First Round of California Privacy Rights Act Regulations Go Into Effect, March 31, 2023
By Aaron Charfoos, Jacqueline W. Cooney, & Jeremy Berkowitz
On March 30, 2023, the California Office of Administrative Law (OAL) formally approved regulations that will govern the applicability and enforcement of the California Privacy Rights Act (CPRA). The California Privacy Protection Agency (CPPA), responsible for overseeing and enforcing the CPRA, developed these regulations through a series of meetings and rulemakings during the past nine months.
California Governor Gavin Newsom signed the California Consumer Privacy Act (CCPA) into law in 2018. It was the first comprehensive statewide privacy law in the United States to govern the collection and processing of California residents’ personal data. The CCPA’s framework, including its principles and the rights granted to California residents, was modeled after comprehensive privacy laws outside the United States, most notably the European Union’s General Data Protection Regulation (GDPR). California voters agreed in a November 2020 referendum to pass the CPRA, which built upon the CCPA’s scope. Key updates provided by the CPRA included: 1) a new definition of “sensitive data,” 2) expanded individual rights to both correct personal data and limit the use of sensitive data, and 3) establishment of the CPPA to enforce the law, rather than the state Attorney General’s Office.
The CPRA went into effect on January 1, 2023, and the CPPA was tasked with implementing regulations that would further supplement the requirements of the CPRA.
The regulations are largely focused on providing clarity around how the CPRA will be enforced. Some highlights include:
Dark Patterns
The regulations prevent businesses from attempting to manipulate individuals into sharing their personal data through the use of “dark patterns.” Businesses should design their websites so that the provision of individual consent and the exercise of data subject rights are 1) “easy to read”; 2) “symmetrical”; 3) accessible to all individuals, including those with disabilities; and 4) not meant to manipulate individuals. The regulations are clear that if a business is aware of a dark pattern but chooses not to remedy it, the business is liable for a violation of the law, regardless of whether it intended to trick individuals into sharing more personal data. The regulations provide examples of dark patterns, including 1) the “bundling” of choices; 2) requiring individuals to click through multiple screens to confirm choices regarding data use, so-called “circular links;” and 3) any other methods that could add “unnecessary burden or friction” to making a choice.
Opt-Out Preference Signals
The CPPA recognizes the growing number of individuals choosing to opt out of sharing their personal data through browser settings or plug-ins (e.g., Global Privacy Control). The regulations require that any detected preference signal of this kind must be treated as a valid request by the individual to opt out of the sharing of their data. Such signals must be in a format that is regularly recognized (e.g., an HTTP header). The regulations also allow businesses to inform individuals that a requested opt-out may withdraw them from financial incentive programs and then to confirm with those individuals whether they really want to take that action.
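As an added illustration (not part of the article, and not the CPPA’s own guidance) of how a web backend can honor a browser opt-out preference signal: the code below assumes the Global Privacy Control signal, which the GPC specification carries as the HTTP request header `Sec-GPC: 1`, and uses a constructed consumer record shape; the header is treated as a valid opt-out request, and a separate confirmation is flagged only where a financial incentive program is involved.

```javascript
// Added example: treating a browser opt-out preference signal as a valid
// opt-out request. Header name/value follow the GPC specification
// ("Sec-GPC: 1"); they are an assumption of this example, not from the article.
const OPT_OUT_HEADER = "sec-gpc";

// Returns true when the request carries a recognized opt-out signal.
// Header names are matched case-insensitively (Node lowercases them,
// other stacks may not); only the exact value "1" counts as a signal.
function hasOptOutSignal(headers) {
  const entry = Object.entries(headers || {}).find(
    ([name]) => name.toLowerCase() === OPT_OUT_HEADER
  );
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Applies the signal to a consumer record. The record shape is constructed
// for this example: { id, saleSharingOptOut, financialIncentive }.
// The opt-out is recorded immediately; a confirmation step is flagged only
// when the consumer is enrolled in a financial incentive program, so the
// business can inform them that opting out may withdraw them from it.
function processRequest(headers, consumer) {
  const record = { ...consumer };
  const result = {
    signalDetected: false,
    appliedOptOut: false,
    needsIncentiveConfirmation: false,
  };
  if (!hasOptOutSignal(headers)) {
    return { record, result };
  }
  result.signalDetected = true;
  if (!record.saleSharingOptOut) {
    record.saleSharingOptOut = true; // signal == valid opt-out request
    result.appliedOptOut = true;
  }
  if (record.financialIncentive) {
    result.needsIncentiveConfirmation = true;
  }
  return { record, result };
}

module.exports = { hasOptOutSignal, processRequest };
```

In a real deployment the updated record would be persisted and the opt-out decision logged, so that the business can later demonstrate the signal was honored.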
Limit Use of Sensitive Data
The regulations provide guidance for businesses on how to offer individuals the right to limit the processing of sensitive data, including how to post a link on their websites to provide individuals with that choice. The regulations also list six exemptions under which businesses are allowed to process sensitive data without having to honor limit requests, including:
- “To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services” (e.g., a customer who needs directions via an app would need to provide their geolocation);
- Preventing fraud or illegal activities;
- Investigating security incidents;
- Protecting the physical safety of individuals;
- “Short-term transient use” including, but not limited to, “non-personalized advertising shown as part of a consumer’s current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about the consumer;” and
- Engaging in activities necessary for the business to operate.
The regulations update the original CCPA regulations around notices, requiring disclosure of sensitive data processing and offering the right to opt out of the selling/sharing of personal data to third parties. They also provide language around the right to limit the use of sensitive data.
The regulations add definitions for a variety of new terms to reflect CPRA updates, including “right to limit” and “right to correct.” The term “disproportionate effort” is also added in the context of allowing businesses to refuse individual requests where they could have “material impacts” on both parties.
The regulations provide guidance to the CPPA on how to conduct investigations and hearings, and issue actions against businesses. They also discuss how individuals can file complaints with the CPPA.
While the CPRA went into effect on January 1, 2023, and included a 12-month lookback window, enforcement actions, including those for compliance with these new regulations, will not begin until July 1, 2023. The CPPA has acknowledged in these regulations and in several public statements that early enforcement efforts will factor in the shortened period of time businesses may have had to ensure compliance with the new regulations.
What Companies Should Do Now
- Review websites and take steps to align them with the regulations. This includes ensuring that consent and rights request portals 1) are easy to understand, 2) provide the opportunity for individuals to offer unambiguous and informed choices regarding the processing of their data, and 3) are accessible to all individuals;
- Review protocols for processing opt-out requests to ensure that websites can process such requests coming from browser signals or plug-ins; and
- Review and update notices to account for new regulations and definitions.
Our Data Privacy and Cybersecurity practice regularly advises companies on how to meet the requirements of new laws and regulations like these. If you have any questions concerning this law or any other data privacy or cybersecurity laws, please do not hesitate to contact any member of our team.