California Privacy Agency Launches CPRA Rulemaking Process



September 08, 2022

Businesses operating in California should follow the evolving California Consumer Privacy Rights Act regulations because, unless they change significantly, they will likely put California at the forefront of US privacy regulations.

A public hearing on the proposed rule implementing the California Consumer Privacy Rights Act of 2020 (CPRA) concluded on August 25, 2022. The proposed rule, published July 8, 2022, in a notice of proposed rulemaking by the new California Privacy Protection Agency (the Agency), introduces a number of new features that expand the statutory provisions of the CPRA.

Meaning of this step

The Notice of Proposed Rulemaking kicked off the formal comment period on the CPRA Proposed Rule, which concluded with the public hearing. Since the draft regulations contain many significant deviations from the CPRA text, there were many comments, both in writing before the hearing and during the hearing itself. In the coming months, the Agency will publish the final regulations, with any revisions resulting from public comments.

As the July 1, 2022 statutory deadline for adopting the regulations has passed, the Agency is seeking to act quickly, which is necessary to give companies time to prepare for compliance by January 1, 2023. That said, the Agency has not promulgated rules on cybersecurity audits, risk assessments, or automated decision-making technology at this time, but has indicated that it will do so in the future.

Main provisions of the draft regulation

The draft regulations outline the Agency’s priorities and how it will assess a company’s privacy regime. A few important provisions are particularly worth mentioning:

  • Data gathering: The CPRA added new limits, such as the requirement that the collection and use of data be “reasonably necessary and proportionate” to the business purpose. The proposed regulations adopt a “reasonable person” standard, based on “what the average consumer reasonably expects”. The draft regulations give the example of a flashlight app that collects geolocation data (which is clearly not necessary to provide light), indicating that this would not be a reasonably necessary and proportionate collection or use of consumer data. However, an internet service provider may collect geolocation data from its consumers if it uses it to “maintain network health”.
  • New consumer rights: Consumer rights to correct personal information, limit the use of sensitive personal information, and opt out of data sharing (in addition to data sales, which were included in the CCPA) are new in the CPRA. The Agency’s draft regulations provide guidance on how to operationalize these new requests. An interesting development is that these rights can be limited to the extent that “disproportionate effort” is required for a business to comply. It is essentially a balancing test that weighs the consumer’s right to a given request against the burden that complying with the request might place on the business. The regulations give some examples (e.g. consumer data that is not in a searchable format), but they also warn that a company’s claim of disproportionate effort cannot be based on its failure to build adequate processes for responding to consumer requests.
  • Obtaining consumer consent: The CPRA added “symmetry of choice” requirements for seeking consumer consent to the use of personal data. Companies must avoid manipulative language and cannot make opting out more complicated than consenting. For example, it is not acceptable to defer the opt-out with options such as “Ask me later” or “No, I don’t want to save money”. Providing a “Yes” button in a larger font or a more attractive color or format than the “No” button would also constitute a lack of choice symmetry. The draft regulations also provide that withdrawing consent must be as simple as giving it in the first place.
  • Increased transparency: The proposed regulations include new notice requirements designed to increase transparency for consumers. Privacy notices should specify the categories of sensitive personal information collected and the data retention periods.
  • Requirements for working with third parties: Privacy policies shall include notification of data collection by third parties, including identification of third parties. There are also expanded contractual requirements for third-party service providers and contractors. Agreements with third-party service providers should state the “specific” purpose for disclosing personal information – a statement “in generic terms” is not sufficient. Therefore, many companies may need to modify their existing service provider agreements.
  • Enforcement: The Agency is proposing several enforcement mechanisms for the newly amended CCPA. It will accept individual complaints, but they must be sworn under penalty of perjury. It can also launch its own investigations, which could lead to probable cause proceedings that will be closed to the public. The Agency may also undertake audits, announced or unannounced, to investigate possible violations, protect consumer privacy or safety, or review the practices of entities with a history of non-compliance with privacy laws.

Does this proposal differ from the draft rule?

The July 8 draft rule does not differ materially from the draft rule that the Agency published in May 2022.

Next steps for businesses

Companies subject to the CPRA will face significant new privacy obligations. They should therefore start laying the groundwork now by developing an outline of a compliance program to meet the new requirements, even if the regulations remain a work in progress. The CPRA’s effective date of January 1, 2023 is fast approaching, with enforcement beginning July 1, 2023.

For more information on the CPRA and other data privacy laws, visit our US Consumer Privacy Acts resource page.
