The California Privacy Protection Agency (CPPA) Board will hold its third public hearing on February 3, 2023, at 10 am PST.

The meeting will open with the Chairperson’s Update, during which CPPA Chairperson Jennifer Urban will likely address the status of the delayed California Privacy Rights Act (CPRA) regulations. Chairperson Urban is also a Clinical Professor of Law, the Director of the Samuelson Law, Technology & Public Policy Clinic, and the Co-Director of the Berkeley Center for Law and Technology at the UC Berkeley School of Law. Hopefully, we will see further guidance on the technical requirements of the CPRA and the implementation standards.

Long-awaited amendments and the possible adoption of final CPRA rules are on the agenda. The agenda includes preliminary rulemaking activity for new regulations on risk assessments, cybersecurity audits, and automated decision-making. The fact that the CPPA is undertaking other rulemaking activities may indicate that the Board hopes to adopt the final CPRA regulations at this meeting. Fingers crossed. Members of the public can join the meeting on Zoom.

Members of the public attending will be given the opportunity to comment on each agenda item before any Board action. The agenda and details on how to attend are available from the CPPA.

Readers of this blog know that we’ve been closely following the California Privacy Rights Act (CPRA) rulemaking process. California passed the law in 2020 to update the California Consumer Privacy Act of 2018 with additional consumer rights and business obligations. The CPRA also established a new government agency, the California Privacy Protection Agency (CPPA), responsible for enforcing the law and drafting regulations.

Unfortunately, writing detailed regulations while balancing the work of breaking ground on a new agency has most likely overwhelmed the CPPA. The CPRA is now effective as of the first of the year, and businesses are still working on compliance with and implementation of the proposed regulations. While much of the draft regulations is likely to remain the same, there are some technical compliance points that companies have to figure out without explicit guidance.

For example, the proposed regulations require businesses to treat “Do Not Track” browser signals as opt-out requests from the consumer. However, processing a “Do Not Track” signal differs from processing specific CPRA data requests. Typical CPRA requests include the consumer’s name and contact information, which the business can check against its records. “Do Not Track” signals only come bundled with specific technical identifiers (such as the IP address and operating system) that aren’t necessarily associated with a consumer in the business’s records. The conditions change again when the consumer is known to the business and has opted into tracking, making the technical aspects of compliance even more complicated. Companies will need to develop a strategy to address this requirement (unaided by an industry standard for responding to “Do Not Track” signals).

Faced with the January 1 deadline for CPRA compliance, the industry is now hewing as close to the EU’s General Data Protection Regulation (GDPR) controls and implementation as possible. The CPPA may continue to let the standard develop parallel to the GDPR as the path of least resistance for both businesses and regulators.

As companies hustle to follow the new California Privacy Rights Act (CPRA) regulations, they’ve hit a substantial hiccup: there aren’t any yet. The California Privacy Protection Agency (CPPA), the newly created body with administrative authority over the CPRA’s implementation, has yet to release its finalized regulations. The CPRA takes effect on January 1, 2023, and covered businesses are in the final stretch of completing their compliance programs.

The CPPA has released two draft proposals so far, and the more recent draft is in a public consultation period until November 21, 2022. To make matters even more opaque, the CPPA removed several requirements from the first draft to “simplify implementation at this time,” leaving businesses guessing as to which conditions they will eventually need to follow. Many of these proposed rules define technical requirements for websites and mobile applications, so companies will need a runway to achieve a seamless implementation. Luckily, the CPPA has signaled that it will give businesses a soft grace period before pursuing significant enforcement actions. The CPPA’s most recent draft proposal says that it may “consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.” Responsible businesses, though, should proceed as if the most recent draft regulations are the law and plan to update once the final draft is released. Otherwise, they might find themselves scrambling to push out complicated technical updates against the January 1, 2023 deadline.

Last week, the California Privacy Protection Agency (CPPA) released updated California Privacy Rights Act (CPRA) draft regulations and a summary of the changes. The regulations remain in the proposal stage and it is unclear when to expect finalized rules, although it is likely that this version will include near final requirements and prohibitions.

While most of the changes from the previous version are technical, the modified proposal also softens one of the more revolutionary requirements: universal opt-out signals. Previously, the regulations required all businesses subject to the CPRA to treat browser-based opt-out settings as the consumer’s signaled consent. They also required companies to add a dynamic icon to their websites indicating whether they had responded to the signal. Under the modified rules, businesses need to respond to browser opt-out signals only if they sell or share personal information, and they may display the status icon but are no longer required to. Instead, companies can offer consumers choices about the cookies and other tracking technology used on their website, which offers greater transparency for the consumer.

