California Privacy Protection Agency Releases Draft CPRA Regulations

California Privacy Protection Agency Releases Draft CPRA Regulations

Client Alert

Contributors

On May 27, 2022, the California Privacy Protection Agency (CPPA) released draft regulations for the California Privacy Rights Act (CPRA) (Draft Regulations). The Draft Regulations come roughly two months before the agency is required to adopt final regulations for the law (by July 31, 2022) and almost seven months before the CPRA is set to go into effect on January 1, 2023. The CPPA had previously announced that the final regulations may be delayed until fall 2023, and it is unclear whether these new Draft Regulations will put them on track to meet the statutory deadline. In terms of next steps, the Draft Regulations will be subject to extensive public review and comment and will be discussed during the CPPA’s next board meeting on June 8.

The biggest takeaway for businesses is that they now have a road map for CPRA compliance. The Draft Regulations use the already-effective California Consumer Privacy Act (CCPA) regulations as a starting point and implement edits mandated by the CPRA on top of the CCPA’s requirements. Businesses subject to the CCPA can use the same strategy and rely on their current CCPA compliance framework as a starting point for the CPRA.

Still, CPRA compliance may prove to be a significant undertaking for some businesses, especially when compared with the compliance efforts required by the other state laws set to go into effect (in Virginia, Colorado, Utah and Connecticut). The text of the CPRA is already more prescriptive than that of the other laws, and the Draft Regulations build on these already-detailed statutory requirements by prescribing more details through regulations. Additionally, the CPRA expands on the CCPA in meaningful ways, and the Draft Regulations reflect that. Notable additions in the Draft Regulations compared with the previous CCPA regulations include new requirements on dark patterns, opt-out preference signals, requests to correct and third-party contracts. 

Compliance should also be a priority for businesses because penalties under the CPRA can be as high as $7,500 per intentional violation. While this is the same amount as under the current CCPA, it is likely that there will be more enforcement actions under the CPRA because there are now two regulators in charge of enforcement (the CPPA and the California Attorney General’s office, though only the CPPA has rulemaking authority).

The good news is that businesses can get a head start on compliance by implementing the Draft Regulations to their privacy practices, to the extent applicable. And while the Draft Regulations can potentially be modified (and likely will be, to some extent), the CCPA’s rulemaking history indicates that these changes are likely to be minimal, which means that the Draft Regulations can likely provide a solid compliance foundation for businesses.       

Notably, the Draft Regulations do not address all the areas where the CPPA has rulemaking authority. Specifically, they do not address many of the topics that are exclusive to the CPRA (as opposed to also being addressed in the previous CCPA regulations), including cybersecurity audits, requirements related to automated decision-making technology, and data protection risk assessments. It is possible that the CPPA will address these topics in future iterations of the CPRA regulations.

Below are the key highlights from the Draft Regulations. We have also summarized in more detail the most notable points from each of the major sections of the Draft Regulations. We will continue to keep you posted on the CPRA and are happy to answer any questions you may have about CPRA compliance. To stay updated with our writings on this topic, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.  

