The Bottom Line
- California has released a second version of draft regulations for the CPRA, a mere 10 weeks before the law is to take effect.
- This latest draft includes changes that both benefit businesses and increase the complexity of compliance.
- Given the fact that the regulations have not yet been finalized, no business can be completely CPRA compliant at this time.
California Issues Second Draft of CPRA Regulations
The California Privacy Protection Agency (CPPA) released the second version of draft regulations under the California Privacy Rights Act (CPRA) on Oct. 17. Because California was initially required to issue final regulations by July 2022, having another draft released roughly 10 weeks before CPRA takes effect on Jan. 1, 2023 creates challenges for businesses preparing for CPRA compliance. Adding further frustration, many changes in the updated draft regulations carry qualifying language stating that certain requirements were removed “to simplify implementation of these regulations at this time.” This seemingly leaves the door open to additional CPRA compliance requirements in the future.
The updated draft regulations also include new emphasis on ambiguous standards, frequently referencing the importance of the “necessary and proportionate” collection and use of personal information and “reasonable expectations of the consumer.” These ambiguous standards present challenges to entities scrambling to comply with non-finalized regulations as the deadline to do so approaches.
While there are dozens of material changes to the draft regulations and too many to outline in one alert, below we identify and explain some of the more significant changes. These are in addition to the significant issues we identified in our alert covering the first version of the draft regulations.
Updates to Restrictions on the Collection and Use of Personal Information
The updated draft regulations contain several revisions to the restrictions discussed in Section 7002(b) regarding the collection and use of personal information. The revisions focus on the purposes for which personal information is collected.
The updated draft regulations now specify that the purposes for which personal information is collected or processed shall be consistent with the reasonable expectations of the consumer, based on several factors:
- The relationship between the consumer and the business;
- The type, nature and amount of personal information collected or processed by the business;
- The source of the personal information and the business’s method for collecting or processing it;
- The specificity, explicitness and prominence of disclosures to the consumer about the purpose of collection or disclosure;
- The degree to which the involvement of service providers, contractors, third parties or other entities in the collection and processing of personal information is apparent to consumers.
This last factor may present a challenge for ad tech providers, whose “behind the scenes” operations may not be apparent to consumers.
The updated draft regulations do not define “reasonable expectations of the consumer,” and it is unclear how regulators will enforce this ambiguous standard.
Service Provider Right to Build and Improve Services
The previous draft regulations severely limited service providers’ ability to use personal information collected under contracts with businesses to improve their services.
The updated draft regulations revise Section 7050(a)(3) to clarify that service providers and contractors may use personal information collected per their contracts with businesses to build or improve the services they provide, even if such purpose is not specified in those contracts.
This change provides an important right for service providers, enabling them to leverage personal information collected to develop new, and enhance existing, products and services. This is particularly significant to the advertising ecosystem, where many service providers rely on data, including personal information, to provide products and services that benefit the entire advertising industry.
Importantly, the updated draft regulations do contain restrictions on the use of personal information to build and improve services – service providers cannot use the personal information provided by one business to provide services to another.
Changes to Third Parties’ Obligations
The updated draft regulations provide significant changes with respect to third party obligations.
- First, the updated draft regulations remove much of the confusing language previously included with respect to third party obligations, replacing it with the requirement that third parties comply with the requirements that apply to businesses under the CCPA and CPRA.
- Second, and perhaps most significantly, the updated draft regulations remove the contractual requirement that third parties check for and comply with consumer opt-out preference signals, again “to simplify implementation at this time.” The regulators thus appear to leave the door open to reinstating the requirement later. For now, if finalized, the removal of this requirement will significantly and positively affect the advertising ecosystem, because respecting opt-out preference signals presented one of the greatest compliance challenges for the many ad-tech players likely to lose their service provider status under the CPRA.
New Emphasis on Use of “Self-service” Methods
The updated draft regulations place a new emphasis on allowing self-service methods in several contexts.
