California Drafts Regulations to Implement the California Privacy Rights Act Imposing New Compliance Requirements for Businesses

July 28, 2022

On July 8, 2022, the California Privacy Protection Agency (“CPPA”)1 published draft regulations in the California Regulatory Notice Register (“Draft Regulations”)2 mandated by the California Privacy Rights Act (“CPRA”).3 The Draft Regulations amend prior regulations adopted under the California Consumer Privacy Act (“CCPA”) to provide additional rights to consumers in their personal information and expand the obligations of businesses processing such personal information.4

Under the CPRA, the Draft Regulations are to become effective January 1, 2023.

I. Application of CCPA to Businesses and Information Collected

As amended by the CPRA, the CCPA applies to for-profit businesses that conduct business in California, collect and process consumers’ personal information, and satisfy at least one of the following requirements: within one calendar year, (1) have gross annual revenues over $25 million; (2) buy, sell or receive personal information from at least 100,000 California consumers or households (expanding the current threshold of 50,000); or (3) make at least half of their annual revenue by selling or sharing California consumers’ personal information.5

Notably, the CCPA does not apply to information processed by financial institutions (such as banks, broker-dealers, investment advisers, and certain “FinTech” companies) pursuant to the Gramm-Leach-Bliley Act (“GLBA”), and its implementing regulation, Regulation S-P.6

There are, however, certain categories of information collected by financial institutions (that meet the coverage thresholds above) that are subject the CCPA. These categories include:

• Personal information of employees who live in California;
• Personal information collected from the financial institution’s website; and
• Prospective customer information from consumers who do not have a pre-existing relationship with the financial institution.7

If adopted, the Draft Regulations would require such covered financial institutions to comply with requirements that differ from prior CCPA requirements, which could include some or all of the following:

• Update their privacy policy to ensure that it is clear and not misleading;
• Implement procedures to detect and process “opt-out preference signals,” which are signals from a consumer’s browser or device communicating that the consumer does not consent to the sale or sharing of their personal information;
• Add new link(s) to the header or footer of the homepage of their website related to the consumers’ right to opt-out of the sale or sharing of their personal information and the right to limit the use of their personal information;
• Provide an opportunity for consumers to submit requests to correct their collected personal information and limit the use of their sensitive personal information;
• Update their data processing agreements with their service providers, contractors and third parties to prohibit third parties from selling data and to respond to customer requests under the CCPA; and
• Perform due diligence on service providers, contractors and third parties to assess these parties’ compliance with the CCPA.

II. CPRA Expands the Privacy Rights Established by the CCPA

The CCPA established notable privacy rights for individuals who are California residents, such as:

• The right to know what information is being collected and how it is used;
• The right to delete certain collected personal information;
• The right to opt-out of the sale of such consumer’s personal information; and
• The right to exercise these rights without facing discrimination.8

The CPRA expands the right of consumers under the CCPA to delete certain personal information and to opt out of the sale of personal information. The CPRA also defines new consumer rights, including:

• The right to correct inaccurate information;
• The right to limit the data collected and/or processed by the business;
• The right to object to automated decision-making; and
• Expansion of the notification requirements.9

Furthermore, the CPRA creates additional obligations on businesses not previously included in the CCPA, such as data security requirements, annual cybersecurity audits, and restrictions on transferring data to third parties.10

III. Penalties for Noncompliance

Either the CPPA or the California Attorney General may enforce the CCPA. If businesses fail to comply with their duty to implement security procedures and practices and consumer data is exfiltrated, stolen or disclosed in contravention of the CCPA, they could be civilly liable for up to $750 per violation.11 Additionally, businesses that violate the CCPA may incur administrative fines of up to $2,500 per unintentional violation and $7,500 per intentional violation.12

IV. Key Takeaways

As summarized below, the Draft Regulations build upon the CCPA regulations currently in effect.

a. Processing Limitations & Notice and Disclosure Requirements

Providing a new standard not expressed in the current CCPA regulations, the Draft Regulations state that a business’s use, retention, or sharing of consumers’ personal information must be reasonably necessary and proportionate to realizing the business’s stated purposes of collecting or processing that information. The processing of personal information will be deemed necessary and proportionate if the processing of consumers’ personal information is consistent with what an average consumer would expect when such personal information was collected. If the processing of personal information is not necessary and proportionate to achieving the business’s stated purpose at collection, explicit consumer consent is required.13

The Draft Regulations clarify requirements regarding disclosures made in a business’s privacy policy, which must be available through a conspicuous link.14 Notably, a business’s privacy policy would need to provide a more descriptive explanation of consumer rights than what is currently required under the CCPA, a description of how consumers can exercise these rights, a comprehensive description of the business’s online and offline practices relating to personal information processing, and the date the privacy policy was last updated.15 In a notable update, the policy would need to disclose whether the business uses or discloses sensitive personal information16 for reasons not explicitly outlined in the regulations.17

