The CPRA Regulations: A Journey That Will Extend Well Beyond 2023

Hashed & Salted | A Privacy and Data Security Update

Key Takeaways

1. The updated timeline for initial California Privacy Rights Act (CPRA) regulations is as follows: A vote on final regulations should occur at the end of January/beginning of February 2023. The California Privacy Protection Agency (CPPA) expects the regulations to be approved by the California Office of Administrative Law (OAL) and finalized by early April 2023.
2. The CPPA has the discretion to consider the time between the effective date of the statutory or regulatory requirements and possible violations of those requirements. It will also consider good faith efforts to comply.
3. The rule-making process will be ongoing. Businesses should be prepared for change. New regulations could be issued yearly or more frequently based on the CPPA’s observations of how companies are operationalizing their requirements. 

Where Are We With the CPRA Regulations?

If you’re reading this, you’re (hopefully) very well aware of the wait for the CPPA to issue final regulations to the CPRA. The CPPA held its last meeting of the year Dec. 16. Executive Director Ashkan Soltani provided an update on the rule-making process during his remarks, noting that the CPPA received 55 comments (totaling 450 pages) in the last round of comments. The agency staff completed their initial review of the comments and were preparing responses and updates to the Statement of Reasons. Director Soltani did not anticipate needing to recommend further changes to the draft regulations but said changes are still possible. The CPPA hopes to have a final rules package for review by mid-January/early February. Assuming there will be no further changes, the finalized rule package will be submitted to the OAL by mid-to-late February. The OAL has 30 business days to review. Director Soltani believes the earliest the regulations will be in effect is April 2023. If the OAL does not approve the rules package, the CPPA will have 120 days to fix any issues. The OAL can approve some regulations and require fixes to others on a case-by-case basis. 

Current CCPA regulations will remain in effect until the OAL finalizes the new regulations. 

How Did We Get Here?

As we experienced with the regulations issued under the California Consumer Privacy Act (CCPA), the CPRA regulations will provide meaningful detail concerning the CPRA’s obligations and, in some cases, will add requirements that are new or materially different than the plain language of the statute. The timeline for issuing final regulations was July 1, which would have given companies six months to make the operational changes needed to address the requirements. Instead, we are days away from the CPRA’s effective date of Jan. 1, and the first package of regulations remains in draft form. The delay in issuing final regulations has left many companies in limbo. Companies must find a balance between addressing the CPRA’s requirements and not wasting time and resources on obligations that may change.   

This round of rule-making has provided an eye-opening look into the difficult task of creating regulations. Now that rule-making authority has been transferred to the CPPA and the Bagley-Keene Open Meeting Act governs the process, all agency meetings must be noticed and conducted in public unless specifically authorized by the act to meet in closed session. We have listened to each public meeting of the CPPA. The agency appears to be grappling with the desire to get final regulations out to the business community (an acknowledgment that the regulations are material to business operations), their mission to protect consumer privacy, and the need to draft clear, transparent rules that align with the scope of the CPPA’s authority. Every word has a meaning and is subject to debate by members of the agency’s board. The regulations are extremely prescriptive (including dictating the specific language to be used in connection with opt-outs and the specific options available to address the right to correction). However, it is clearly challenging to prescribe process requirements that can realistically be applied equally to all businesses. 

What To Expect From the Changes

Below are some highlights of the changes the agency staff is currently finalizing.

Service providers, contractors and third parties

• Modifications clarify that a party can be a service provider or contractor in one context and a third party providing cross-context behavioral advertising services in another. The regulations still make it clear that a party is not acting as a service provider or contractor when it provides cross-context behavioral advertising.
• Modifications clarify service provider and contractor business purposes, specifically around detecting security incidents and improving services. 

Dark patterns

• Modifications attempt to map the language of the regulations to the statute (e.g., definitions of consent and dark patterns in CPRA).
• Modifications attempt to broaden the description of symmetry and choice to note that the path for a consumer to exercise an option shall not be “more difficult or time-consuming” or foreclose other paths to exercise choice.
• Modifications attempt to avoid gotcha violations by noting that “unnecessary friction” in the CCPA request process occurs when a business knows of but does not remedy circular or broken emails and links (as opposed to finding broken links alone to be a violation). 

Notice at collection 

• Modifications remove the requirement for businesses to list the names of third parties that are allowed to control the collection of personal information in the notice at collection. This does not nullify the fact that the third party controlling personal information collection must also provide a notice at collection.

Responding to a detected opt-out preference signal

• Modifications clarify that businesses must treat an opt-out preference signal as a valid request for pseudonymous profiles and known visitors.
• Modifications simplify implementation by making it optional to display the user’s choice after honoring the request (such as displaying a “We No Longer Sell Your Personal Information” link in the website footer).

What Comes Next?

In the last two meetings of the CPPA, the board has made it clear that this rule-making process will be ongoing. We expect the CPPA to begin to take comments on rules to address cybersecurity assessments, audits and automated decision-making requirements in 2023. However, as board member Alistair MacTaggart noted, there will always be a new rule bubbling. During the October meeting, the board directed the staff to consider many items for future rules packages. The board also directed staff to keep a close eye on how compliance with certain obligations plays out in the marketplace. The items to watch include:

• Whether businesses should display the consumer’s opt-out choice (such as a “We No Longer Sell Your Personal Information” link) so consumers can be confident their choice has been honored.
• In the employee context, staff should consider interpretations of business purposes and prohibit employee data from being used for health-related research.
• Whether businesses should disclose the number of third parties that personal information is shared with instead of those parties’ names. Staff will watch how things play out in the marketplace, especially in light of data minimization and contract requirements introduced by CPRA.
• Offline collection notice fatigue and whether notice obligations can be minimized where a business only uses personal information as reasonably expected by the consumer. 
• Creating contract templates that can be incorporated by reference by covered entities. It would help smaller businesses that don’t have deep pockets for lawyers.
• Regulations specifically for connected TVs and cars.
• B2B regulations that promote privacy and workability. There is less concern from board members about employee data because substantial protections already exist.
• Whether to require businesses to direct consumers to contact the CPPA if they have concerns with the business’s privacy practices. 
• Whether businesses are adding too much friction to the opt-out process when an opt-out is submitted via an opt-out preference signal. Staff will monitor businesses to ensure they do not abuse this regulation. If the business takes the consumer through seven steps before it processes the opt-out preference signal, that is too much friction. 

What Should You Do Now? 

On the consumer side, companies should update their privacy policies to address the right to correct, opt out of sharing and limit the use of sensitive personal information (where applicable).  The regulations addressing the requirements for the Privacy Policy and Notice at Collection are likely to remain the same at this point and should be considered as companies make their annual privacy policy updates. Companies should also update their Do Not Sell mechanism to include the right to opt out of “sharing.” Finally, the California Attorney General is already enforcing the requirement to honor browser-based opt-outs. Companies should update their websites to receive the Global Privacy Control (currently, the only browser-based opt-out preference signal that the California Attorney General has expressly recognized). 

Between January and July, companies should work to update their service provider, contractor and third-party agreements to address the CPRA requirements, as detailed in the regulations. Companies should also review their website copy and consumer journey to identify any potential dark patterns and review their internal practices to confirm alignment with the purpose limitations outlined in the regulations. Companies should document their practices and the decisions made to address the changes in the law. While the 30-day cure period will no longer be available, companies that can at least demonstrate a good faith attempt to comply with the law and a justification for their compliance efforts will likely be in a better position to address inquiries from the CPPA.