With less than three months until the California Privacy Rights Act goes into effect on January 1, 2023, the California Privacy Protection Agency (the “Agency”) released updated proposed regulations on October 17, 2022 (the “Regulations”). The Regulations govern compliance with the California Consumer Privacy Act of 2018, which will be amended by the California Privacy Rights Act (collectively, the “CCPA”). The Regulations modify the initial proposed regulations that were released on July 8, 2022. We discuss the key changes from both versions below.

Important: The written comment period will not end until November 21. Accordingly, it is possible these Regulations may change again.

Necessary and Proportionate, Including Data Minimization (§ 7002).

The Regulations now require a business’s processing of personal information to be reasonably necessary and proportionate to achieve the purpose for which the information was collected or processed, or for another disclosed purpose that is compatible with the context in which the information was collected. The determination of whether such purpose is reasonably necessary is based on what the consumer reasonably expects under the circumstances. Factors to consider for a consumer’s reasonable expectation include:

  • The relationship between the consumer and the business;
  • The type, nature, and amount of personal information sought by the business;
  • The source of the personal information and the method of collection and processing by the business;
  • The specificity, explicitness, prominence, and clarity of disclosures to the consumer (including the Notice at Collection or Privacy Policy); and
  • How apparent the involvement of service providers, contractors, or third parties is to the consumer.

Once the above factors are considered, the business must then only collect, use, retain, and/or share consumers’ personal information in a reasonably necessary and proportionate manner to achieve that purpose. The collection, use, retention, and sharing of personal information must then be based on the following:

  • The minimum personal information that is necessary to achieve the purpose;
  • The possible negative impacts on the consumers posed by the business’s collection or processing of that information; and
  • The existence of additional safeguards for the personal information to specifically address the possible negative impacts.

Requirements for Methods for Submitting CCPA Requests and Obtaining Consumer Consent (§ 7004).

Businesses must design and implement methods for submitting CCPA requests and obtaining consent that incorporate the following principles:

  • Language that is easy to understand;
  • Symmetry in choice, meaning the business shall not make it more difficult to exercise a more privacy-protective option than a less privacy-protective option;
  • Avoidance of language that is confusing to the consumer;
  • Avoidance of choice architecture that impairs or interferes with the consumer’s ability to make a choice; and
  • Design that makes the method easy to execute.

Cookie Banners. An example provided by the Regulations states that a website banner that only provides two choices when seeking the consumer’s consent is not consistent with this section if the two options only allow “accept all” and “more information.” This is not considered equal or “symmetrical” because it allows one to accept all options but does not allow for a symmetrical option for declining. While this language does not specifically call out cookie banners, this is broadly drafted to apply to “obtaining consumer consent.” Therefore, businesses should review current cookie banners or keep this in mind if implementing cookie banners in the future.

Dark Patterns. Any use of “dark patterns” does not comply with Section 7004. A dark pattern is a user interface that “has the effect of substantially subverting or impairing user autonomy, decision-making, or choice.” Additionally, a business’s intent in designing the interface is not a determinative factor in whether it is a dark pattern.

Disproportionate Effort. The Regulations further specify when a business is not required to exercise a right to access, delete, or correct. A “Disproportionate Effort,” within the context of a business, service provider, contractor, or third party responding to a consumer request, means that the time and/or resources expended by such entity to respond to the request significantly outweigh the reasonably foreseeable impact to the consumer of not responding. Such determination must take into account the size of the entity, the nature of the request, and the technical limitations impacting its ability to respond.

Privacy Policy (§ 7011) and Notice at Collection (§ 7012).

The Regulations require additional content to be included in a Privacy Policy. This includes information regarding (i) how opt-out preference signals will be processed, including in a “frictionless manner,” if applicable; (ii) a general description of the process used to verify a consumer request, including the information required from the consumer; (iii) the use and disclosure of sensitive personal information; and (iv) the sale or sharing of personal information of consumers under 16 years of age.

