California Privacy Protection Agency Posts Preliminary Proposed Regulations
The California Privacy Protection Agency Board (the "CPPA Board") announced on May 27, 2022, that it would hold a public meeting on June 8 to discuss, among other things, a set of detailed proposed regulations to "Implement, Interpret, and Make Specific" the California Consumer Privacy Act ("CCPA").[1] The CPPA Board's release of these proposed regulations (the "Proposal") marks another step forward in the preliminary stage of rulemaking authorized under the California Privacy Rights Act ("CPRA") but does not trigger the notice-and-comment period that signals the official start of the rulemaking process. That will come later. While the Proposal is extensive—comprising 66 pages—it does not cover all of the topics that the CPRA directed the CPPA to address, leaving for later provisions on cybersecurity audits, privacy risk assessments, and automated decision-making technologies. These topics may be addressed in a subsequent draft being worked on by the New Rules Subcommittee. In the meantime, we can see from the Proposal that the CPPA appears to be veering far afield from the direction that other recently enacted state privacy laws have taken, potentially imposing a number of prescriptive requirements and impractical obligations that will not align well with many businesses' operations. Moreover, the Proposal offers some insight into how the CPPA potentially will exercise its enforcement and audit authority.
The Proposal
Below we offer some highlights and takeaways to consider in advance of the CPPA's upcoming June 8 meeting:
Businesses May Have to Make Numerous Consumer-Facing Disclosures [2]
Among other things, the Proposal would expand the requirement to provide a "notice at collection" to include not just businesses that collect personal information from consumers but also those that control the collection of such information. This includes third parties that collect personal information from consumers who visit first parties' websites. First parties would need to include in their privacy policies either the names of all such third parties or a description of such third parties' business practices. The Proposal also makes clear that the notice of the right to opt out of sale and sharing and the notice of the right to limit the use and disclosure of sensitive personal information would need to be provided no matter the technology through which the consumer interacts with the business. Specifically, the Proposal states that smart devices and augmented reality and virtual reality services and devices would have to provide notices in a manner that ensures the consumer will encounter them. One can imagine some creative ways in which notices could be provided in an AR/VR environment, but smart devices may prove challenging depending on the size of the device and the way the consumer uses it.
Cookie Banners or Cookie Controls Will Not Suffice Alone as Opt-Out or Limit Mechanisms [3]
Because cookie banners address the collection of personal information and not the sale, sharing, use, or disclosure of such information, businesses would not be able to rely on cookie banners alone to satisfy their obligation to provide opt-out or limit mechanisms.
The CPPA Is Serious About Dark Patterns
Under the CCPA, consumers cannot provide valid consent through an "agreement obtained through the use of dark patterns."[4] A "dark pattern" is a user interface "that has the effect of substantially subverting or impairing user autonomy, decisionmaking, or choice, regardless of a business's intent."[5] Thus, perfectly well-intentioned design choices that substantially – but inadvertently – impair user choice can vitiate the consumer's consent to, for instance, share personal information, leaving the business vulnerable to an enforcement action. The Proposal sets out the following principles that businesses would need to consider as they design their user interfaces to present choice mechanisms to consumers:
- Make consent mechanisms easy to understand. The mechanisms must use language that is "easy for consumers to read and understand."
- Provide symmetry in choice. The path for a consumer to exercise a more privacy-protective option must not be longer than the path to exercise a less privacy-protective option. The proposed regulations explain that a website banner that provides two options, "accept all" and either "more information" or "preferences," would not be considered symmetrical. A symmetrical choice instead would provide the options "accept all" and "decline all."
- Avoid language or interactive elements that are confusing to the customer. For instance, businesses would need to ensure that they do not provide choices using double negatives, such as by presenting a choice of "Yes" or "No" next to the statement "Do Not Sell or Share My Personal Information."
- Avoid manipulative language or choice architecture. Don't use language that "guilts or shames" the customer into making a particular choice, such as by offering the choice between "Yes" and "No, I don't want to save money," or including consent to incompatible uses.
- Make the choice easy to execute. Don't require a consumer to scroll through unnecessary text to find the opt-out mechanism after clicking on the "Do Not Sell or Share My Personal Information" link.
Several of the other state privacy laws that have been enacted recently also prohibit businesses from obtaining valid consent through the use of dark patterns, and the European Union similarly has made "dark patterns" a priority. Businesses therefore do not need to wait for final regulations before they start to review and update their consent mechanisms to ensure that they are not inadvertently obfuscating or impairing user choice.
Requests for Information May Not Be Limited by a Twelve-Month Lookback [6]
The Proposal would require businesses to produce to consumers who request access to "specific pieces" of personal information all personal information collected and maintained as of January 1, 2022, unless doing so "proves impossible" or would involve a "disproportionate effort" (i.e., if the "time and/or resources expended by the business to respond to the individualized request" would be significantly higher than the material impact on the consumer if the business were to deny the request). Businesses would have to provide a detailed disclosure to consumers explaining why producing the information would be "impossible" or involve a "disproportionate effort" if they chose to rely on this exception. This expanded requirement could incentivize businesses to get rid of data that they no longer need.
Opt-Out Preference Signals Would Be Mandatory [7]
The Proposal makes clear that businesses would be required to honor a request to opt out of the sale or sharing of personal information when communicated by a signal that (1) is in a format commonly used and recognized by the business (such as an HTTP header field); and (2) is sent by a platform, technology, or mechanism that makes clear to the consumer that the signal will opt the consumer out of the sale or sharing of their personal information. Businesses could forgo providing the "Do Not Sell or Share My Personal Information" link (or an alternative opt-out link) to consumers provided that they honor the signals in a "frictionless manner," meaning that they could not charge a fee or other valuable consideration; provide a different or unequal experience; or display notification, pop-ups, graphics, animation, or other messaging (with some exceptions) to consumers who used the opt-out preference signal. Businesses would be required to explain in their privacy policies how consumers can use the opt-out preference signal and provide a means by which consumers could confirm that the business had honored the signal. (The Proposal suggests but does not require that a business could fulfill this requirement by displaying "Opt-Out Preference Signal Honored" when a consumer visits the website.) Further complicating compliance, businesses would be required to notify downstream recipients of the consumer's personal information that the consumer had exercised the right to opt out.
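As an added illustration (not part of the original alert and not any CPPA or vendor code), the Python sketch below shows how a web backend might apply the two conditions for honoring an opt-out preference signal and the "frictionless manner," confirmation, and downstream-notification points described above. It assumes the Global Privacy Control header `Sec-GPC: 1` as the recognized signal (the Proposal does not name a specific header) and uses in-memory dictionaries in place of real consumer and recipient systems.

```python
from dataclasses import dataclass, field

# Assumption: the business recognizes the Global Privacy Control header
# "Sec-GPC: 1" as a commonly used opt-out preference signal. The Proposal
# speaks only of "an HTTP header field"; GPC is one real-world example.
RECOGNIZED_SIGNAL_HEADERS = {"sec-gpc": "1"}

CONFIRMATION_TEXT = "Opt-Out Preference Signal Honored"  # wording the Proposal suggests


@dataclass
class OptOutRecord:
    """Per-consumer state kept by the business (in-memory stand-in for a database)."""
    consumer_id: str
    opted_out_sale_sharing: bool = False
    downstream_notified: list = field(default_factory=list)


def signal_present(headers: dict) -> bool:
    """True when a recognized opt-out preference signal is in the request headers."""
    normalized = {k.lower(): str(v).strip() for k, v in headers.items()}
    return any(normalized.get(name) == value
               for name, value in RECOGNIZED_SIGNAL_HEADERS.items())


def handle_request(consumer_id, headers, record_store, downstream_recipients):
    """Apply the opt-out rules to one request and return the response decisions.

    - share_allowed: whether personal information may be sold or shared.
    - show_popups: False for signalled consumers (no notifications, pop-ups,
      graphics or animation directed at them), i.e. the "frictionless manner".
    - banner: the confirmation text so the consumer can verify the signal was honored.
    Assumption: once honored, the opt-out persists even if a later request
    (for example from a different browser) carries no signal.
    """
    record = record_store.setdefault(consumer_id, OptOutRecord(consumer_id))
    if signal_present(headers):
        record.opted_out_sale_sharing = True
    if record.opted_out_sale_sharing:
        # Downstream recipients must be told the consumer opted out; notify each once.
        for recipient in downstream_recipients:
            if recipient not in record.downstream_notified:
                record.downstream_notified.append(recipient)  # stand-in for sending the notice
    opted_out = record.opted_out_sale_sharing
    return {
        "share_allowed": not opted_out,
        "show_popups": not opted_out,
        "banner": CONFIRMATION_TEXT if opted_out else "",
    }
```

The `downstream_notified` list stands in for whatever transport the business uses to reach its recipients; the point is that the notification is tracked per recipient so it is neither skipped nor repeated.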
Request to Correct Would Require Assessment of Consumer's Claim [8]
The Proposal would allow businesses to deny consumers' requests to correct personal information if, based on the "totality of the circumstances," the business were to conclude that the contested personal information was more likely than not accurate or, among other things, that the business has "a good-faith, reasonable, and documented belief that a request to correct is fraudulent or abusive." In doing so, the business would be required to accept, review, and consider any documentation that the consumer provided and explain the denial to the consumer. Businesses would need to flow down to service providers and contractors any corrections made.
Extensive Contractual Requirements for Service Providers, Contractors, and Third Parties [9]
Provisions regarding contractual arrangements with service providers, contractors, and third parties are extensive. Among other things, any transfer of personal information to another party—whether as a sale, for cross-context behavioral advertising, or for a business purpose—would have to be governed by a contract that (1) limits the receiving party's use of the personal information to the specific uses outlined in the agreement; (2) grants the disclosing party the right to take "reasonable and appropriate steps" both to ensure that the receiving party is using the personal information consistent with its contractual obligations and to stop and remediate any unauthorized use; and (3) requires the receiving party to notify the disclosing party if it can no longer meet its obligations.
The entities most likely to be impacted by these changes are entities that facilitate information exchange between parties and participants in the advertising ecosystem. That's because all parties must track personal information precisely to avoid impermissibly combining information or using it for purposes not specified in their agreements. Companies that rely heavily on "master agreements," where it is difficult to foresee all potential uses of information, would need to consider how to address these disclosure requirements.
In addition, adtech companies would be contractually required to identify and respond to opt-out signals and in many cases may not be able to rely on service provider or contractor status to avoid a "sale." And they would need to reassess their terms of use because they would have to comply with requirements applicable to third parties.
Prediction: This would renew interest in defining what information constitutes "de-identified information" so that parties can avoid complicated contractual relationships.
Enforcement and Audits [10]
Many companies in the U.S. have enjoyed relative freedom from regulatory scrutiny and enforcement related to data privacy compared to what companies experience in other jurisdictions. That's about to change. The Proposal suggests that the CPPA is still developing its approach to enforcement and how it will exercise its authority, but it is considering opening investigations based on anonymous and nonsworn complaints from consumers, in addition to referrals from government agencies and private organizations, or on its own initiative; making probable cause proceedings regarding violations final and not subject to appeal (but generally non-public); and conducting audits—announced or unannounced—of businesses, service providers, contractors, third parties, and persons whose processing of personal information presents a "significant risk" to consumer privacy or security and who have a history of non-compliance with the CCPA or any other privacy protection law.
Next Steps
The CPRA directed the CPPA to finalize regulations no later than July 1, 2022, allowing for a six-month compliance window ahead of the law's effective date on January 1, 2023. To initiate a formal rulemaking action, the CPPA must file a notice of proposed rulemaking along with the proposed regulations. That will trigger a 45-day minimum public comment period, during which the Board has expressed an intent to hold several meetings and public hearings to discuss and receive feedback on the proposed regulations before submitting a final rulemaking package. Once the process is officially initiated, the CPPA must complete it and submit the completed rulemaking file to the California Office of Administrative Law within one year. Although CPPA Executive Director Ashkan Soltani previously acknowledged that completion of the process will extend "somewhat past" the statutory schedule, the Board has not announced what, if any, relief it might offer to businesses that are forced to guess how best to come into compliance before the January 1, 2023, effective date in the absence of final rules.
FOOTNOTES
[1] The CCPA, as amended by the CPRA, directed the CPPA to promulgate regulations by July 1, 2022. Cal. Civ. Code § 1798.185(d). The CPPA has acknowledged that it will not complete the rulemaking process by the statutory deadline and expects to publish final regulations in the third or fourth quarter of 2022.
[2] Section 7010.
[3] Sections 7026, 7027.
[4] Cal. Civ. Code § 1798.140(h).
[5] Section 7004; see also Cal. Civ. Code § 1798.140(l) (a dark pattern is a "user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice, as further defined by regulation").
[6] Section 7024.
[7] Section 7025.
[8] Section 7023.
[9] Sections 7050-7053.
[10] Sections 7300-7304.