Key Highlights

  1. Dark patterns. The Draft Regulations provide specific guidelines for how a business must present consumers with their ability to exercise their rights and obtain valid consent under the law. The Draft Regulations state that any practice that does not comply with these requirements may constitute a “dark pattern.” They further define a dark pattern as a user interface that has the “effect of substantially subverting or impairing user autonomy, decisionmaking, or choice, regardless of a business’s intent” and note that any agreement obtained through the use of dark patterns will not constitute consumer consent. Notably, the Colorado Privacy Act also regulates dark patterns. Compliance with the CPRA in this respect may also give businesses a head start with compliance in Colorado (though the Colorado Attorney General’s office will likely adopt its own regulations on this issue). 
  2. Opt-out preference signals. The CPRA requires businesses to treat opt-out preference signals as valid requests to opt out of the sale or sharing of their personal information. According to the Draft Regulations, a business shall process any opt-out preference signal as a valid request to opt out of sale/sharing if (1) the signal is in a format commonly used and recognized by businesses (such as an HTTP header field) and (2) the platform, technology or mechanism that sends the opt-out signal makes clear to the consumer that the use of the signal is meant to have the opt-out effect (regardless of whether or not the signal is tailored to only California residents). As is the case with dark patterns, opt-out preference signals also fall under the regulatory authority of the Colorado Attorney General for the Colorado Privacy Act, and it is unclear how the requirements in Article 3 of the Draft Regulations will align with the forthcoming Colorado Privacy Act regulations in this regard. 
  3. New notice requirements. The Draft Regulations modify the various notice requirements under the CCPA to bring them in line with the CPRA, including what disclosures are required in a business’s privacy policy. Businesses subject to the law will have to update their privacy policies and other notices accordingly prior to January 1, 2023. 
  4. Requests to correct. In addition to the right of individuals to access and delete their personal information, the CPRA expands upon the CCPA’s individual rights requirements and requires businesses to provide consumers with the ability to correct their information. Article 3 discusses these specific requirements. All the other state laws going into effect next year also provide consumers with the ability to correct their personal information, so CPRA compliance in this respect will also assist businesses in complying with other state laws. 
  5. Requests to limit. The CPRA provides consumers with the ability to limit the use of their sensitive personal information. This is a somewhat different feature of the CPRA (though the privacy law set to go into effect in Utah has a similar requirement). The laws in Virginia, Colorado and Connecticut require consumer consent to process sensitive data in the first instance. Article 3 discusses how a business can comply with this requirement. 
  6. Contracting requirements. One of the key differences between the CPRA and the CCPA is that the CPRA requires certain contractual provisions among all entities to which a business discloses personal information (not just service providers), including a new category of entities called contractors (which are similar to service providers) and third parties. (This is also a notable difference between the CPRA and the laws going into effect in other states, which require certain contractual elements only between contractors and processors.) Article 4 outlines these specific requirements as well as the duties of a third party that receives personal information from a business subject to the law. 
  7. Targeted advertising. The Draft Regulations state that a person who contracts with a business to provide cross-contextual behavioral advertising is a third party and not a service provider or contractor under the CPRA. This is an important clarification, as it requires businesses to provide consumers with the ability to opt out of the sale/sharing of their personal information in relation to any entities to which the businesses disclose personal information for cross-contextual behavioral purposes. Businesses that have treated these third parties as “service providers” under the CCPA will have to modify this approach going forward.
  8. Enforcement. The Draft Regulations include a new section on CPPA enforcement actions. Specifically, this section includes information on how a person can make a sworn complaint to the agency, as well as how the agency can conduct probable cause hearings and audits and enter into stipulated orders. 
Notable Updates by Section

Definitions

The most notable changes to the “Definitions” section of the Draft Regulations are the addition of the new concepts outlined in the CPRA that were not included in the CCPA. These include new definitions for “Request to correct,” “Request to limit” and “Opt-out preference signal.” The Draft Regulations also include new definitions for concepts that will provide guidance to businesses as to the various requirements under the law. These include definitions for “disproportionate effort,” “frictionless manner” and “unstructured.” Finally, the Draft Regulations modify or delete some preexisting definitions from the CCPA, including “affirmative authorization,” “authorized agent” and “household.”