If the business sells, shares, or receives, for a commercial purpose, the personal information of more than 10 million consumers annually, it would also need to provide a link to required reports regarding that data, which include (among other things) the number of requests to know, delete, correct, opt-out and limit that the business received, complied with, and denied in a calendar year.18

b. Obtaining Consumer Consent & Dark Patterns

The Draft Regulations include a new section that would require businesses to obtain consumer consent and provide methods for consumers to make requests in a manner that does not substantially subvert or impair consumer autonomy, decision making, or choice. Examples of this behavior include the use of double negatives, circular links, and an opt-in button that is more prominent than the opt-out button. Therefore, businesses would need to ensure that their consent-seeking procedures are easy to understand, provide symmetry in choice, avoid confusing language and interactive elements, avoid manipulative language or choice architecture, and consumer requests are easy to execute.19

c. Right to Opt-Out and Opt-Out Preference Signals

Building on the right to opt-out of data sales established by the CCPA, under the Draft Regulations, businesses that sell or share consumers’ personal information would have to notify consumers of their right to opt-out of the sale or sharing of that information.

This notice could be effectuated through a “Do Not Sell or Share My Personal Information” link at the header or footer of the business’s homepage, which is more inclusive than the previous CCPA link that was only concerned about the sale of personal information. Alternatively, a business could provide a new alternative opt-out link labeled “Your Privacy Choices” or “Your California Privacy Choices” (linking to a webpage that describes their rights to opt-out and an interactive mechanism through which the consumer can submit his or her request) with the opt-out icon pictured in the Draft Regulations or may satisfy this obligation by honoring an opt-out preference signal in a “frictionless manner.”20

If a business were to detect or receive an opt-out preference signal, which is a signal sent by a platform, technology, or mechanism on behalf of the consumer that communicates the consumer’s choice to opt out, the business would be required to treat that signal as a valid request by the consumer to opt-out of the sale or sharing of their personal information. An example of this would be an HTTP header field. The business would be obligated to display whether it has processed the signal, in addition to other requirements set forth in the Draft Regulations.21

d. Right to Limit

The Draft Regulations would require businesses to provide notice to consumers of their right to limit the use and disclosure of their sensitive personal information and the ways to exercise that right.22 Under the Draft Regulations, a business would need to provide a new link titled “Limit the Use of My Sensitive Personal Information” that allows consumers to exercise this right. The link would need to be conspicuous and placed in the header or footer of the business’s homepage. Alternatively, a business could use the new alternative opt-out link, so long as the notice of the consumer’s right to limit remains accessible. The notice itself would need to include a description of the right to limit, instructions on how to effectuate this right, and, if online, an interactive form to submit a request to limit.23

The Draft Regulations prohibit businesses from requiring a consumer to create an account or disclose information beyond what is necessary to process the request to limit the use and disclosure of his or her sensitive personal information. Businesses would also need to notify relevant third parties to comply with the request to limit. The Draft Regulations also impose a twelve-month waiting period during which a business would not be able to ask a consumer who has already exercised their limitation right “to consent to the use or disclosure of sensitive personal information for purposes” where consent is required.24

e. Right to Request Correction

Consumers would have the right under the Draft Regulations to request that a business correct inaccurate personal information. Businesses would be obligated to provide two methods for consumers to submit these requests, one of which must be a toll-free telephone number. If the business has a website, it would also need to provide the opportunity to submit requests through their website.

The Draft Regulations would require a business to respond to a request within 45 calendar days of its receipt. If the business could not verify a consumer’s request within 45 days, the business could request an additional 45 days to accommodate the request.25 A business would be able to deny such a request if the totality of the circumstances demonstrate that the contested personal information is likely accurate, the business has denied a consumer’s request to correct the same contested information within six months, or the business has a good-faith, reasonable and documented belief that this request is fraudulent. Other guidance and requirements for businesses responding to requests to correct, including notice and documentation requirements, are specified in the Draft Regulations.26

f. Service Providers, Contractors and Third Parties

Expanding on the CCPA regulations, the Draft Regulations would require businesses to include certain contractual provisions limiting the use and disclosure of the personal information collected by the business by “service providers,” “contractors,” and other “third parties.” “Service Providers” are entities that process consumers’ personal information for a contractually identified business purpose. “Contractors,” a new definition added by the CPRA, are entities to whom personal information is made available for a contractually identified business purpose. A “Third Party” is defined as a third-party entity that is not a service provider, contractor, or “[t]he business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer’s current interaction with the business.”

