California Privacy Agency Releases Proposed CPRA Rules – Key Takeaways
On May 27, 2022, the California Privacy Protection Agency (CPPA) released a long-awaited first draft of some of the planned regulations implementing the California Privacy Rights Act (CPRA).[1] The press release accompanied the CPPA's announcement of its next public meeting on June 8, 2022, during which the agency will consider, among other agenda items, possible action on the draft regulations and the delegation of rulemaking authority functions to the CPPA's executive director. Ahead of that meeting, on June 3, the CPPA released a Draft Initial Statement of Reasons (ISOR) to accompany the proposed regulations, which explains the purpose of and need for the proposed regulations, as well as an FAQ providing further information on the proposed regulations and the rulemaking process. Although the formal CPRA rulemaking process has not yet officially begun, we expect to hear more about a potential timeline for the notice and comment period on the regulations at the CPPA's June 8 meeting.
Key Takeaways
- The draft regulations build on the existing CCPA regulations. While the changes are significant, some provisions have been left largely intact with minimal alterations, particularly with respect to financial incentive notices, request verification requirements, rules regarding consumers under 16 years of age, non-discrimination provisions, and training and record-keeping requirements. Nevertheless, it remains possible that the CPPA will modify these provisions in future draft regulations.
- The draft regulations are subject to significant change during the upcoming public notice and comment period. That said, it is unclear whether they will ultimately be finalized before the CPRA takes effect on January 1, 2023, leaving businesses in an uncertain compliance posture.
- The CPPA signaled at its last board meeting that it will release additional regulations in future packages. This first package does not cover important topics such as cybersecurity audits, privacy risk assessments, or access and opt-out rights as they relate to automated decision-making, but we anticipate that these will be covered in future packages. Indeed, the ISOR indicates that the draft regulations have amended certain terms to reduce confusion between references to opt-out of sale/sharing rights and automated decision-making opt-out rights, signaling that a future set of regulations will provide a more in-depth treatment of consumer rights regarding automated decision-making. The draft regulations also lack the final technical specifications for opt-out preference signals.
- The proposed regulations require businesses in certain circumstances to obtain explicit (i.e., opt-in) consent, potentially exceeding the statute's opt-out consent requirements.
- Despite wording in the CPRA statute that supports the interpretation that honoring opt-out preference signals (i.e., automated signals sent by a platform, technology, or mechanism that communicate a consumer's choice to opt out) is optional, the proposed regulations require all businesses to honor opt-out preference signals. We expect this tension to be discussed during the upcoming notice and comment period.
- In response to a request to know, the proposed regulations would require businesses to disclose all personal information collected and maintained about the consumer on or after January 1, 2022 (even if this includes information beyond the 12-month period preceding the request), unless doing so proves impossible or would involve a disproportionate effort. This requirement goes beyond the CPRA statute, which provides that consumers may request that a business provide personal information beyond the 12-month period.
- The proposed regulations introduce new obligations for the CPRA's new right to correct inaccurate personal information, including a requirement that a business provide consumers with the name of its data source if the business receives a request to correct personal information of which the business itself was not the source. Businesses that lack detailed data lineage records may find this difficult to comply with, and it could have a profound impact on the data broker industry.
- The proposed regulations introduce a new concept of "frictionless" opt-outs, which would require honoring a consumer's opt-out preference signal without charging a fee, altering the consumer's experience, or displaying any content in response to the signal other than an acknowledgment that the consumer has opted out. Provided that a business complies with the requirements for "frictionless" opt-outs, among other obligations, the proposed regulations provide that the business is not required to post opt-out links ("Do Not Sell…", etc.) on its homepage.
- Notably, the new notice at collection obligations in the proposed regulations would apply to both first parties and third parties. For example, if a business allows third parties, such as advertising providers, to control the collection of personal information on the business's website or mobile application, the business must either name in its notice at collection the third parties it authorizes to collect personal information or provide information about those third parties' business practices. These onerous, GDPR-like notice requirements, if retained in the final version of the regulations, would likely have a significant impact on ad tech providers.
- Finally, the proposed regulations add to the CPRA statute's already granular contractual requirements and create new obligations for businesses that disclose personal information to service providers, contractors, and third parties. For example, the proposed regulations require contracts with service providers to identify the specific business purposes and service purposes for which personal information will be processed, and prohibit generic descriptions of those purposes, such as a general reference to the entire contract. Businesses would also be required to conduct due diligence on service providers, contractors, and third parties in order to take advantage of the CPRA's statutory liability protection for compliance failures of a service provider, contractor, or third party that occur without the business's knowledge. These requirements are likely to add significant friction to contract negotiations between businesses and their service providers and third parties, and to impose potentially unworkable compliance burdens on small and medium-sized businesses that lack the expertise or resources to reasonably audit those entities.
For a more in-depth analysis of the main components of the proposed regulations, please see our Data Advisor article.
Please stay tuned for our upcoming webinar on recent CPRA developments. Further information will be published on the Wilson Sonsini Goodrich & Rosati Events page, and invitations will be sent by e-mail.
We encourage businesses affected by the proposed CPRA regulations to submit comments to the CPPA. Wilson Sonsini Goodrich & Rosati routinely assists businesses with complex data privacy and security issues and will monitor CPPA guidance, enforcement, and litigation under the CPRA to help clients achieve compliance. For more information or advice regarding your CPRA compliance efforts, please contact Tracy Shapiro, Maneesha Mithal, Eddie Holman, Amanda Irwin, Clinton Oxford, or any member of the firm's privacy and cybersecurity practice.
[1] The proposed draft regulations are referred to as the "CCPA regulations" rather than the "CPRA regulations." This is because the CPRA was a ballot initiative that amended the CCPA; it did not create a separate new law. Accordingly, the proposed regulations update the existing CCPA regulations and add new regulations to implement and interpret the CCPA text, as amended by the CPRA. We refer to these proposed CCPA regulations as the "proposed regulations" in this alert.