Sneak Peek: California Privacy Rights Act Draft Regulations Released
As previously shared, California voters approved the California Privacy Rights Act (“CPRA”) in November 2020 in an effort to amend and strengthen the consumer data protections afforded under the California Consumer Privacy Act (“CCPA”). Most CPRA provisions will go into effect on January 1, 2023, and enforcement of the CPRA will commence on July 1, 2023. In the meantime, preliminary draft regulations (the “CPRA Regulations”) were released by the newly created California Privacy Protection Agency (the “CPPA”) on May 27, 2022 for public review and comment. Below is an overview of what we can expect to see in the CPRA Regulations:
1. What is the CPPA?
Established by the CPRA, the CPPA is the first independent data protection authority in the U.S. The CPPA has a five-member board and “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA, as modified by the CPRA. While the California Attorney General retains enforcement authority, rulemaking authority has been shifted to the CPPA.
2. What is the status of the CPRA regulations?
The CPRA Regulations are subject to modifications in response to public hearings and public comment before being finalized.
Specifically, the CPPA began collecting hundreds of pages of public comments last year, and the CPPA board held informational sessions and stakeholder sessions earlier this year to collect additional feedback. The CPPA published preliminary draft CPRA Regulations on May 27, 2022 in preparation for its June 8 board meeting, and the formal rule-making process was officially launched on July 8. There will now be at least one 45-day public comment period, and public hearings will be held on August 24 and 25, 2022. It is not clear when the CPRA Regulations will be finalized – by comparison, the CCPA regulations took about 9 months to complete after the first public hearings.
3. What do the draft CPRA Regulations tell us?
The pro-consumer CPRA Regulations have been proposed as a redline of the current CCPA regulations, rather than as a separate set of regulations. Also, the current draft of the CPRA Regulations does not cover all 22 rulemaking topics required by CPRA, so there could be additional drafts to address these.
With the caveat that some or all of this could change during the rulemaking process, the following is a list of key topics included in the current draft of the CPRA Regulations:
- New category of “sensitive personal information”
A new subset of personal information called “sensitive personal information” has been created. A business may use it for one of 7 designated purposes; use beyond those purposes is restricted and, as discussed below, gives the consumer the right to limit that use. Sensitive personal information would include:
- Government identifiers such as Social Security, driver’s license and passport numbers;
- Financial account information together with the corresponding PIN, access code or password;
- A consumer’s precise geolocation;
- Racial or ethnic origin;
- Religious or philosophical beliefs;
- Union membership;
- Contents of a consumer’s mail, email and text messages (unless the business is the intended recipient); and
- Genetic data.
- New Rights for Consumers
The CPRA Regulations will address the two additional rights for consumers created by CPRA: (1) the right to correct inaccurate personal information, and (2) the right to limit use and disclosure of sensitive personal information.
- Sharing Data
The proposed CPRA Regulations would restrict the “sharing” of personal information in addition to the “selling” of such information. “Sharing” is very broadly defined as renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating a consumer’s personal information to a third party for cross-context behavioral advertising. No payment, monetary or otherwise, is required for “sharing” to occur, so a free exchange of data with an advertising partner would still qualify.
- Limits on Use of Personal Information
A business’s collection, use, retention and/or sharing of a consumer’s personal information would be required to be “reasonably necessary and proportionate” to achieve the purpose for which the information was collected. Whether a given use is “reasonably necessary and proportionate” would be measured against what an average consumer would reasonably expect at the time the personal information was collected.
A business would be required to obtain explicit consent to collect, use, retain, and/or share a consumer’s personal information, if it would be used for an unrelated or incompatible purpose. With respect to the method of obtaining consumer consent, the CPRA Regulations would also require businesses to:
- Use understandable methods that a consumer can easily execute (such as clear yes and no options)
- Provide for symmetry in choice (such as having the yes and no buttons the same size and color)
- Avoid confusing language and elements (such as double negatives)
- Avoid manipulative or shaming language (such as requiring the consumer to provide reasons for opt-out)
- Privacy Policies
Privacy policies would need to be updated to include:
- Disclosure of the categories of personal information shared and the categories of third parties who may receive such information.
- Disclosure of any use of “sensitive personal information” for non-designated purposes.
- An explanation of the new consumer rights to correct inaccurate information, opt out of sharing, and limit use of sensitive personal information.
- Consumer Notices
The proposed CPRA Regulations include specific requirements relating to the placement and content of consumer notices, such as notifying consumers when sensitive personal information is being collected, as well as notices relating to third-party collection, opt-out links, and data retention.
- Responding to Consumer Requests
The proposed CPRA Regulations would include specific methods and timelines for responding to consumer requests (such as consumer requests to delete and correct personal information).
- Consumer Opt-Outs
The proposed CPRA Regulations would change consumer opt-outs as follows:
- Disclosure regarding how a business processes opt-out preference signals and how the consumer could use such signals.
- Expanded requirements for consumer opt-outs of selling/sharing personal information.
- Mandated notifications to consumers regarding the opt-out process.
4. How will the CPPA investigate CPRA violations?
The CPPA would have the authority to conduct investigations in response to consumer complaints or referrals from government agencies or private organizations. A business under investigation would be entitled to notice of the investigation and a hearing. Additionally, the CPRA Regulations would empower the CPPA to audit businesses for the purposes of (a) investigating possible violations of the CPRA, (b) determining whether a business’s processing presents significant risk to consumer privacy or security, and (c) checking the compliance of businesses with a history of non-compliance with privacy laws (including laws outside of California).
Although the CPRA’s effective date is still several months away, and the CPRA Regulations are not yet final, businesses subject to this legislation should take steps now to understand the scope of this pro-consumer legislation and how it will impact their operations. If you have questions about the CPRA or data privacy in general, please contact Virginia Fournier at email@example.com.
A member of our California team, Virginia Fournier is a seasoned technology and privacy attorney with over 25 years of legal and business experience in the industry. She regularly handles a wide range of technology-related matters, including negotiating and drafting complex licensing agreements, compliance, data security and privacy, and intellectual property issues. Virginia is also a Certified Information Privacy Professional (CIPP/US).