General’s office has proposed the following blue button for businesses to use in addition to providing an opt-out notice and “Do Not Sell My Personal Information” link:

Use of the button does not absolve a business from posting the opt-out notice or link where otherwise required. Where a business posts a “Do Not Sell My Personal Information” link, the business must also include the button to the left of the link (as shown above) in “approximately the same size as any other buttons used by the business on its webpage.” The button must link to the same landing page as the “Do Not Sell My Personal Information” link itself.

Process and Timing. The deadline to submit written comments to the proposed modifications is 5:00 PM PST on December 28, 2020. The regulations have been a continued work in progress for the Attorney General’s office since their first publication in October 2019. We will continue to monitor any further changes and will provide updates on the blog.

_________________________

Hear Alysa Hutnik and Aaron Burstein discuss some of the overarching CPRA issues and a few particular issues that caught their attention on the Ad Law Access podcast.

Listen on Apple, Spotify, Google Podcasts, SoundCloud, via your smart speaker, or wherever you get your podcasts.
