California Privacy Protection Agency published the first set of regulations interpreting CPRA

The Consumer Privacy Rights Act (“CPRA”) amended the California Consumer Privacy Act of 2018 (“CCPA”). The CPRA also created the California Privacy Protection Agency (“Agency”) to implement and enforce laws for the CCPA. As part of the Agency’s rulemaking authority, the Agency published its first set of regulations, which, among other things, update previous regulations to conform with the amendments to the CCPA through the CPRA.

The regulations have not changed much from prior versions of the Agency’s drafts, but they finally provide businesses with official guidance on complying with the latest amendments. Below are a few of the most noteworthy regulations to assist businesses with compliance with the CPRA.

Privacy notice

The CPRA requires businesses to provide disclosure notices at the point of collection, which must disclose all purposes for which the data is collected and to whom it will be disclosed, and to obtain consent for that collection and disclosure. The CPRA regulations provide a framework for regulating how businesses can use personal information. This new framework is motivated by an intent to promote “data minimization” in handling personal information by adding new limits on what information can be retained. First, the CPRA regulations require that the collection, use, retention, and sharing of a consumer’s personal information be “reasonably necessary and proportionate” to achieve the original purpose for which the information was collected or processed, or another disclosed purpose that is compatible with the context in which the information was earlier collected.

Further limiting this standard, the CPRA regulations require that “the purpose(s) for which the personal information was collected or processed shall be consistent with the reasonable expectations of the consumer.” The CPRA elaborates that the consumer’s reasonable expectations are based on:

  • The relationship between the consumer(s) and the business. For example, the customer of a car dealership would not expect the business to collect their geolocation data to process their purchase of a vehicle, but may expect the dealership to collect their name, address, date of birth, social security number, driver’s license number, email address, etc.;
  • The type, nature, and amount of personal information that the business seeks to collect or process. For example, if a business collects a consumer’s fingerprint in order to unlock a mobile device, the consumer likely expects the business’s use of the fingerprint is only for unlocking the device;
  • The source of the personal information and the business’s method for collecting or processing it;
  • The specificity, explicitness, prominence, and clarity of disclosures to the consumer(s) about the purpose for collecting their personal information; and
  • The degree to which the involvement of service providers, contractors, third parties or other entities in the collecting or processing of personal information is apparent to the consumer(s).

Additionally, the CPRA regulations further require that a business not retain personal information longer than reasonably necessary to achieve the purpose for which it was requested. Thus, businesses will need to review their data collection and sharing policies against this new framework and possibly update their processes and policies.

Consumer requests and consent

New Guidance for User Interfaces for Consents, Data Subject Requests, and Prohibitions of Dark Patterns.

The CPRA regulations provide guidance regarding how a business can obtain consent for the collection and use of personal information. They state that use of certain “dark patterns” in user interface designs may invalidate consent obtained from them. Dark patterns are user interface designs that attempt to mislead, coerce or pressure users into taking certain actions, such as providing consent or giving up their privacy rights. The regulations define a dark pattern as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.” The regulations further state that use of dark patterns invalidates consent.

In addition to providing extensive guidance on what are and are not dark patterns, with consumers in mind, the regulations mandate that user interfaces:

  • Provide clear and easy-to-understand information about the choices available to customers and the consequences of those choices;
  • Use symmetry and equal prominence in providing choice (i.e. the choice to opt out shouldn’t take longer or be more difficult than opting in);
  • Use plain language that is appropriate for the intended audience and avoid technical or legal jargon;
  • Use architecture/design that does not impair or interfere with a consumer’s ability to exercise a choice. For example, it would not be compliant to provide a pre-selected choice that favors the business over the consumer, to use deceptive or misleading language, colors, images, sounds or other elements that could negatively influence a consumer’s choice, or to use negative or discouraging messages on declining options or implying that consumers will lose access to services or benefits if they exercise their rights; and
  • Provide consumers with a simple, straightforward way to withdraw consent or change their preferences at any time and provide options that are easy to execute. For example, it would not be compliant to require the consumer to click through multiple screens to opt out.

Failure to abide by these guidelines constitutes a “dark pattern” that cannot be used to provide legally adequate consent.

Further, the regulations provide additional guidance for opt-out links on business webpages. If a business sells or shares personal information, they must post a “Do Not Sell or Share My Personal Information” link. If a business discloses sensitive personal information, outside of permitted purposes in Section 7027(m) of the Regulations, then the business must post a “Limit the Use of My Sensitive Personal Information” link. If a business must post both links, the business may elect to use one alternative link instead which states “Your Privacy Choices” or “Your California Privacy Choices” with the following logo adjacent:

The links must be conspicuous in either the header or footer of the business’s internet homepage.

