With less than three months until the California Privacy Rights Act goes into effect on January 1, 2023, the California Privacy Protection Agency (the “Agency”) released updated proposed regulations on October 17, 2022 (the “Regulations”). The Regulations govern compliance with the California Consumer Privacy Act of 2018, which will be amended by the California Privacy Rights Act (collectively, the “CCPA”). The Regulations modify the initial proposed regulations that were released on July 8, 2022. We discuss the key changes from both versions below.
Important: The written comment period will not end until November 21. Accordingly, it is possible these Regulations may change again.
The Regulations now require a business's processing of personal information to be reasonably necessary and proportionate to achieve the purpose for which the information was collected or processed, or to achieve another disclosed purpose that is compatible with the context in which the information was collected. Whether a purpose is reasonably necessary is judged against what the consumer reasonably expects under the circumstances. Factors to consider in assessing a consumer's reasonable expectation include:
Once the above factors are considered, the business must then only collect, use, retain, and/or share consumers' personal information in a reasonably necessary and proportionate manner to achieve that purpose. The collection, use, retention, and sharing of personal information must then be based on the following:
Businesses must design and implement methods for submitting CCPA requests and obtaining consent that incorporate the following principles:
Cookie Banners. An example in the Regulations states that a website banner offering only two choices when seeking the consumer's consent is not consistent with this section if those two options are merely “accept all” and “more information.” Such a design is not “symmetrical” because it gives the consumer a one-click option to accept everything but no equivalent option to decline. Although the text does not specifically mention cookie banners, it is drafted broadly to apply to any method of “obtaining consumer consent.” Businesses should therefore review their current cookie banners, and keep this symmetry requirement in mind when implementing cookie banners in the future.
Dark Patterns. Any use of “dark patterns” does not comply with Section 7004. A dark pattern is a user interface that “has the effect of substantially subverting or impairing user autonomy, decision-making, or choice.” Additionally, a business's intent in designing the interface is not a determinative factor in whether it is a dark pattern.
Disproportionate Effort. The Regulations further specify when a business is not required to honor a request to access, delete, or correct. A “Disproportionate Effort,” in the context of a business, service provider, contractor, or third party responding to a consumer request, means that the time and/or resources the entity would expend to respond significantly outweigh the reasonably foreseeable impact on the consumer of not responding. This determination must take into account the size of the entity, the nature of the request, and the technical limitations affecting its ability to respond.
The Regulations clarify that sensitive personal information is not subject to requests to limit if such information is collected or processed without the purpose of inferring characteristics of a consumer.
The “Alternative Opt-Out Link” allows businesses to provide the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links as a single, clearly labeled link. The Alternative Opt-Out Link must direct the consumer to a webpage that describes both the option to opt out of the sale or sharing of personal information and the option to limit the use of sensitive personal information. The Alternative Opt-Out Link must be titled “Your Privacy Choices” or “Your California Privacy Choices” and must include the opt-out icon.
When determining the accuracy of the information subject to a consumer's request to correct, the business must consider the totality of the circumstances. The totality of the circumstances includes:
If the business is not the source of the information and the business has no documentation to support the accuracy of the information, the assertion of inaccuracy by the consumer may be sufficient. Additionally, a business may delete the contested information as an alternative to correcting the information if the deletion does not negatively impact the consumer and the consumer consents to such deletion.
The Regulations require businesses to honor opt-out preference signals; a business's only choice is how it processes them. Generally, a business that processes opt-out preference signals in a “frictionless manner” is not required to provide opt-out links for the sale or sharing of personal information or for the right to limit the use of sensitive personal information. Among other requirements, processing a preference signal in a “frictionless manner” means that a business shall not:
The Regulations include additional requirements for Service Provider and Contractor agreements. Such agreements must now include:
The Regulations contain a few additional verification requirements. Notably, (1) a business may not require a consumer to verify their identity for a request to opt out of the sale or sharing of personal information or a request to limit the use of sensitive personal information, and (2) for requests to correct, the business must make an effort to verify the consumer using information that is not itself the subject of the request.
We will continue to monitor the Regulations as the public commentary period for the current version of the Regulations ends on November 21, 2022.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.