CPPA Releases First Draft of CPRA Regulations

An overview of the CPRA Draft Regulations

The Friday before Memorial Day weekend, the new California Privacy Protection Agency (CPPA) released the Draft Proposed CPRA Regulations (the “Regs”). The CPPA notes that this 66-page document is the first of two packages of Regs, with the second, as yet unreleased package expected to cover topics including cybersecurity audits, privacy risk assessments and automated decision making. This first package is mostly a redline of the CCPA that codifies the CPRA, although portions of the Regs go beyond known CPRA provisions. For example, in its proposed regulations for “opt-out preference signals” (previously known as the ‘global privacy control’ but now commonly referred to as ‘OOPS’), the CPPA takes the position that the OOPS may override the ‘Do Not Sell My Personal Information’ option, which may create significant challenges for the adtech industry, which relies on opt-out preferences stored in cookies rather than (yet to be determined) browser ‘signals’.

Resources We Found Helpful

There is a lot to unpack with these proposed Regs, and while this blog offers analysis of some of the provisions that affect the adtech industry, there is much more that Businesses need to know. Below are a few helpful resources:

Highlights of the Regs

I. “Opt-out preference signal” (aka the ‘global privacy control’ or ‘OOPS’):

This proposed provision is a little confusing, so let me try to break it down in plain English.

Businesses must comply with “opt-out preference signals” that are defined as:

“a signal that is sent by a platform, technology, or mechanism, on behalf of the consumer, that communicates the consumer choice to opt-out of the sale and sharing of personal information and that complies with the requirements set forth in section 7025, subsection (b)”

Businesses must treat these OOPS as valid requests for the opt-out of sale/share where the signal is in a commonly used format. The Regs specifically call out that an HTTP header field, which may be configured by a browser, is an acceptable format.

Further, businesses must not require additional information from the consumer to honor the opt-out preference signal. In other words, there is no capability for websites to validate whether the OOPS is actually coming from a California resident (setting up a potential constitutionality question).

The Regs note that the absence of an opt-out preference signal does not qualify as a user’s consent to the processing of their data. Moreover, if the opt-out preference signal conflicts with the choice a consumer previously made directly with the business, the business still must honor the opt-out preference signal. However, the business may notify the consumer of the conflict, and if the consumer subsequently consents, then the business may process that consumer’s personal information.

A business should display whether or not it has processed the consumer’s OOPS. The Regs expressly approved of businesses placing the phrase “Opt-Out Preference Signal Honored” on their websites where a consumer has used the OOPS.
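The precedence rules above (signal beats a prior direct choice, absence of a signal is not consent, post-conflict consent may be honored, and the “honored” notice) are easy to get backwards in a consent manager. The following is an added example, not code from the CPPA or any vendor, that resolves a consumer’s effective opt-out state from an HTTP request. It assumes the signal arrives as the Global Privacy Control header `Sec-GPC: 1` (the browser-configured HTTP header field the Regs refer to); the stored-record shape (`directChoice`, `consentedAfterSignalNotice`) is a hypothetical placeholder for a business’s own consent store.

```javascript
// Added example: resolve sale/share opt-out status from request headers plus the
// business's stored record for this consumer. Header name assumed to be the GPC
// "Sec-GPC" header; the stored-record shape is an assumption for illustration.

function hasOptOutSignal(headers) {
  // Match the header name case-insensitively; "1" is the only opt-out value.
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return typeof value === "string" && value.trim() === "1";
    }
  }
  return false;
}

// stored: null when nothing is on file, otherwise
//   { directChoice: "allow" | "opt-out" | null, consentedAfterSignalNotice: boolean }
function resolveSaleShareStatus(headers, stored) {
  const record = stored || { directChoice: null, consentedAfterSignalNotice: false };

  if (!hasOptOutSignal(headers)) {
    // No signal: this is NOT consent. It only leaves the consumer's own prior
    // direct choice (if any) in place; with no record there is no opt-out request.
    return { optedOut: record.directChoice === "opt-out", source: "stored", notice: null };
  }

  // Signal present: a valid opt-out request; no further validation may be demanded.
  if (record.directChoice === "allow" && record.consentedAfterSignalNotice) {
    // The consumer was notified of the conflict and then explicitly consented.
    return { optedOut: false, source: "post-notice-consent", notice: null };
  }
  if (record.directChoice === "allow") {
    // Conflict with a prior direct choice: the signal wins, and the business
    // may tell the consumer about the conflict.
    return { optedOut: true, source: "signal", notice: "conflict" };
  }
  return { optedOut: true, source: "signal", notice: null };
}

// Text the Regs expressly approve for display once the signal has been processed.
function bannerText(status) {
  return status.source === "signal" ? "Opt-Out Preference Signal Honored" : "";
}

// Constructed sample: a browser sending the signal, with a prior "allow" on file.
const sample = resolveSaleShareStatus(
  { "Sec-GPC": "1", "User-Agent": "example" },
  { directChoice: "allow", consentedAfterSignalNotice: false }
);
console.log(sample, bannerText(sample));
```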

Interestingly, a business meeting the above OOPS requirements “is not required to post the ‘Do Not Sell or Share My Personal Information’ link or an alternate opt-out link if it meets the following additional requirements (and this is where it gets really convoluted, so hold tight):

(1) Processes the opt-out preference signal in a “frictionless manner” (this is a term of art that essentially means a business honors the request and doesn’t use dark patterns or attempt to validate their residency)

(2) Includes in its privacy policy the following information:

(A) A description of the consumer’s right to opt-out of the sale or sharing of their personal information by the business;

(B) A statement that the business processes opt-out preference signals in a frictionless manner;

(C) Information on how consumers can implement opt-out preference signals for the business to process in a frictionless manner; AND

(D) Instructions for any other method by which the consumer may submit a request to opt-out of sale/sharing.

(3) Allows the opt-out preference signal to fully effectuate the consumer’s request to opt-out of sale/sharing.”

However, even if the business posts the ‘Do Not Sell or Share My Personal Information’ and ‘Limit the Use of My Sensitive Personal Information’ links, the business must still process opt-out preference signals.

II. Notice of Right to Opt-Out of Sale/Sharing and the ‘Do Not Sell or Share My Personal Information’ Link:

The draft Regs state that “the purpose of the notice of right to opt-out of sale/sharing is to inform consumers of their right to direct a business that sells or shares their personal information to stop selling or sharing their personal information and to provide them with the opportunity to exercise that right… Accordingly, clicking the business’s ‘Do Not Sell or Share My Personal Information’ link will either have the immediate effect of opting the consumer out of the sale or sharing of personal information or lead the consumer to a webpage where the consumer can learn about and make that choice.”

III. Service Providers cannot engage in cross-context behavioral advertising:

Where the adtech industry has been using the Service Provider designation as a safe harbor from the requirements of the CCPA’s ‘Do Not Sell’ provisions, these Regs explicitly state that Service Providers cannot engage in cross-context behavioral advertising, thus any disclosure for such a purpose will constitute a sale or a share. This has huge implications for the adtech ecosystem where many companies designated as a ‘Service Provider’ in a contract can freely share consumers’ personal information for targeted advertising with little regulation. If I were a gambler, I’d bet the CPPA receives a ton of comments on this provision.

IV. Requests to Limit Use and Disclosure of Sensitive Personal Information:

This provision doesn’t stray from what we expected. However, it does require that a business that receives such a request forward it to service providers, contractors, and third parties to comply with and further forward where applicable.

V. Restrictions on the Collection and Use of Personal Information:

The draft Regs require that “a business’s collection, use, retention, and/or sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed. To be reasonably necessary and proportionate, the business’s collection, use, retention, and/or sharing must be consistent with what an average consumer would expect when the personal information was collected… A business shall obtain the consumer’s explicit consent in accordance with section 7004 before collecting, using, retaining, and/or sharing the consumer’s personal information for any purpose that is unrelated or incompatible with the purpose(s) for which the personal information was collected or processed.”

In a world where few consumers “expect” what most tech companies do with data, it’s unclear how this will be interpreted by tech companies. For example, where apps obtain consent for the collection, use, and sharing of personal information for advertising, notably through the iOS ATT consent, that seems entirely consistent with the regulations. Where there is no such consent, determining whether the sharing of personal information for advertising or measurement is “compatible with what is reasonably expected by the average consumer” would require a fact-specific analysis: notably, whether any just-in-time notifications other than the ATT prompt were presented at the time of data collection, whether there is alternative advertising-related consent such as through a consent management platform or in-app preferences, or perhaps whether the app is entirely or partially ad-supported through a ‘gating’ mechanism, where the ‘quid pro quo’ of data sharing for free content is well established.

VI. Notice at Collection:

Any business controlling the collection of personal information is obliged to provide a notice at collection, and this may include multiple parties. A first-party that allows another business, acting as a third party, to control the collection of personal information from a consumer shall include in its notice at collection the names of all the third parties that the first party allows to collect personal information from the consumer. Moreover, “both the first party that allows the third parties to collect personal information via its website, as well as the third party controlling the collection of personal information, shall provide a notice at collection.”

This provision seems to be directed at third-party cookies placed on a website. It could also be interpreted to include third-party APIs or SDKs embedded into an app’s code used to collect data for advertising or attribution purposes. We’ll need more guidance on this to know for sure, but it seems clear that (California) consent notices will be more lengthy and complex.

Notices at collection need to include:

  • The categories of sensitive personal information you process;
  • Retention terms for each category of personal information; and
  • The names of all the third parties (and possibly a link to each third party’s privacy policy) that the first party allows to collect personal information from the consumer.

VII. Updates to your privacy policy:

Businesses should add the following to their privacy policies:

  • The categories of sensitive personal information you process;
  • Retention terms for each category of personal information;
  • The new rights to correction, opt-out of sharing, and limit the use of sensitive information; and
  • An explanation of how to use the opt-out preference signal (above) and how the business will process the signal.

VIII. Contractual Requirements to be Deemed a Service Provider:

Without going into the specifics, the draft Regs make it much harder to be designated as a Service Provider. When drafting Service Provider contracts make sure to cross your ‘t’s and dot your ‘i’s on this one. Otherwise, you’ll be determined to be a third party business and any disclosure of personal information will be considered a sale or a share, etc.

Timeline

The CPRA mandated that final Regs be adopted by July 1, 2022 (6 months after they go into effect). However, it is not feasible that they will be adopted by the July 1 deadline, especially considering a second package has yet to be released.

We initially expected the CPPA board to vote for the rulemaking process to begin at the June 8 CPPA Board Meeting and subsequently file the Notice of Proposed Action (NOPA), which ended up not happening for whatever reason. According to CPPA Executive Director Ashkan Soltani and Acting General Counsel to the CPPA Brian Soublet, who spoke at a California Lawyers Association webinar on the CPRA Rulemaking on June 30, 2022, the CPPA has filed the NOPA with the California Office of Administrative Law (OAL), and the OAL will publish the Regs on July 8th, 2022. After the OAL publishes the Regs, the comment period will begin. The comment period must last at least 45 days. At the same event, Soltani and Soublet stated the CPPA will extend the comment period 2 additional days in order to hold public hearings on the Regs. After the comment period ends, the CPPA may open a second comment period to address specific points of the Regs; if so, that comment period must last at least 15 days.

Once the Regs are final, the CPPA will prepare the final package, including the Final Statement of Reasons and responses to all public comments; put plainly, the CPPA will respond to each comment. Next, the CPPA will approve the filing of the final package with the OAL, which must approve the Regs. Only after this will they be filed with the Secretary of State with a published effective date.

Realistically, the Regs won't be finalized until fall/winter 2022 (giving little time to implement them before they go into effect on January 1, 2023). However, at the June 8th CPPA board meeting, two board members expressed a desire to delay the enforcement of CPRA. At this point, the timeline is very much in the air.