In sports, they sometimes call it a rebuilding year – the team hires new players or a new coach, restructures, updates strategy, and prepares for the next season. In the world of California privacy compliance, 2021 was a rebuilding year for many companies. While handling ongoing compliance with the California Consumer Privacy Act (CCPA), businesses were simultaneously planning for the changes coming Jan. 1, 2023, when the California Privacy Rights Act (CPRA) expands the CCPA’s requirements.
Although existing CCPA compliance can be leveraged to meet some of the CPRA’s obligations, other aspects of the updated law may require businesses to rebuild parts of their privacy compliance programs. The CPRA revises the CCPA in many ways, including by:
- Expanding the slate of consumer rights to add a right to correct, a right to opt out of sharing personal information for cross-context behavioral advertising, a right to limit use and disclosure of sensitive personal information, and a right to opt out of automated decision-making and profiling.
- Ending exemptions for employees, job applicants and business-to-business contacts.
- Requiring additional disclosures in privacy policies, including disclosures about sensitive personal information, behavioral advertising, retention periods, vendor data practices and updated descriptions of privacy rights.
- Updating vendor contracts to include new requirements for “service providers” and to address transfers of personal information to “contractors” and “third parties.”
- Undertaking audits and risk assessments for high-risk processing of personal information.
- Creating a new administrative agency, the California Privacy Protection Agency (CPPA or the Agency), charged with rulemaking and administrative enforcement of the law.
On May 27, 2022, the CPPA released initial Proposed Regulations interpreting the CPRA’s new requirements and updating many existing rules. It also published an Initial Statement of Reasons, explaining the thought process behind the Proposed Regulations. On June 8, 2022, the CPPA board approved the draft Proposed Regulations as the basis for the formal CPRA rule-making process, which is expected to continue through the third or fourth quarter of 2022.
The Proposed Regulations include many new or updated requirements compared with the core statutory text of the CPRA. While a thorough review of the Proposed Regulations is critical for CPRA compliance, businesses should pay especially close attention to the following rules:
- Restrictions on Collection and Use of Personal Information. Under the Proposed Regulations, “[a] business’s collection, use, retention, and/or sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed” and “consistent with what an average consumer would expect.” A business is required to obtain explicit consent “before collecting, using, retaining, and/or sharing the consumer’s personal information for any purpose that is unrelated or incompatible with the purpose(s) for which the personal information [was] collected or processed.”
- Browser-Based Opt-Out Signals. Under the Proposed Regulations, all businesses that “sell” or “share” personal information will be required to recognize browser-based opt-out signals, whether or not they post an opt-out link on their websites. Only if a business recognizes browser signals in a “frictionless manner” may it avoid posting the opt-out link. This is a significant change compared with the way many read the text of the CPRA. According to the Agency’s Initial Statement of Reasons, “[t]his regulation is necessary to address a common misinterpretation of Civil Code section 1798.135, subdivisions (b)(3) and (e), that complying with an opt-out preference signal is optional for the business. Not so. … Whether or not the business posts the opt-out links, the CPRA amendments to the CCPA require a business to always comply with an opt-out preference signal.”
- The Right to Correct. The statutory text of the CPRA includes little detail regarding the right to correct. The Proposed Regulations fill this gap, providing guidance on how a business should determine the accuracy of personal information, specific steps required to handle a request and examples of situations where correction may require “disproportionate effort.”
- The Right to Limit Use and Disclosure of Sensitive Personal Information. The Proposed Regulations describe the procedures to be followed for the CPRA’s new right to limit the use and disclosure of sensitive personal information. For example, businesses must provide at least two methods for exercising this right and will have 15 business days to fulfill a request. They will also need to notify service providers, contractors and third parties that use sensitive personal information for non-exempt purposes. For now, businesses are not required to recognize browser signals as a means of opting out of the use or disclosure of sensitive personal information.
- Contract Requirements. The Proposed Regulations expand on the CPRA’s detailed requirements for contracts between businesses and their “service providers” and “contractors.” They also include illustrative examples that appear intended to demonstrate that some service provider arrangements may not hold up under the new rules, and warn that “a business that never enforces the terms of the contract nor exercises its rights to audit or test the service provider’s or contractor’s systems might not be able to rely on the defense that it did not have reason to believe that the service provider or contractor intends to use the personal information in violation of the CCPA and these regulations.” Finally, the Proposed Regulations include a host of requirements to be included in agreements with third parties that do not qualify as service providers or contractors.
These are only a sample of the rules making an impact on businesses’ compliance with the CPRA. Moreover, this set of Proposed Regulations does not address cybersecurity audits, privacy risk assessments or automated decision-making, which are expected to be covered as part of a future rule-making package.
As businesses rebuild their CCPA compliance programs with an eye toward CPRA compliance, it will be more important than ever to have a thorough understanding of the personal information the company handles, a process in place for responding to privacy rights requests, and ongoing training and procedures to make sure appropriate contractual terms are implemented, privacy notices are kept up to date, and audits and risk assessments are performed when needed.