  • Opt-out preference signals. The Draft Regulations add a definition of an “opt-out preference signal” as a signal sent by a platform, technology or mechanism on behalf of the consumer that communicates the consumer choice to opt out of sale and sharing of personal information and that complies with the requirements set forth in the Draft Regulations. 11 CCR § 7001(r). This section was added because the CPRA requires businesses to comply with consumer requests submitted through universal opt-out mechanisms. The specific requirements for these opt-out mechanisms are outlined in Section 7025 of the Draft Regulations (which we further explain below).
  • New rights under the CPRA. The Draft Regulations add definitions for a “Request to correct” (i.e., a consumer’s right to modify or amend the information a business has on file) and a “Request to limit” (i.e., a consumer’s right to direct a business to limit the use of “sensitive” personal information to certain enumerated purposes). These new definitions correlate with new rights that businesses must offer California residents under the CPRA.
  • Disproportionate effort. Throughout the Draft Regulations, the CPPA does not require a business to comply with its various individual rights obligations if a particular request requires “disproportionate effort.” The Draft Regulations define effort as being “disproportionate” if “the time and/or resources expended by the business to respond to the individualized request significantly outweighs the benefit provided to the consumer by responding to the request.” This definition essentially requires businesses to conduct a balancing test in order to conclude whether a particular request requires a disproportionate effort. Notably, the Draft Regulations state that a business cannot claim that a request requires disproportionate effort if the business “has failed to put in place adequate processes and procedures to comply with [consumer requests].”
  • First party. The Draft Regulations now include a definition of “First party.” This definition is likely included to differentiate between the new obligations that apply to “third parties” under the CPRA (which we detail below).
  • Unstructured data. The Draft Regulations add a definition of “unstructured” data as “personal information that is not organized in a predefined manner, such as text, video files and audio files.” This definition is relevant because, in order to comply with “Requests to correct” under the law, businesses must consider the nature of the personal information (i.e., whether it is objective, subjective, unstructured or sensitive).
  • Removal of old definitions. The Draft Regulations remove the definitions of “household” and “affirmative authorization” because these concepts are now defined in the text of the CPRA (though the law now defines “affirmative authorization” as “consent”).
Article 1: General Provisions

The Draft Regulations impose additional requirements for data processing, consumer communications and consumer request verification. For one, the new regulations require that businesses collect, use, retain and/or share consumers’ personal information in a way that is reasonably necessary and proportionate (i.e., consistent with what an average consumer would expect) to the purposes for which the information was collected. 11 CCR § 7002(a). The collection, use, retention and/or sharing of personal information can also be done for another disclosed purpose if it is compatible with what is reasonably expected by the average consumer. 11 CCR § 7002(a). However, if the data use is unrelated to or incompatible with the purpose for which the information was collected or processed, a business needs to obtain explicit consent from the consumer. 11 CCR § 7002(a). 

The Draft Regulations retain the readability and presentation standards for consumer disclosures required by the CCPA regulations. 11 CCR § 7003. Moreover, the regulations provide principles to guide businesses in designing the methods for submitting CCPA requests and obtaining consumer consent. 11 CCR § 7004(a). If a CCPA request or consumer consent method does not comply with the regulations, it may be considered a dark pattern (i.e., a user interface that has the “effect of substantially subverting or impairing user autonomy, decisionmaking, or choice, regardless of a business’s intent”). 11 CCR §§ 7004(b)(c). Agreements obtained through a dark pattern will not constitute consumer consent under the regulations. 11 CCR §7004(b). Below are some specific guidelines from the Draft Regulations that businesses can adhere to. 

  • Necessary and proportionate, or compatible, uses. Businesses are required to ensure that their collection, use, retention and sharing of consumer personal information is necessary and proportionate to, or compatible with, the purposes for which the information was collected. Otherwise, they must ensure that explicit consumer consent is provided. For example, if a business provides a mobile flashlight application, the business should not collect geolocation information without explicit consumer consent, as this purpose is not necessary or proportionate to, or compatible with, providing flashlight services. 11 CCR § 7002(a).
  • Additional notice for new categories and uses. Businesses must provide new notice at collection if additional categories of personal information are being collected or information is being used for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected. 11 CCR § 7002(b). 
  • Plain, understandable disclosures. Businesses are required to make communications to consumers easy to read and avoid the use of technical or legal jargon. 11 CCR § 7003(a). Communications should also be (1) readable (even on small devices), (2) written in the languages that the business uses in ordinary course and (3) accessible to consumers with disabilities. 11 CCR § 7003(b).  
  • Conspicuous website links. Businesses must ensure that conspicuous links required under the CCPA or the regulations will appear similar to other links on the website homepage. 11 CCR § 7003. And for mobile applications, a conspicuous link should be accessible within the application. 11 CCR § 7003.
  • CCPA requests and consumer consent. Businesses must abide by the principles below when designing CCPA request and consumer consent methods. 11 CCR § 7004.
    • Easy to understand. Make the language in the methods easy to read and understand.
    • Symmetry in choice. Make it as easy for consumers to exercise a more privacy-protective option as it is for them to exercise a less privacy-protective option. For example, the process for submitting a request to opt out of sale should not have more steps than the process for opting in to the sale of information after having opted out previously. Similarly, a symmetrical choice entails giving consumers the choice between “Yes” and “No” (with similar button sizes) rather than a choice between “Yes” and “Ask me later,” or a choice between “Yes” and “No” where the “Yes” button is more prominent.  
    • Confusing language or elements. Avoid language or elements that are confusing, such as the use of double negatives or confusing toggle buttons.
    • Manipulative language. Avoid using manipulative language or choice architecture. The Draft Regulations discourage phrasing choices in a way that shames consumers or bundling choices in such a way that the option to consent to using personal information for reasonably expected purposes also includes consent to using information for incompatible purposes.
    • Easy to execute. Ensure that the CCPA request process has no unnecessary burden or friction. 
  • Dark patterns. A business’s failure to comply with any of the requirements listed above relating to CCPA requests and consumer consent (or as otherwise outlined in Section 7004(a) of the Draft Regulations) may be considered a dark pattern, and any agreement obtained through the use of a dark pattern shall not constitute consumer consent. A user interface may otherwise be considered to create a dark pattern if the interface has the effect of substantially subverting or impairing user autonomy, decision making or choice regardless of a business’s intent. 11 CCR §§ 7004(b)(c). 
Article 2: Required Disclosures to Consumers