Processing opt-out signals

The CPRA also introduces a new opt-out framework. A global opt-out signal or opt-out preference signal is a signal sent by a platform, technology, or mechanism, on behalf of the consumer, that communicates the consumer’s choice to opt out of the sale and sharing of personal information. The regulations now mandate businesses to update their software to respond to opt-out signals. Specifically, if a business sells or shares personal information, the business must treat the opt-out signal as a consumer opting out of the sale and sharing of their personal data.

The CPRA expands the definition of “sale” to include “sharing” of personal information for cross-contextual behavioral advertising, which is targeted advertising based on a consumer’s activity across different websites, applications, or services. The CPRA requires businesses that sell or share personal information to provide consumers with a clear and conspicuous link titled “Do Not Sell or Share My Personal Information” on their websites or mobile applications. Consumers can click on the link to submit a request to opt out of both sales and sharing of their personal information.

The CPRA Regulations also discuss the use of privacy opt-out signals that can be sent by consumers’ browsers.

One example of an opt-out preference signal is the Global Privacy Control (GPC), which is an open standard that allows users to signal their opt-out preferences through a browser extension or setting. The GPC is recognized by the California Attorney General’s current CCPA regulations as a valid opt-out mechanism, and the CPRA Regulations will further require businesses to honor the GPC and other similar controls for both sales and sharing of personal information, as well as limiting the use of sensitive personal information. By recognizing global privacy controls as valid opt-out requests under the law, the CPRA and CPRA Regulations enhance consumer choice and convenience while reducing privacy risks.

Responding to requests to correct

The Regulations provide guidance on responding to requests to correct inaccurate information, which is a new consumer right provided by the CPRA. Businesses are given the right to deny requests if they determine the information is more likely accurate than not based on the “totality of circumstances”. If a business determines that it will deny a request to correct, the business must explain its rationale to the consumer. If the information is corrected, the business must also instruct its service providers and contractors to make the necessary corrections.

Obligations with third parties

For purposes of compliance with the CCPA, it is important to know whether a business is sharing information with a “third party” as opposed to a service provider or contractor. This is particularly important because a business sharing information with a “third party” can trigger the requirement for consumer notice (See Cal. Civ. Code § 1798.110(a)(4)). However, the CCPA specifically excludes “service providers” and “contractors” from being classified as third parties.

A name alone or an internal classification is not enough to classify a third party as a service provider or contractor under the CCPA. The CCPA mandates that businesses must have a written contract with service providers, and it is arguable that the lack of one can forfeit the advantages of being classified as a service provider. The regulations provide further insight regarding the contents of the contract.

Businesses should take note that the regulations emphasize that third party contracts should contain specific terms that avoid generic language. Specifically, the Agency is looking for contracts that identify the limited and specified purpose for making personal information available. This means that a boilerplate contract for all vendors would be disfavored under the CCPA.

Further, businesses must forward consumer requests under the CCPA to any third party to whom the business has sold or with whom it has shared private information, unless doing so is “impossible or would involve disproportionate effort.” Service providers and contractors are also obligated to honor requests to delete and continue passing down the request to any service provider, contractor or third party that received the information from them as well.

Next steps

This is only the first set of regulations. The Agency is already working on its second set of regulations, which will seek to address cybersecurity audits, risk assessments and automated decision-making.

The full text of the CPRA regulations is available on the CCPA website. If your business falls within the definition of a covered business under the CCPA, you should contact a qualified attorney or privacy professional to develop a compliance plan.

The CPRA and the CPRA Regulations will have a significant impact on the data privacy landscape in California and beyond. Businesses that collect, use, retain, or share personal information for advertising purposes will need to comply with new and enhanced consumer rights and business obligations under the law. Businesses will also need to monitor future rulemaking by the CPPA for new rule proposals.

If your business is involved in behavioral advertising activities, its leadership should start preparing for compliance with the CPRA and its proposed final regulations as soon as possible.

In preparation for the new CPRA Regulations, companies should:

  • Evaluate their data collection policies and procedures.
  • Update their privacy notices.
  • Implement mechanisms for honoring consumer requests.
  • Ensure contractual safeguards with service providers, contractors and third parties.
  • Adopt data minimization policies and data retention principles.
  • Conduct data protection impact assessments.

Covered businesses under the CCPA must ensure they are compliant, as enforcement for the CPRA will begin on July 1, 2023. With the development of privacy laws, it is important to stay ahead of the curve. Scali Rasmussen assists clients in identifying, managing, and mitigating data privacy and cybersecurity risks, from early planning and assessment to managing incident response and resulting litigation.