The modified rules also throw businesses a bone on a few other issues. For example, the CPPA removed some statutory privacy and security requirements for business service providers because the CPRA already requires certain provisions in service contracts. The CPPA reworked other rules to “simplify implementation at this time”; companies would still be wise to prepare for eventual compliance, but without the rush of meeting the end-of-year deadline. Some of these delayed requirements include disclosing in online privacy policies the identities of third-party data processors and controllers, and technical requirements for implementing the “Right to Limit” and financial incentive programs.

The updated rules clarify that enforcement actions against companies that employ “dark patterns,” or interfaces that steer consumers toward opting in (or not opting out), do not require showing the business’s intent. Intent is still a “factor to be considered” at the CPPA’s discretion, but offenses in this area impose strict liability on the companies using these techniques. The Board of the CPPA will meet in public sessions on October 28 and 29. The modified rules and the CPPA’s explanations of the changes are available from the Agency.

On Friday, the newly created California Privacy Protection Agency (CPPA) issued its first proposed regulations under the California Privacy Rights Act (CPRA).

The proposed rules have drawn criticism for requiring companies to treat browser-based “Do Not Track” signals as consumers asserting their opt-out rights. This rule came as a surprise to many observers because, as passed, the statute would have given companies the option to honor or ignore these signals. The draft would additionally require businesses to serve their disclosures in “eye-catching” colors, another area not explicitly prescribed by the CPRA statute.

Perhaps to balance the scales, the proposal also includes a new term of art, “disproportionate effort,” describing situations in which the burden of responding to a consumer request would “significantly outweigh” the consumer’s benefit. A business claiming this exception must give the consumer a detailed explanation that includes enough facts to provide a “meaningful understanding” as to why the business cannot honor the consumer’s request. This exception may also insulate companies from consumers who might abuse the request process. A business could likely claim “disproportionate effort,” for example, if a group of protestors coordinated to overwhelm it with requests.

It seems clear that the CPPA aims to make privacy-by-default the easiest option for California companies. Companies that collect and sell minimal personal information from consumers and respect “Do Not Track” signals will find it easy to comply with these proposed regulations. On the other hand, companies that wish to engage in data brokering would need to jump through significantly more regulatory hurdles.

The CPPA will likely address other key CPRA aspects, such as dark patterns, algorithmic decision making, and child privacy, in future proposals. The full proposal is available from the CPPA.

With the passage of the ballot initiative known as the California Privacy Rights Act (CPRA or Act) in California, we are presenting several blog articles on different topics related to this new law. Last week, we wrote about the newly added definition of sensitive information. This week we will focus on some key effective dates in the CPRA, along with what it will mean to have a separate privacy rights enforcement agency.

CPRA Effective January 1, 2023

The good news is that the CPRA’s effective date is January 1, 2023, so businesses have some time to assess and get ready for the new law while the California Consumer Privacy Act (CCPA) is still in effect and enforceable. The CPRA functions like an overlay to CCPA. Once the CPRA takes effect in 2023, it will become the privacy law of the land in California.

There is one exception to the 2023 effective date, and that is with respect to the right of access. The CPRA’s right to know or right of access applies to personal information collected by a business on or after January 1, 2022. The exemptions for employee information and business-to-business information remain in place until January 1, 2023. The CPRA also provides additional rulemaking authority, and that rulemaking may take place prior to the effective date.

Creation of the California Privacy Protection Agency

Section 24 of the CPRA creates the California Privacy Protection Agency (CPPA or Agency), established in the state government of California. The Agency is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act. Section 1798.199.10(a) states that: “[t]he Agency shall be governed by a five-member board, including the Chair. The Chair and one member of the board shall be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall each appoint one member. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.” Subsection (b) states that the initial appointments to the Agency shall be made within 90 days of the effective date of the Act.

The board will have the authority to appoint an executive director, and the Agency will have broad powers to protect “the fundamental privacy rights of natural persons with respect to the use of their personal information.” Section 1798.199.40(c). The CPRA allows individuals, businesses, customers, advocacy groups and vendors to file complaints with the Agency regarding the privacy practices of a business. The Agency will have the power to investigate complaints, to hold hearings to determine if a violation has occurred, and to issue orders to cease and desist and to pay an administrative fine of up to $2,500 for each violation, or up to $7,500 for each intentional violation and each violation involving the personal information of minor consumers. The Agency also has the power to bring a civil action in the superior court for the purpose of collecting unpaid administrative fines.

The Agency also is charged with providing guidance to both consumers and businesses regarding their rights and responsibilities under the CPRA. One final note is that Section 1798.199.100 states that the Agency “shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title.”

Effective Date: January 1, 2023 

Your Rights and Choices

The California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively the “CCPA”) provides California residents with specific rights regarding their personal information. In addition to our Privacy Policy https://www.rc.com/privacy-policy.cfm this webpage further describes your CCPA rights and explains how to exercise those

Since the California Privacy Protection Agency (CPPA) released its draft regulations pursuant to the California Privacy Rights Act (CPRA), the biggest gripe from businesses has been the website tracking opt-out requirements. Recognition of opt-out requests from consumers could potentially cost companies some significant dollars.

