On October 17, 2022, the California Privacy Protection Agency (CPPA) released its much-anticipated updates to the proposed California Consumer Privacy Act (CCPA) regulations in response to the hundreds of public comments it received on the originally proposed regulations. This alert summarizes the revised regulations, which will be the subject of four days of CPPA board meetings on October 21 to 22, 2022, and again on October 28 to 29, 2022. The revisions will also likely trigger an additional comment period, and further changes are possible. We will continue to provide updates as they occur.
While some onerous provisions remain, many of the changes lessen the burden on businesses as compared to the originally proposed regulations. For example:
- Many of the previously "mandatory" technical requirements are now "permissive";
- The changes either eliminate or ease requirements to flow down rights requests (such as "Do Not Sell" requests);
- There is now clarification that the right to limit the use or disclosure of Sensitive Personal Information (SPI) only applies to SPI used to make an inference about an individual; and
- Service providers are no longer required to explicitly state in contract that they may use personal information to build or improve the quality of their services, or to prevent, investigate or detect security incidents and other malicious activity.
However, several more burdensome requirements have not changed, including:
- The Global Privacy Control remains mandatory; and
- There remain strict limitations on processing for "incompatible" purposes.
We describe the changes in more detail below.
SOME ONEROUS PROVISIONS REMAIN
Despite support in the public comments for certain changes, some of the more onerous regulatory provisions remain.
Opt-Out Preference Signal Remains Mandatory: Although many hoped that the requirement to honor Global Privacy Control (GPC) signals would be made optional, the modified regulations continue to require businesses to honor GPC signals (i.e., user-enabled online signals about a user's opt-out preferences).
Stringent "Compatible Processing" Limitations Remain: Many had also hoped that the modified regulations would ease the strict limitations on processing data for unrelated purposes. Although the CPPA did add more "factors" to provide flexibility, the regulations continue to require consent where a business would process personal information for a purpose that (i) goes beyond what a reasonable consumer would expect and (ii) has only a weak link to the purpose for which the information was originally collected. For example, a weak link exists between the consumer's reasonable expectation that personal information is collected to provide a requested cloud storage service and the use of that same information to research and develop an unrelated facial recognition service.
Contracts Required with all Data Recipients: Although often overlooked, the CPRA amendments to the CCPA would require contracts not only with contractors and service providers but also with "third-party" data recipients. The regulations now both (a) require businesses to execute contracts with third parties to whom data is sold or shared and (b) prohibit third parties from collecting, using or otherwise processing personal information absent such a contract.
MOST OTHER CHANGES LESSEN OPERATIONAL BURDENS
Most of the regulation changes will lower compliance burdens on businesses, even if the changes do not go as far as many had hoped. Key examples include:
- Section 7002 has been substantially modified to provide "factors" that businesses (and the CPPA) will use to determine whether data use by a business was "reasonably expected" by the consumer or, if not, whether a business needs to obtain consent to engage in such secondary data uses.
- Section 7012 no longer requires businesses to disclose the identity or privacy practices of third parties that directly collect information from consumers via the business's digital or physical properties.
- Sections 7014 and 7027 confirm that the right to limit SPI uses and disclosures does not apply to sensitive personal information unless the SPI is used to infer characteristics about a consumer.
- Section 7022 lessens the operational burden of providing a "detailed explanation" of why deletion requests cannot be flowed down to service providers/contractors (or why the service providers/contractors cannot comply).
- Section 7023 eliminates the requirement for businesses to flow down contested correction requests.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.