California Privacy Protection Agency Invites Comments on Expansive Proposed Rules
The California Privacy Protection Agency (Agency) has commenced formal proceedings on its proposed regulations (Proposed Regulations) implementing amendments to the California Consumer Privacy Act (CCPA) that became law in 2020 through the ballot initiative entitled the California Privacy Rights Act (CPRA). The formal rulemaking process includes a 45-day public comment period during which stakeholders and invested parties are encouraged to submit written comments on the Proposed Regulations. The deadline to submit comments is August 23, 2022.
Immediately following the close of the comment period, the Agency will hold a two-day public hearing that will be conducted in Oakland, California and accessible from elsewhere via Zoom video and telephone conference. Members of the public who wish to speak at the hearing must register in advance through the Agency’s website. Given the breadth of the Proposed Regulations and the aggressive approach of the Agency in its interpretation of the CPRA, written comments and hearing statements could be particularly important.
The CPRA ballot initiative was designed to broaden and strengthen the privacy protections of the CCPA, which has been in effect since January 2021. The CPRA amendments will be effective in full as of January 1, 2023, and the Agency is charged with promulgating regulations on 22 specific topics set forth in the CPRA. The Proposed Regulations address almost all of those topics, but the Agency has left for a later rulemaking regulations on cybersecurity audits, security risk assessments, and automated decision-making technology.
The Proposed Regulations will affect millions of companies across the United States and beyond. As amended by the CPRA, the CCPA applies to any business, regardless of place of establishment, that collects personal information about California residents (defined in the law as “consumers”) and that has gross revenues exceeding $25 million a year. In addition, the law applies to businesses that either (1) buy, sell, or share the information of 100,000 or more consumers or households; or (2) derive 50% or more of their annual revenue from selling or sharing consumers’ personal information.
Key Provisions in the Proposed Regulations
The topics covered in the Proposed Regulations include (among others):
- The purposes for which a business can collect, use, retain, and share consumer personal information consistent with consumers’ expectations.
- Procedures businesses must follow to make their privacy notices and other information required to be provided to consumers easily understandable by the average consumer.
- Requirements for businesses to facilitate consumers’ requests to access or correct their personal information, or to have it deleted.
- Requirements for businesses to facilitate a consumer’s request to opt-out of sale/sharing of personal information or to limit the use or disclosure of “sensitive” personal information, including specifications for the design and functionality of an opt-out preference signal and how businesses must respond to the signal.
- Restrictions on the use or disclosure of a consumer’s sensitive personal information.
- The business purposes for which service providers and contractors may use consumers’ personal information pursuant to a written contract with a business.
- Procedures for filing complaints with the Agency and for the Agency’s administrative enforcement of the CCPA.
- The scope and process for the exercise of the Agency’s audit authority as well as the criteria for selecting businesses that would be subject to an audit.
How the Proposed Regulations deal with all of these topics merits attention; below we focus on a select few.
Notices of Personal Information Collection by Third Parties
The Proposed Regulations place a new burden on each business to disclose in its privacy notice either the names or the “business practices” of third parties collecting personal information on the business’ behalf.
Under the CCPA, every business must provide consumers with a notice, at or before the time of collecting personal information from or about the consumers, regarding, among other things, the business’ purpose for the collection, the anticipated uses and disclosures of the personal information, and, with respect to disclosures, the “third parties” to whom such disclosures may be made. “Third parties,” as defined under the CPRA, are persons who do not meet the definition of either a “service provider” or a “contractor” of the business. “Service providers” and “contractors” are only persons who have entered into contracts with the business pursuant to which personal information received from the business may be used or disclosed only for limited “business purposes.”
Currently, businesses may describe the third parties to whom disclosures are made by reference to types of entities (rather than naming specific third parties). Under the Proposed Regulations, however, if a business allows a third party to control the collection of personal information, the business must disclose the name of such third party or, alternatively, “information about the third party’s business practices.”1 The Proposed Regulations do not explain what “business practices” are relevant for this disclosure, but given that the CCPA already requires businesses to disclose categories of third parties, a disclosure of “business practices” would appear to involve something more. Whether that might entail describing the third party’s data privacy practices, or the fact that the third party has made contractual commitments to data protection, is not clear.
With respect to naming third parties who control the collection of personal information, the Agency indicates that this should not be a significant burden, because each business is already required to “enter into contracts with all third parties that it sells, shares, or discloses personal information to.”2 That statement would appear overbroad, however, given the language in the CPRA about the circumstances when a contract with a “third party” is required. Under the CPRA, “[a] business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party . . . shall enter into an agreement with the third party.”3 The Agency’s suggestion that contracts are required with all businesses to whom personal information is disclosed (which, as discussed further below, is not synonymous with “shared” under the CPRA) thus does not appear consistent with the statute.
Clarity on what the Proposed Regulations require with respect to disclosing third party “business practices” may be a worthwhile request to be made to the Agency through public comments.
