On May 27, 2022, the California Privacy Protection Agency (CPPA) released draft regulations (though still not yet part of a formal rulemaking process) that include what would be seismic changes to California Privacy Rights Act (CPRA) requirements that businesses have been preparing for. Below, we summarize the significant changes that would be ushered in by the CPPA’s draft regulations:
“Symmetry in Choice”: Newly added Section 7004 requires that affirmative consent have “symmetry in choice.” The proposed rule would clearly prohibit the use of certain language that the CPPA has expressly identified as asymmetric (e.g., “Yes” versus “Ask me later” for an opt-in) but avoids prescriptive rules that define exactly when choices are asymmetric.
Introduction of Right to Limit Use of Sensitive Personal Information: CPRA grants consumers the right to limit the use of their sensitive personal information in certain circumstances. Section 7027 puts some meat on the bones as to how the CPPA expects this limitation right to work, including granting businesses 15 business days to comply with a specific limitation request.
Building the Process around Right to Correct: Likewise, draft regulation Section 7023 operationalizes how a business needs to handle a consumer’s correction request. Once the consumer submits documentation to support their correction, the business can comply, deny or delete the contested data based on the business’s need for the data or if correcting the data creates disproportionate effort. Critically, this draft regulation appears to balance the burden and risks imposed on businesses by providing safeguards in the event of duplicative or fraudulent correction requests.
Embracing Do Not Track Signals: Section 7025 of the draft regulations may catch many by surprise because it attempts to make it mandatory for businesses to recognize and act on some form of a global opt-out signal, despite what many had thought was the CPRA’s express language to the contrary.
Notice of Disproportionate Effort: The new proposed regulations would require a business that is responding to requests to delete (Section 7022) or correct (Section 7023) to provide a “detailed explanation” that “gives a consumer a meaningful understanding as to why” a business cannot notify every third party to whom personal information may have previously been disclosed of a consumer’s right to delete or correct. While the draft regulations attempt to define “disproportionate effort,” they fundamentally leave the consumer to decide whether they think a business’s explanation is good enough.
Going Beyond the 12-Month Lookback: In Section 7024 (related to requests to know), businesses would now be required to provide “all the personal information it has collected and maintains about the consumer on or after January 1, 2022, including, beyond the 12-month period preceding the business’s receipt of the request, unless doing so proves impossible or would involve disproportionate effort.”
What information is collected
The purpose for collection
Whether personal information is sold or shared
The retention period for personal information
Opt-out rights for sales and sharing of personal information
In privacy policies, each of these disclosures is typically its own section. So, it is unclear just how a business might comply with this new regulation without further clarification from the CPPA.
The above “highlights” only scratch the surface of the proposed rules. The good news is that these are draft regulations, so there is time for further development of the regulations before they become final. While there is still no word on when formal rulemaking will begin, these draft regulations demonstrate that public comments from businesses will be imperative to make sure that CPRA regulations are both practical and reasonable.
McDermott’s Global Privacy & Cybersecurity team can help you navigate the CPRA’s existing rules and ensure compliance with future rules to come. For assistance, please contact Amy Pimentel or David Saunders.
John Ying, a summer associate in the Atlanta office, also contributed to this article.