California Privacy Protection Agency Modifies its Proposed Regulations
In Short
The Situation: The California Privacy Protection Agency ("CPPA" or "Agency") has modified its proposed regulations implementing many key California Privacy Rights Act ("CPRA") requirements.
The Result: The modifications have resulted in an additional 15-day public comment period until November 21, 2022. The Agency then will consider those comments before it adopts the final regulations and sends them to the California Office of Administrative Law for review and publication.
Looking Ahead: Businesses have little time left to comply with CPRA before the law goes into effect on January 1, 2023. Although not finalized, the modified regulations provide a blueprint for businesses to start designing a CPRA implementation program.
On November 3, 2022, the CPPA modified its proposed regulations implementing many CPRA provisions, cognizant of CPRA's rapidly approaching effective date of January 1, 2023. The explanations accompanying the modifications note how various regulations have been simplified "at this time" for easier implementation. Some of the most important modifications are highlighted below.
Reasonably Necessary and Proportionate … or Compatible with the Context
The most significant modifications consist of new guidance for complying with CPRA's requirement that businesses minimize their personal information processing. In section 1798.100(c), CPRA requires businesses to collect, use, retain, and share consumer personal information only to the extent "reasonably necessary and proportionate to achieve the purpose[]" for which it was collected or for a "disclosed purpose that is compatible with the context" in which the information was collected.
The proposed modifications provide guidance on “reasonably necessary and proportionate to achieve the purpose” and “disclosed purpose that is compatible with the context” by dividing the statutory language into three concepts.
First, all businesses are required to collect only information that is "reasonably necessary and proportionate" regardless of the purpose for which it is collected. This requirement means that business should collect strictly "minimum" personal information necessary for the purpose, while accounting for "possible negative impacts on consumers" of the collection and any "additional safeguards" business could deploy to overcome the negative impacts.
Second, businesses must confirm that information is processed solely to "achieve the purpose" for which it is collected by considering the "reasonable expectations" of a consumer. These expectations can be based on the nature of the interaction between the consumer and the business, type of personal information at issue, how the personal information was collected, the disclosures provided to the consumer, and the extent to which a consumer is aware of any service providers or third parties in the transaction.
Third, to determine a "disclosed purpose that is compatible with the context," businesses need to consider whether a consumer's reasonable expectations (as discussed above) align with the additional disclosed purpose. As the modifications note in an explanatory example, if a consumer provides a business with personal information for cloud storage services, the business cannot then use the personal information to train its face recognition algorithm. The fact that a purpose is disclosed alone will be insufficient to demonstrate that it is "compatible" with a consumer's reasonable expectations under the CPRA.
Other Notable Considerations
As discussed in our July Commentary, "With New Proposed Regulations, the California Privacy Protection Agency Begins its Rulemaking," the global opt-out preference signal is no longer optional. While the CPPA staff acknowledged that the Agency received comments regarding this requirement, it remains firm that the mandatory nature of the requirement is unchanged. The one minor relevant change here is that a JavaScript object also can act as a global opt-out preference signal. As we saw with the recent California Attorney General's enforcement action, the CPPA and the California Attorney General's office consider this a top priority with which businesses must comply.
The modifications also clarified that CPRA's right to limit the use and disclosure of sensitive personal information does not apply when sensitive personal information is not being used for the "purpose of inferring characteristics about a consumer."
In addition, the modifications provide further guidance on how a consumer's exercise of a CPRA right should be operationalized between a business and its service providers and contractors. Essentially, the modifications clarify that service providers and contractors should not process information beyond the purpose of what they agreed to in their contract with the business.
The modifications also set out key contractual requirements between businesses and their service providers, contractors, and third parties. They include prohibitions on service providers from selling or sharing personal information collected on behalf of a business; identifying the "specific [b]usiness [p]urpose" (emphasis added) for which a service provider is processing personal information for a business; prohibitions on service providers retaining, using, or disclosing personal information for any purpose other than the specific business purpose specified in the contract with a business (subject to some exceptions in the regulations); and provisions granting a business the right to take "reasonable and appropriate steps" to ensure that the service provider is using the personal information consistent with the law. There are similar requirements for contracts between a business and third parties.
Three Key Takeaways:
- Data minimization is a key focus for compliance with the CPRA. Businesses should carefully assess their data collection practices and retention to determine whether adjustments are necessary to prevent overcollection of consumer personal information. This should include a review of a business's contracts with service providers and third parties.
- Businesses should carefully consider their data sharing practices and implement global controls to allow consumers to easily opt out of the sharing of their personal information.
- Businesses should continue to monitor developments with the CPRA regulations and take steps to prepare for the CPRA becoming effective on January 1, 2023.