The distinction between these types of entities brings the CCPA in closer alignment with the data controller/data processor distinction of the GDPR.27

Both Service Providers and Contractors would be prohibited from selling or sharing personal information. Third Parties would be able to sell or share personal information if the business provides consumers with the opportunity to opt-out of the sharing or selling of their personal information with the third party. The Draft Regulations specify certain requirements that would need to be included in contracts with third parties that protect consumers’ rights, including the requirement that the third party comply with requests to limit personal information transmitted from the business to the third party. The Draft Regulations also emphasize that business would have to conduct due diligence on service providers, contractors and third parties to effectively establish a defense against claims that the business is liable for a service provider, contractor or third party’s violation of the CCPA.28

Notably, the Draft Regulations do not provide guidance on the CPRA’s provisions relating to consumer opt-out rights in the context of automated decision-making technology, data security requirements, and privacy assessments to protect consumer information.29

***

Seward & Kissel LLP will continue to monitor developments related to the CCPA, CPRA, and the Draft Regulations.  If you have any questions about the issues discussed in this memorandum, other issues relating to the CPRA, or questions regarding privacy law generally, please contact Casey Jennings and/or your relationship attorney.

______________________________________________________

1 The CPPA is a new agency established by the CPRA that will enforce the regulations when they go into effect in the new year.

2 The Draft Regulations are available here: https://cppa.ca.gov/meetings/materials/20220608_item3.pdf.

3 The California Privacy Rights Act (“CPRA”) was passed as a ballot initiative in California in 2020 and is available here: https://www.oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf. The public comment period is open for 45 days following publication.

4 For more information on the California Consumer Privacy Act of 2018 (CCPA) and the privacy rights it protects, see the CCPA page on the Attorney General of California’s website: https://oag.ca.gov/privacy/ccpa.

5 Cal. Civ. Code § 1798.140 (2021).

6 Pub. L. No. 106-102 (1999). For guidance on compliance with the Gramm-Leach-Bliley Act, see the Act’s Business Guidance page on Privacy and Security on the Federal Trade Commission’s website: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act.

7 Cal. Civ. Code § 1798.145(e) (2021) (“This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102) . . .”).

8 For more information on the CCPA and the privacy rights it protects, see the CCPA page on the Attorney General of California’s website: https://oag.ca.gov/privacy/ccpa.

9 See generally the California Privacy Rights Act of 2020.

10 See generally the California Privacy Rights Act of 2020.

11 Cal. Civ. Code § 1798.150(a) (2021).

12 Cal. Civ. Code § 1798.155 (2021).

13 See sections 7002 and 7003 of the Draft Regulations.

14 See sections 7003, 7010, 7011 and 7012 of the Draft Regulations.

15 See section 7011 of the Draft Regulations.

16 Sensitive personal information is defined as information that reveals a “consumer’s social security, driver’s license, state identification card, or passport number,” financial account numbers and log-in credentials, geolocation, religious and philosophical beliefs, ethnic and racial background, union membership, mail, email and text message contents and genetic information. It also includes biometric data that concerns a consumer’s health, sex life and sexual orientation. Cal. Civ. Code § 1798.140(ae) (2021).

17 See sections 7010, 7011 and 7027(l) of the Draft Regulations.

18 See sections 7011 and 7102 of the Draft Regulations.

19 See section 7004 of the Draft Regulations.

20 See sections 7012, 7013 and 7015 of the Draft Regulations.

21 See sections 7001, 7013, 7025 and 7026 of the Draft Regulations.

22 The right to limit is defined as the right of consumers to request that businesses who collect sensitive personal information limit the use of that “information to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services….” Cal. Civ. Code § 1798.121 (2021).

23 See sections 7001, 7010, 7014, 7015 and 7027 of the Draft Regulations.

24 See sections 7001, 7014, 7015 and 7027 of the Draft Regulations.

25 See sections 7001, 7020, 7021, 7023 and 7060 of the Draft Regulations.

26 See sections 7001, 7023 and 7060 through 7063 of the Draft Regulations.

27 Under the GDPR, data controllers (like businesses and third parties) are entities that decide how and why personal information is processed and are subject to stricter regulation than data processors (like service providers and contractors), which only process personal information on behalf of the data controller. See Cal. Civ. Code §§ 1798.140(j), (ag), (ai) (2021); sections 7050 through 7053 of the Draft Regulations; Council Regulation (EU) 2016/679, art. 4, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119/34), available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&qid=1657037318458&from=EN.

28 See sections 7050 through 7053 of the Draft Regulations.

29 See generally the California Privacy Rights Act of 2020.