In Article 2, the Draft Regulations require businesses to provide updated disclosures to consumers. Below are key highlights from Article 2 that businesses must now follow:

  • Control vs. collect. In general, the provisions now extend to businesses that control consumers’ personal information rather than businesses that collect personal information. 
  • Opt-out notice for sharing. A business’s opt-out notice must cover both the sale and sharing of personal data or the alternative opt-out link (described below). This is consistent with the text of the CPRA. 
  • Updates to the privacy policy. The Draft Regulations also include a number of modifications to businesses’ privacy policies. Most notable in the privacy policy update, the policy must indicate whether businesses use or disclose sensitive information for purposes other than those specified in Section 7027, subsection (l) (see Article 3 below). Additionally, businesses will need to update the consumer rights section in their privacy policy to reflect:
    • Right to delete. Consumers have a right to delete rather than the right to request deletion, which was inherent in the previous privacy policy. 
    • Right to correct. Like in the CPRA, consumers now have a right to rectify or correct inaccurate personal information that a business maintains about a consumer.
    • Right to opt out. The right of consumers to opt out of the sale of their personal information by the business now also reflects a right to opt out of sharing.
    • Right to limit. If the business uses or discloses sensitive personal information for reasons other than those permitted under the law, the consumer has the right to  limit the use or disclosure of sensitive personal information by the business.
    • Right to nondiscrimination. The right to nondiscrimination is now explicit and includes the right not to be retaliated against for the exercise of their CCPA rights and includes employees, applicants and independent contractors.
  • New notice at collection for third parties. The Draft Regulations include a new notice for third parties that “control the collection” of personal information. When a first party (such as a website) allows a third party (such as a website analytics provider) to collect personal information from consumers, the website will need to provide notice and identify the web analytics provider as an entity that collects consumers’ personal information. Additionally, the web analytics provider will also need to provide a notice at collection if it is a third party in relation to the information and “controls” the personal information being collected. 
  • The right to limit the use of sensitive data. The Draft Regulations operationalize the CPRA’s right to limit the use of sensitive personal information. 
    • Businesses will be required to include a link to immediately effectuate the consumer’s right to limit the collection of sensitive information. In the notice, businesses shall include a description of the consumer’s right to limit, as well as instructions on how the consumer can submit a request to limit, the collection of sensitive information. 
    • The notice must be provided in the same manner in which the business collects the sensitive information. A business that uses or discloses sensitive personal information that it collects in augmented or virtual reality, such as through gaming devices or mobile applications, will need to provide notice in a manner that ensures the consumer will encounter the notice while in the augmented or virtual reality environment. Similarly, a business that sells or shares personal information that it collects through a connected device (e.g., smart television or smart watch) will be required to provide notice in a manner that ensures the consumer will encounter the notice while using such a connected device.
    • Businesses will also need to include the description of the right to limit and instructions on how a consumer can submit such a request.
  • Alternative opt-out link. The Draft Regulations include a new option for an alternative opt-out link. Under this option, businesses can provide consumers a single link that includes both “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links. The alternative opt-out link shall direct the consumer to a webpage that informs them of both their right to opt out of sale/sharing and their right to limit sale/sharing, and provide them with the opportunity to exercise both rights.
Article 3: Business Practices for Handling Consumer Requests