The Regulations also require additional content in the Notice at Collection. The additional required information includes (1) the categories of sensitive personal information, (2) whether the categories of personal information collected are shared or sold, and (3) the length of time the business intends to retain each category. The Notice at Collection must be provided where a consumer will encounter it at or before the point of collection of personal information. The Notice at Collection may be given to a consumer online by providing a link to the Privacy Policy; however, the link must take the consumer to the specific section that contains the required Notice at Collection information. Taking the consumer to the beginning of the Privacy Policy is not sufficient.

Right to Limit the Use and Disclosure of Sensitive Personal Information (§ 7027).

The Regulations clarify that sensitive personal information is not subject to requests to limit if such information is collected or processed without the purpose of inferring characteristics of a consumer.

Alternative Opt-Out Link, Return of the Opt-Out Icon (§ 7015).

The “Alternative Opt-Out Link” allows businesses to provide the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links as a single, clearly labeled link. The Alternative Opt-Out Link shall direct the consumer to a new webpage that details both the option to opt out of the sale or sharing of personal information and the option to limit the use of sensitive personal information. The Alternative Opt-Out Link must be titled “Your Privacy Choices” or “Your California Privacy Choices” and shall include the opt-out icon.

Requests to Correct (§ 7023).

When determining the accuracy of the information subject to the consumer’s request to correct, the business shall consider the totality of the circumstances. The totality of the circumstances includes:

  • The nature of the personal information (objective, subjective, unstructured, sensitive, etc.).
  • How the business obtained the information.
  • Documentation relating to the accuracy of the information.

If the business is not the source of the information and the business has no documentation to support the accuracy of the information, the assertion of inaccuracy by the consumer may be sufficient. Additionally, a business may delete the contested information as an alternative to correcting the information if the deletion does not negatively impact the consumer and the consumer consents to such deletion.

Opt-Out Preference Signals (§ 7025).

The Regulations require businesses to honor opt-out preference signals. Businesses only have a choice in how these signals are processed. Generally, businesses that process opt-out preference signals in a “frictionless manner” are not required to provide opt-out links for the sale or sharing of personal information or for the right to limit sensitive personal information. Among other requirements, processing a preference signal in a “frictionless manner” means that a business shall not:

  • Charge a fee or require any valuable consideration for processing the signal;
  • Change the consumer’s experience on the website or service as a result of the signal; or
  • Display a notification or pop-up in response to the signal, unless such pop-up is only to notify the consumer of their opt-out preference.

Service Provider and Contractor (§§ 7050-7051).

The Regulations include additional requirements for Service Provider and Contractor agreements. Such agreements must now include:

  • Identify the specific business purposes for the processing. It is not sufficient to state “as described in the agreement.”
  • Specifically state that the service provider or contractor must comply with all applicable sections of the CCPA and the Regulations, including providing the same level of privacy protection as required of the business under the CCPA.
  • Require the service provider or contractor to notify the business if the service provider or contractor determines that it can no longer meet its obligations under the CCPA.
  • Allow the business to take appropriate steps to ensure the service provider or contractor is complying with the requirements of the CCPA and the Regulations. These steps may include manual reviews and automated scans of the service provider’s or contractor’s systems.

Verification (§ 7060).

The Regulations contain a few additional verification requirements, such as (1) a business cannot require a consumer to verify their identity for a request to opt-out of the sale or sharing of personal information or a request to limit sensitive personal information and (2) for requests to correct, the business shall make an effort to verify the consumer based on information that is not subject to the request.

Investigations and Enforcement (Article 9).

  • Sworn Complaints (§ 7304). Sworn complaints may be filed through the electronic complaint system available on the Agency’s website or by mail. Such complaints must:
    • Identify the business or other entity;
    • State the facts that support each alleged violation and include any documents;
    • Authorize the alleged violator and Agency to communicate regarding the complaint;
    • Include the name and current contact information of the complainant; and
    • Be signed and submitted under penalty of perjury.
  • Agency Audits (§ 7304). The Agency now has the ability to audit any business, service provider, contractor, or person to ensure compliance with the CCPA. These audits may occur to investigate possible violations of the CCPA or to determine whether the business’s collection or processing of personal information presents a significant risk to consumers. Most importantly, the audits may be announced or unannounced.

We will continue to monitor the Regulations as the public commentary period for the current version of the Regulations ends on November 21, 2022. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.