The CPRA amends the California Consumer Privacy Act of 2020 and goes into effect on January 1, 2023. One of the amendments included a new consumer right to opt out of cross-context behavioral advertising (i.e., the ability to request that a website not track the user across time or across websites). There are many ways in which a consumer can opt out of this sharing of data. One is to click an opt-out button or link on a specific website. Another is to download an app or use a specific browser or platform setting (such as Global Privacy Control (GPC)) that automatically emits opt-out signals for every website visited. However, if a consumer uses GPC, does not turn off the universal opt-out signal, and then visits a website where the consumer actively and knowingly participates in an opt-in rewards program, it remains unclear how a business should proceed in response to that signal.

Without more clarity under the CPRA regulations on how companies should respond at a technical level, it may be difficult to achieve full compliance with consumers’ opt-out choices. This means that the potential for a violation and subsequent liability will increase beginning in the new year.

The CPPA has not wavered on its ‘do not track’ requirement, saying that a plain reading of the CPRA indicates flexibility for site-specific opt-out links. As currently written, the draft regulations would not require businesses to add opt-out links on their websites if they in fact do process opt-out signals from external apps in a “frictionless” manner. A “frictionless” manner means that the business does not:

  1.  Charge a fee for recognizing an opt-out signal
  2.  Change the consumer experience with the product or service
  3.  Display pop-ups, notifications, graphics, etc., in response to the signal

Businesses that process external ‘do not track’ signals in a “non-frictionless” manner, meaning in a way that could change the user experience, should include opt-out links on their websites. Even the term “non-frictionless” (which essentially means “with friction”) convolutes the issue and creates confusion among companies that are trying to comply before the end of the year. We will continue to watch for updates on the final regulations and for further technical guidance on ‘do not track’ signals and consumer choice.

California law will soon require businesses to treat their employees and business partners as consumers under the California Consumer Privacy Act (CCPA). The CCPA and its successor legislation, the California Privacy Rights Act (CPRA), grant California consumers dignitary rights over their personal information collected and processed by commercial entities that do business in California. The CCPA applies to such entities that do business in California and collect California consumers’ personal data, and that have annual gross revenues over $25 million, possess the personal information of 100,000 or more consumers, or earn more than half of their yearly income from brokering data.

Employee, Job Applicant and 1099 Contractor Data

Previously, the CCPA excluded employee data; however, this exemption is set to expire on December 31, 2022. The California State Legislature defied expectations by ending the 2022 legislative session without passing an extension. While the legislature may pass a new exemption in its next legislative session, businesses subject to the CCPA should prepare to process employee CCPA requests as of January 1, 2023.

Fortunately, most businesses already have HR processes that allow employees to access and correct their personal data. Existing OSHA and EEOC record-retention requirements will also cover most employee data, meaning that it will likely be exempt from deletion requests under the CCPA (i.e., the data cannot be deleted in order to “comply with a legal obligation”). However, companies must now also allow job applicants to know, view, delete, and correct personal information, and EEOC regulations require businesses to retain applicant records for one year. Businesses must keep close track of when that obligation ends and allow applicants to delete their data as soon as that is legally permissible.

B2B Data

The CCPA also included an exemption for business-to-business (B2B) data collected from agents or representatives of other businesses. However, this exemption also is set to expire on December 31, 2022. As of January 1, 2023, California B2B contacts have the right to know, view, correct, and delete personal information. Some personal information may be exempted as necessary to “complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.” However, companies will need to think outside the box when responding to these requests. Unlike employee and general consumer data, which companies typically collect in a centralized system, B2B data might be scattered across systems tracking emails, contracts, accounts payable, and countless other business processes.

How Can You Prepare?

  • Inventory Your Employee + B2B Data: Businesses should review employee and applicant information (as well as 1099 contractors) to confirm that their privacy notice correctly describes the categories of personal information they collect and process in order to identify “sensitive personal information” subject to the new CPRA right. Businesses should pay special attention to B2B data and clearly document which categories of personal data are stored and on which systems.
  • Enter into Data Processing Agreements with Service Providers: Businesses that use third-party HR software such as Workday and ServiceNow should add data processing addendums that include specific required terms to their contracts. The CCPA requires these agreements with all service providers, including providers that process employees’ personal information.
  • B2B Portals or Websites: If your business collects B2B contact information via a portal or website, you may need to update your privacy policy and include specific provisions required under the CCPA/CPRA.

These are just basic steps. However, if you haven’t assessed whether the CCPA applies to your business, now is the time. And, after that assessment is done, it could mean implementation of a compliance program to avoid fines and penalties and private actions against your business.