In addition to revising existing language regarding the methods for submitting requests and timelines for deleting requests, the Draft Regulations also impose additional requirements on businesses. Among other things, the Draft Regulations now include a right to correction in addition to the right to deletion and the right to know, and provide substantial details on opt-out preference signals. Key compliance burdens for companies include ensuring there is a proper oversight mechanism for consumer requests that tracks, among other things, when notification must be given to service providers and third parties of a consumer request and also ensures that there are adequate opt-out preference mechanisms (e.g., a cookie banner by itself is insufficient). Some notable requirements are identified below: 

  • Requests to delete. In addition to requiring that a business permanently erases a user’s information, the Draft Regulations include additional language that creates new obligations for businesses with respect to notifying service providers and contractors of the consumer’s deletion request. For example, a business must notify all third parties to whom the business has sold or with whom it has shared the personal information of the requestor unless it would be impossible to do so or would require a disproportionate effort—the latter of which must be explained in sufficient written detail to the consumer. The Draft Regulations also create a framework for service provider compliance with consumer requests to delete. Though there are instances where a business may refuse a consumer request to delete, the business still has certain obligations to the consumer. For example, when a business refuses a request to delete in reliance on an exception to the CCPA, the business must notify its service providers and contractors that they must delete any consumer personal information that is not subject to the exception and that they may not use that consumer’s information for any purpose other than the applicable exception. 
  • Requests to correct. The Draft Regulations add a new section on how to handle a consumer’s request to correct information. 
    • Denying requests to correct. There are several instances in which a business may deny the request to correct. For example, a business may deny requests to correct if it is unable to verify the requestor’s identity, though it must provide the consumer with notice. If a business denies a request to correct, the business must, among other things, explain the basis for the denial, including any conflict with federal or state law, exception to the CCPA, inadequacy in the required documentation, or contention that compliance proves impossible or involves disproportionate effect. 
    • Accuracy of personal information. In evaluating whether personal information is accurate, businesses must consider the totality of the circumstances including the nature of the information, how it was obtained and documentation relating to the accuracy of the information (which also must meet certain requirements outlined in the Draft Regulations). 
    • Methods of compliance. While businesses may comply with a consumer’s request to correct by correcting the information and ensuring that the information it (and its service providers and contractors) holds remains correct, a business may also choose to delete the information if such deletion does not negatively impact the consumer or the consumer consents to the deletion. 
    • Consumer health information. When a request to correct personal information concerns a consumer’s health, the business must inform the consumer that he or she may provide a written statement to the business to be made part of the consumer’s record and that such statement will be made available to any person to whom the business discloses or sells, or with whom it shares, the personal information that is the subject of the request to correct.
  • Opt-out preference signals. The Draft Regulations note that the purpose of an opt-out preference signal is to provide consumers with a simple method by which consumers can automatically exercise their right to opt out of sale/sharing and specify that businesses shall process any opt-out preference signal that meets certain requirements.
    • Detection of a valid opt-out preference signal. When a business detects a valid opt-out preference signal, the business must treat it as a valid request to opt out of sale/sharing and shall not require a consumer to provide additional information. 
    • Conflicts. The Draft Regulations also provide for notice to a consumer in the event that the opt-out preference signal conflicts with a consumer’s business-specific privacy setting or participation in a business’s financial incentive program. 
    • Frictionless processing. Except as allowed by the regulations, businesses may not charge a fee or require any other consideration for an opt-out, change the consumer experience in response to the opt-out, or display a notification, pop-up, text, graphic, animation, sound, video or any interstitial content in response to the opt-out preference signal (frictionless processing). 
    • Links. A business does not have to post an alternate “Do Not Sell or Share My Personal Information” link or an alternate opt-out link if it processes the opt-out preference signal in a frictionless manner in accordance with the CCPA, includes certain specified information in its privacy policy, and allows the opt-out preference signal to fully effectuate the consumer’s request to opt out of sale/sharing. 
  • Requests to opt-out of sale/sharing. This section of Draft Regulations includes several additions and deletions. Most notably, the regulations state that a notification or tool regarding cookies (i.e., a cookie banner or cookie controls) is not by itself an acceptable method for submitting requests to opt out of sale/sharing. 
  • Requests to limit use and disclosure of personal information. The Draft Regulations add a new section aimed at providing consumers with the ability to limit the use of sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected. Businesses using or disclosing personal information must provide two or more designated methods, in accordance with certain parameters, for submitting requests to limit. At least one of the methods must reflect the manner in which the business primarily interacts with the consumer. Most notably, businesses are permitted to use or disclose sensitive personal information without being required to offer consumers a right to limit in the following instances: 
    • to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services; 
    • to detect security incidents that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal information, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose; 
    • to resist malicious, deceptive, fraudulent or illegal actions directed at the business and to prosecute those responsible for those actions, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose; 
    • to ensure the physical safety of natural persons, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose; 
    • for short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business; 
    • to perform services on behalf of the business; or 
    • to verify or maintain the quality or safety of a service or device that is owned, manufactured or controlled by, or manufactured for, the business, and to improve, upgrade or enhance the service or device that is owned, manufactured or controlled by, or manufactured for, the business. 
Article 4: Service Providers, Contractors and Third Parties

