In brief
Finalized regulations under the amended California Consumer Privacy Act (“CCPA”) are one step closer to becoming a reality. On February 3, 2023, the California Privacy Protection Agency (the “Agency”) voted to submit its proposed regulations to the Office of Administrative Law, which is one of the last steps before the regulations become law. The Office of Administrative Law will review the proposed regulations to ensure they are clear, necessary and based on valid legal authority. Further modifications may be necessary as the draft rules move toward the finish line. Nevertheless, we expect the current version of the proposed regulations to be a good proxy for the finalized version. This is because the amended CCPA grants the Agency broad authority to formulate its own regulations, and the Office of Administrative Law proposed few substantive edits to the California Attorney General’s proposed CCPA regulations in 2020. Below we outline 7 key takeaways from the Agency’s proposed regulations if they are adopted in their current form.
In depth
1. A business must obtain a California resident’s consent to process their personal information for purposes outside of the CCPA’s “data minimization” criteria. The CCPA and proposed regulations do not use the term “data minimization,” but we use the term to refer to Cal. Civ. Code § 1798.100(c), which requires a business’ personal information processing to be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected.” The Agency’s proposed regulations outline a series of factors that a business must consider when assessing whether the business’ processing will meet these criteria. Businesses should document their data minimization assessments in writing to support that the criteria are met. Where these criteria are not met, the regulations require a business to obtain the data subject’s consent before engaging in the processing. Consent must be specific, informed, unambiguous and given freely without the use of dark patterns (see #2 below). Acceptance of general or broad terms of use or similar document does not constitute consent.
2. A business must avoid using dark patterns when seeking consent or offering data subject rights. U.S. regulators are increasingly using the term “dark patterns” as a catch-all to cover a variety of misleading, deceptive or unfair practices, but the Agency provides some relatively structured guidance on how to avoid the use of dark patterns. In particular, the regulations require a business’ methods for obtaining consent or submitting CCPA data subject requests to be easy to understand, symmetrical in choice, straightforward, non-manipulative, and easy to execute. The regulations provide some explanations and examples that help to clarify what these principles mean in practice.
3. A business should carefully review the regulations when drafting privacy notices. The Agency’s CCPA regulations define five main classes of privacy notices that businesses must provide: (1) Notices at Collection; (2) Notice of Right to Limit; (3) Notice of Right to Opt-out of Sale/Sharing; (4) Notice of Financial Incentive; and (5) a Privacy Policy. The regulations enumerate the elements that the Agency expects to see in each of these classes of privacy notices. Not all of the elements enumerated in the regulations are found in the statutory text of the CCPA. For example, the regulations state that a Notice at Collection must include a link to the business’ Privacy Policy. The regulations also prescribe how and where these notices must be provided to California residents. Because the privacy notices that a business must provide under the CCPA may vary substantially from those that the business provides to comply with other laws, businesses should consider whether to draft privacy notices addressed specifically to California residents for the purposes of complying with the CCPA, and should consider structuring the notices so that they present required information in the same order that the Agency’s regulations list elements required to be included in notices.
4. Service providers, contractors and third parties must also delete personal information in response to data subject requests. The Agency’s regulations make it clear that a business that gives effect to a California resident’s request to delete personal information must also instruct its service providers and contractors to delete the personal information, and that these service providers must delete the personal information and instruct their own downstream service providers and contractors to delete the personal information. If the business sold or shared personal information to third parties, it must also instruct those third parties to delete the personal information unless doing so would be impossible or involves disproportionate effort. The regulations define “disproportionate effort” to mean, essentially, where the time and resources required to respond to the request would significantly outweigh the reasonably foreseeable impact to the data subject by not responding, and the definition specifically states that a business, service provider, contractor or third party that has failed to implement “adequate processes and procedures” to receive and process data subject requests “cannot claim that responding” to a request would involve disproportionate effort.
5. A business that sells or shares personal information must honor opt-out preference signals as a valid request to opt out of selling or sharing. For the business to be required to honor the opt-out preference signal, the signal must meet the following conditions: (1) It must be in a format commonly used and recognized by businesses, such as an HTTP header field or JavaScript object; and (2) The technology that sends the signal must make clear to users that sending the signal is meant to have the effect of opting them out of the sale and sharing of their personal information. The regulations include detailed rules about how to interpret an opt-out preference signal in different circumstances, such as if the business can only associate the signal with a browser or device but not a particular individual, or if the signal clashes with the individual’s participation in a business’ financial incentive program. The regulations also impose detailed technical requirements on businesses that wish to process opt-out preference signals in a “frictionless manner.” A business that processes opt-out preference signals in a frictionless manner can consolidate some of its CCPA disclosures and methods of receiving opt-out requests.
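To make the interpretation rules in this takeaway concrete, the following is an added illustration (it is not code from the article, the Agency or any regulation) of how a business's server might recognize an opt-out preference signal and record it against either an identified individual or only a browser/device. It assumes the signal arrives as the Global Privacy Control request header "Sec-GPC: 1", a real and widely used HTTP header format that the article itself does not name; the request, user and preference-store shapes are constructed for the example. Where the signal clashes with enrollment in a financial incentive program, the code only flags the conflict for the business's documented procedure, because the article does not state how the regulations resolve it.

```javascript
// Added example, not the article's or the Agency's code. Assumption: the
// opt-out preference signal is the Global Privacy Control header "Sec-GPC: 1".
const SIGNAL_HEADER = "sec-gpc";

// Lower-case header names so lookups work whether or not the web framework
// has already normalised them (Node's http module does; raw objects may not).
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Condition (1): the signal must arrive in a recognised format. Only the
// exact value "1" is treated as an opt-out request; anything else is ignored.
function hasOptOutSignal(headers) {
  const value = normaliseHeaders(headers)[SIGNAL_HEADER];
  return typeof value === "string" && value.trim() === "1";
}

// Interpret the signal along the distinctions the article describes:
// tied to an identified individual, tied only to a browser/device, or in
// conflict with a financial incentive program (flagged, not decided here).
function interpretSignal(request, knownUser) {
  if (!hasOptOutSignal(request.headers)) {
    return { optOut: false, scope: null, subject: null, incentiveConflict: false };
  }
  if (knownUser && knownUser.id) {
    return {
      optOut: true,
      scope: "individual",
      subject: knownUser.id,
      incentiveConflict: Boolean(knownUser.financialIncentiveEnrolled),
    };
  }
  // The business can associate the signal only with the browser/device.
  return { optOut: true, scope: "browser", subject: request.deviceId, incentiveConflict: false };
}

// Record the opt-out so downstream sale/sharing logic can consult it.
// Constructed store shape: "<scope>:<subject>" -> ISO timestamp of receipt.
function recordOptOut(store, decision, now = new Date()) {
  if (!decision.optOut) return store;
  store[`${decision.scope}:${decision.subject}`] = now.toISOString();
  return store;
}

// Gate sale/sharing: blocked when an opt-out is on file for the individual
// or, failing that, for the browser/device the request came from.
function maySellOrShare(store, request, knownUser) {
  if (knownUser && knownUser.id && store[`individual:${knownUser.id}`]) return false;
  if (request.deviceId && store[`browser:${request.deviceId}`]) return false;
  return true;
}

// Constructed sample requests for demonstration.
const signalledRequest = { headers: { "Sec-GPC": "1" }, deviceId: "dev-abc123" };
const silentRequest = { headers: { "user-agent": "example-browser" }, deviceId: "dev-xyz789" };

// Stand-alone run: an anonymous visitor sends the signal; sale/sharing to
// that browser is then blocked while an unrelated browser is unaffected.
const demoStore = recordOptOut({}, interpretSignal(signalledRequest, null));
console.log("signalled browser may be sold/shared:", maySellOrShare(demoStore, signalledRequest, null));
console.log("silent browser may be sold/shared:", maySellOrShare(demoStore, silentRequest, null));
```

The store key is scoped so that an opt-out recorded for a browser does not silently become an opt-out for every account later used from that browser, and an individual-scoped opt-out follows the person across devices; both behaviours should be checked against the business's own reading of the regulations before being relied on.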
6. A business should carefully review the regulations when negotiating data-related provisions with other parties. The CCPA requires businesses to include certain elements in their contracts with service providers, contractors and third parties to whom they disclose personal information or de-identified information, sell personal information, or share personal information for cross-context behavioral advertising. The regulations include some examples of what these elements should entail. For example, the CCPA requires the business to reserve the contractual right to take reasonable and appropriate steps to stop and remediate the recipient’s unauthorized use of personal information. The proposed regulations indicate that a business may satisfy this requirement by obliging the recipient to produce documentation that verifies that it has honored a data subject request if the business instructs the recipient to comply with the request.
7. The Agency has shed light on its enforcement procedures and powers. For example, the Agency appears to commit to responding to every sworn complaint regarding an alleged violation of the CCPA. The Agency has also reserved broad powers to investigate, audit and commence enforcement proceedings against persons alleged to have violated the CCPA.
Many of the underlying CCPA requirements on which the Agency’s regulations expound have been in force since January 1, 2023, so companies have had to pursue compliance despite significant uncertainty around the applicable rules. Even if one round of finalized regulations now appears imminent, companies will have to continue to navigate an uncertain regulatory landscape since the Agency has signaled that it will release additional CCPA regulations in the future, including with respect to privacy and security risk assessments and automated decision-making technology.