Requirement for Businesses to Enter Into Contracts with Third Parties
As noted above, the Agency states in its Initial Statement of Reasons that each business is required to “enter into contracts with all third parties that it sells, shares, or discloses personal information to.”4 However, consistent with the CPRA’s above-quoted text, the Proposed Regulations, in a section titled “Contract Requirements for Third Parties,” set forth the provisions that must be included in the agreement a business must execute with any third party to which it sells, or with which it shares (rather than “discloses”), personal information. The distinction is important: Under the CPRA, “sharing” does not bear the term’s common meaning; instead, “sharing” personal information means disclosing “personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration[.]”5 “Cross-context behavioral advertising” is defined as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”6
The specific provisions that must be included in contracts with third parties to whom personal information is sold or with whom it is shared include, among others: (1) a description of the specific purposes for which the personal information is being sold or “disclosed” (note that the Proposed Regulations here refer to “disclosure” rather than “sharing”); (2) a requirement that the third party comply with “all applicable sections of the CCPA and the [Agency’s] regulations,”7 including by providing the same level of privacy protection to all personal information processed by the third party, complying with consumer opt-out requests, and implementing reasonable security measures; and (3) a grant to the business of the right to require the third party to verify its compliance with its obligations under the agreement, the CCPA, and the Agency’s regulations.
Under the Proposed Regulations, any third party that does not have a contract that complies with the prescribed content requirements “shall not collect, use, process, retain, sell, or share the personal information received from the business.”8
The Proposed Regulations also expressly provide that a service provider or contractor “cannot contract with a business to provide cross-contextual behavioral advertising.”9 While it is permissible for a service provider or contractor to contract with a business to provide advertising and marketing services, “a person who contracts with a business to provide cross-contextual behavioral advertising is a third party and not a service provider or contractor.”10
Service Providers and Contractors of Non-Profits and Government Organizations
The Agency purports to have clarified the application of the CCPA to service providers and contractors engaged by non-profits or government organizations, which are expressly excluded from the CCPA’s definition of a “business.” Under the Proposed Regulations, “[a] business that provides services to a person that is not a business, and that would otherwise meet the requirements and obligations of a service provider or contractor . . . , shall be deemed a service provider or contractor with regard to that person or organization . . . . For example, a cloud service provider that provides services to a non-profit organization and meets the requirements and obligations of a service provider under the CCPA and these regulations, i.e., has a valid service provider contract in place, etc., shall be considered a service provider even though it is providing services to a non-business.”11
In its Initial Statement of Reasons, the Agency states that this clarification is needed because the statutory definition of “service provider” and “contractor” excludes persons or entities that service non-profit and government entities. Without the changes made by the Proposed Regulations, the Agency states, “entities that process personal information for non-profits and government entities may be required to comply with consumer requests even though those non-profits and government entities . . . are not required to do so.” As the Agency observes, “[t]his unintended and undesired consequence will lead to significant disruption in the functioning of those non-profits and governmental entities and is not in furtherance of the purposes of the CCPA, which explicitly excluded non-profits and government entities from being subject to the CCPA.”12
Means for Consumers to Opt-Out of the Selling or Sharing of Personal Information
Under the CCPA, businesses that sell personal information must provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website that allows consumers to submit an opt-out request. Under the Proposed Regulations, businesses that sell or share consumer personal information must post a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their website, or use an alternative, equally effective and simple mechanism, that allows consumers to opt-out. Neither the CPRA itself nor the Proposed Regulations address whether it would be compliant for a business that “shares” personal information but never “sells” such information (or sells but never shares), to provide an opt-out that refers only to “sharing” (or only to “selling”). For such a business, having to display to consumers a “Do Not Sell or Share My Personal Information” link (or the equivalent), rather than just a “Do Not Sell” or “Do Not Share” link would seem awkward if not misleading to consumers.
Consumers may also submit opt-out requests through a user-enabled global privacy control, which is a mechanism that allows consumers to signal their privacy preferences to multiple businesses at a time, rather than having to individually reach out to each one. The Proposed Regulations clarify that businesses must treat such opt-out preference signals as valid, subject to certain requirements. Specifically, businesses must process any opt-out preference signal as valid if (1) the signal is in a “format commonly used and recognized by businesses,” such as an HTTP header field, and (2) the platform, technology or mechanism that sends the opt-out signal makes clear to the consumer in its configuration or disclosures that the “use of the signal is meant to have the effect of opting the consumer out of the sale and sharing of their personal information.”13 The configuration and disclosures do not need to be specific to California or refer to California.
Mechanisms for Consumers to Limit the Use of Sensitive Personal Information
The Proposed Regulations also clarify the mechanisms through which consumers may limit the use of their “sensitive personal information”—a term introduced by CPRA as a subcategory of personal information.14 The Proposed Regulations establish the concept of a “Limit the Use of My Sensitive Personal Information” link, which operates in a similar manner to the “Do Not Sell or Share My Personal Information” link discussed above. Under the Proposed Regulations, businesses that use or disclose sensitive personal information, subject to certain exceptions, such as using sensitive personal information to detect security incidents or to perform services on behalf of the business, must provide two or more methods for submitting requests to limit. At minimum, however, businesses that collect sensitive personal information online must allow consumers to submit a request to limit through a form accessible via the “Limit the Use of My Sensitive Personal Information” link.