The CPRA requires certain contractual provisions between all entities to which a business discloses personal information, including service providers, contractors and third parties. Article 4 of the Draft Regulations outlines these specific requirements. While not identical to data processing agreement requirements under the EU General Data Protection Regulation, Article 28, the articulation of specific terms to be entered into between parties engaging in the sharing or sale of data mirrors the more prescriptive European approach. This section also outlines a third party’s duties to comply with the CPRA with regard to any information it receives from a business pursuant to the law. 

In addition to these contracting requirements, Article 4 of the Draft Regulations clarifies that a person who contracts with a business to provide cross-contextual behavioral advertising is a third party in relation to the business and not a service provider or contractor. This is an important clarification because all businesses that engage in cross-contextual behavioral advertising will be required to provide consumers with the ability to opt out of the sale or sharing of their information. 

  • Contract requirements. 
    • Article 4 sets forth robust requirements for service provider and contractor contracts. The enumerated requirements amount to terms that must be included in such written agreements and functionally extends such requirements to written agreements with subcontractors for service providers and contractors. This section also explicitly states that a person who does not have a contract that complies with these requirements is not a service provider or a contractor—requiring a compliant agreement to define roles under the CPRA. 11 CCR § 7051(c).
    • Article 4 also sets out contract requirements between businesses and third parties to which a business sells or with which it shares consumer personal information. Such contract requirements include specifying the purposes for which the personal information is sold or disclosed and a requirement that a third party must check for and comply with consumer opt-out preferences unless informed of the consent for sale. 11 CCR § 7053. 
  • Third-party duties. Article 4 outlines third-party obligations, including the requirement that third parties honor and comply with consumer requests for deletion, opt-out of sale/sharing, and limitation. 11 CCR § 7052.
  • Specifics regarding cross-contextual behavioral advertising. A service provider or contractor cannot contract with a business to provide cross-contextual behavioral advertising. In other words, a service provider or a contractor cannot combine personal information (where a consumer has opted out of sale) it has collected as a result of its work for the business with personal information received from another person or through its interactions with its customers. Only a third party may contract with a business to provide such cross-contextual behavior advertising. 11 CCR § 7050(c).
Article 5: Verification of Requests

Article 5 establishes rules regarding consumer verification. The CCPA regulations require that businesses establish, document and comply with a reasonable method for verifying that the consumer making a request to delete is the consumer about whom the business has personal information. The Draft Regulations extend this requirement to consumers exercising a request to correct and a request to know. 11 CCR § 7060(a). The Draft Regulations also add that when responding to a request to opt out of sale/sharing or a request to limit, businesses can request information from consumers so long as this request is not burdensome, but businesses should not require consumers to verify their identity. 11 CCR § 7060(b). And for requests to correct, businesses should try to verify consumers based on personal information that is not the subject of the request to correct. 11 CCR § 7060(h).