The Proposed Regulations also give businesses the option to provide consumers with a single link, instead of two separate links, that allows consumers to exercise both their right to opt-out of the sale or sharing of personal information and their right to limit the use of their sensitive personal information. As specified in the Proposed Regulations, single opt-out links may be titled “Your Privacy Choices” or “Your California Privacy Choices,” but must include the specific opt-out icon identified in the Proposed Regulations.
Prohibition on Identity Validation for Opt-Out Requests and Requests to Limit
In addition to providing consumers with the right to opt-out and limit certain uses of personal information, the CCPA gives them rights to access their personal information or to have it corrected or deleted. Upon receipt of a consumer’s request to exercise any of those rights, a business is required to verify the identity of the requesting consumer. However, under the Proposed Regulations, it is impermissible to seek to verify a consumer’s identity in responding to the consumer’s request to opt-out of the selling or sharing of personal information, as well as requests to limit the use of sensitive personal information. Businesses may ask consumers for information necessary to complete the request, such as the consumer’s name, but may not require a consumer to provide any documentation for identity verification. This will facilitate consumers opting out of the sale and “sharing” of their information and limiting the use of their sensitive personal information. According to the Agency, the potential harm to consumers from non-verified requests is minimal and “requiring verification requests … unnecessarily impedes consumers exercising their rights.”15
Consumer Requests and Consents: Prohibition on “Dark Patterns”
The CPRA gives the Agency authority to include in its regulations provisions designed to facilitate consumers’ exercise of their CCPA rights, and amended the CCPA to include a new definition of consumer “consent.” In drafting the Proposed Regulations, the Agency picked up on the statement in the CPRA “consent” definition that an agreement obtained through the use of dark patterns does not constitute consent, and included in the Proposed Regulations restrictions on “dark patterns.” The Proposed Regulations define “dark patterns” as an “interface [that] has the effect of substantially subverting or impairing user autonomy, decision making, or choice, regardless of a business’s intent.”16 Under the Proposed Regulations, to avoid dark patterns, a business must design a user interface to (1) be easy to understand, (2) provide symmetry in choice, (3) avoid language or interactive elements that are confusing to the consumer, (4) avoid manipulative language or choice architecture, and (5) be easy to execute. The Proposed Regulations caution that any method for submitting CCPA requests and obtaining consumer consent that does not comply with CCPA requirements may constitute a dark pattern.
California is not alone in its increased scrutiny of dark patterns. The Federal Trade Commission (FTC) has recently signaled that it will be paying closer attention to dark patterns, the increased use of which the FTC has identified as a “particular concern” in its efforts to update its guidance document “.com Disclosures—How to Make Effective Disclosures in Digital Advertising,” which provides guidance to marketers on how to make clear and conspicuous disclosures to consumers for goods and services offered on the internet. The FTC is currently seeking public comment on whether dark pattern techniques in digital advertising should be addressed in the updated guidance document.
Requirements Related to Service Providers, Contractors, and Third Parties
The Proposed Regulations include several new requirements related to service providers, contractors, and third parties, including direct obligations imposed on all three of those categories of entities, regardless of their status as “businesses” under the CPRA. The imposition of direct obligations on non-“businesses” underscores the extremely broad reach of this California statute, which initially purported to regulate only “businesses” directly.
Processing Requests to Delete Personal Information
Among other things, the Proposed Regulations impose additional burdens on businesses, service providers, contractors, and third parties regarding requests to delete. A business that receives a deletion request must now notify its service providers, contractors, and any third parties with whom the business has shared personal information of the request and instruct them to delete the personal information as well. Although businesses may forgo notifying third parties if doing so would be “impossible or involve disproportionate effort,” they must then provide the affected consumer with a detailed explanation of the basis for not notifying. And to the extent the consumer’s request may be denied based on a CCPA exception to the obligation to delete upon request, a service provider or contractor must refrain from using the information the consumer sought to have deleted for any purpose other than the purpose provided by the exception.
In addition, service providers and contractors have downstream obligations to pass on the deletion request to any of their own service providers, contractors, or third parties that may have accessed personal information from the service provider or contractor, unless the information was accessed at the direction of the business or such notification would be impossible or involve disproportionate effort. If the service provider or contractor claims that passing the deletion request on would be impossible or disproportionately burdensome, it must provide the business with a detailed explanation, which the business must relay to the consumer. According to the Agency, these additional requirements are necessary to properly effectuate a consumer’s request to delete.
Conclusions and Next Steps
One of the Agency’s goals is to provide clarity to consumers, businesses, service providers, contractors, and third parties. As indicated above, there remain areas where the Agency could helpfully provide further clarification. Given the extensive additional obligations imposed by the Proposed Regulations, businesses impacted by the CCPA should consider submitting comments on the Proposed Regulations. Not only is this the time to seek clarifications, but also to take a stand on the policy choices the Agency has made in drafting the Proposed Regulations.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
“Sensitive personal information” includes government-issued identifying information such as Social Security and passport numbers, financial information, precise geolocation, race, ethnicity, religion, union membership, contents of mail and electronic communications, genetic data, biometric and health information, and information about sex life or sexual orientation.