But generally, the Draft Regulations maintain the same standards outlined in the CCPA regulations for verification requests. Businesses should, where possible, match the identifying information provided by the consumer to the personal information maintained by the business, or use a third-party identity verification service, and avoid collecting certain sensitive consumer information. Like the CCPA regulations, the Draft Regulations also distinguish between verification requests from password-protected accounts and requests that come from non-account holders, leaving the guidance largely intact. 

Article 6: Special Rules Regarding Consumers Under Age 16

The CCPA regulations created requirements for businesses that sell the personal information of children; the Draft Regulations extend these requirements to businesses that also “share” the personal information of children (i.e., for cross-contextual behavioral advertising purposes). But generally, the Draft Regulations maintain the same requirements as the previous CCPA regulations. Businesses that know they sell or share the personal information of children younger than age 13 should establish, document and comply with a reasonable method for determining that the person consenting to the sale or sharing of the personal information about the child is his or her parent or guardian. 11 CCR § 7070(a)(1). And businesses that know they sell or share the personal information of children between ages 13 and 16 should establish, document and comply with a reasonable process for allowing such consumers to opt in to the sale or sharing of their personal information. 11 CCR § 7071(a). 

Article 7: Nondiscrimination

Article 7 is lightly amended in the Draft Regulations compared with the previous CCPA regulations. In Article 7, the CPPA omits the use of “financial incentive” to describe discrimination based on financial incentives. Instead, the CPPA defines that “[a] price or service difference is non-discriminatory if it is reasonably related to the value of the consumer’s data.”

Article 8: Training and Record-Keeping

Article 8 modifies the record-keeping regulations for businesses that sell, share or otherwise make available for commercial purposes the personal information of 10 million or more consumers in a calendar year. Such businesses will be required to now keep records of:

  • the number of requests to correct that the business received, complied with in whole or in part, and denied; 
  • the number of requests to limit that the business received, complied with in whole or in part, and denied; and
  • the median or mean number of days within which the business responds to requests to correct, delete, know and opt out of the sharing or selling of data or opt-out limit.

The rest of the training and record-keeping requirements are otherwise identical to those of the previous CCPA regulations.

Article 9: Investigations and Enforcement 

Article 9 is completely new compared with the previous CCPA regulations. It focuses on how the newly formed CPPA conducts investigations and enforcement proceedings. Specifically, it discusses how a person can file a sworn complaint with the CPPA, as well as how the agency proceeds with investigations, conducts probable cause hearings, issues stipulated orders and audits businesses. 

  • Sworn complaints. The CPRA allows individuals and businesses to file sworn complaints against businesses they believe to be in violation of the law. The Draft Regulations outline the procedures for how a person can make such complaints, including the information they must submit to the agency. 11 CCR § 7300. 
  • CPPA investigations. The Draft Regulations clarify that the CPPA may also commence investigations based on its own initiative. 11 CCR § 7301. 
  • Probable cause hearings. The CPRA allows the CPPA to conduct probable cause hearings when evidence supports a reasonable belief that the CPRA has been violated. 11 CCR § 7302(a). The Draft Regulations outline the procedures that the CPPA must follow to conduct these hearings. 11 CCR § 7302 et seq. 
  • Stipulated orders. The Draft Regulations permit the CPPA to enter into a stipulated order with a person who is under investigation (in lieu of an administrative hearing). 11 CCR § 7303(a). The stipulated order has the force of any other order issued by the CPPA. 11 CCR § 7303(c). 
  • CPPA audits. The Draft Regulations state that the CPPA may audit a business, service provider or contractor for compliance with the CPRA and that a subject’s failure to cooperate during the agency’s audit may result in the CPPA issuing a subpoena, seeking a warrant or otherwise exercising its powers to ensure compliance with the CPRA. 11 CCR § 7304. 

Contributors