- First, the updated draft regulations revise Sections 7022(b), (c) and 7024(i) to explain that service providers and contractors can use self-service methods that enable the business to delete personal information collected by service providers or contractors per their contracts with the business.
- Second, the updated draft regulations revise Section 7051(a)(10) to clarify that service providers and contractors can use self-service methods that enable the business to comply with consumer requests directly.
The emphasis on self-service methods may suggest regulators’ increased focus on respecting consumer choices, such as Global Privacy Control signals.
Removal of Requirement to Provide Notice of Right to Opt-out for Connected Devices, Augmented and Virtual Reality Devices
Section 7013(e)(C), (D) of the previous draft regulations required businesses that sell personal information collected through a connected device, such as a smart television or smart watch, to provide a notice of right to opt-out of sale in a manner that ensures the consumer will encounter the notice while using the device. The previous draft regulations contained an analogous requirement for augmented and virtual reality devices.
The updated draft regulations remove the requirement that businesses that sell such personal information provide this notice, again “to simplify implementation of these regulations at this time.”
Removal of this notice requirement may signal that California regulators need more time to fully understand the connected device and augmented and virtual reality arenas. Importantly, this revision carries the same qualifying language, signifying that regulators may reinstate or adjust the requirement at a later date.
Definition of “First Party” Revised
The updated draft regulations revise the definition of “first party” to clarify that it is possible to have more than one consumer-facing business. The draft definition now states that a first party means “a” consumer-facing business rather than “the” consumer-facing business.
The example provided by the updated draft regulations discusses two businesses co-sponsoring an event or promotion. But the revised definition likely has more far-reaching implications for the advertising technology ecosystem. For example, when a consumer interacts with a major news website where an ad is served on behalf of a major advertiser, there are likely two consumer-facing businesses involved.
The updated draft regulations remove much of the previous language discussing “first parties.” However, the updated definition, read alongside the notice at collection requirements in Section 7012, suggests that where two or more consumer-facing first-party businesses are involved, each must provide a notice at collection, but one of them may provide a single notice on behalf of all first parties.
Changes to Notice at Collection Requirements
The updated draft regulations contain several updates to Section 7012, which addresses notice at collection requirements:
- The updated draft regulations remove the requirement that businesses identify by name the third parties that control the collection of personal information within their notice at collection, again “to simplify implementation of these regulations at this time.”
- The updated draft regulations clarify that both the first party and the third party may provide a single notice at collection describing their collective information practices.
Processing of Opt-out Preference Signals
The updated draft regulations remove the language requiring businesses to display the status of the consumer’s opt-out choice; under the revised draft, displaying that status is optional rather than mandatory.
The updated draft regulations further revise Section 7025(c) to make it optional, rather than mandatory, for businesses to notify consumers when an opt-out preference signal conflicts with the consumer’s participation in a financial incentive program, again “to simplify implementation at this time.”
That said, the CPRA obligation to comply with and honor opt-out preference signals remains one of the more impactful requirements for the advertising industry under the CPRA.
Inferring Customer Behavior
Section 7027(m) of the regulations delineates the purposes for which businesses may collect, use and disclose sensitive personal information without needing to offer consumers a right to limit such collection, use and disclosure.
The updated draft regulations revise Section 7027(m) to clarify what information businesses can infer from customer behavior. By way of example, businesses that sell religious books can use information about customers’ interest in religious content to serve contextual ads for other religious merchandise, so long as those businesses do not use sensitive personal information to create profiles about individual consumers or disclose personal information revealing customers’ religious beliefs to third parties.
Accordingly, the updated draft regulations clarify that businesses may infer certain behaviors, even involving sensitive data categories like religious beliefs, so long as businesses do not disclose that personal information or create consumer profiles with the personal information.
Right to Conduct Audits and Assessments Internally or via Third-party Vendors
The updated draft regulations revise Section 7051(a)(7) to clarify that service providers and contractors can conduct assessments, audits and other technical and operational testing either internally or via third-party vendors.
This change is important, particularly for smaller businesses, because internal audits are typically far less costly than third-party audits.
Continued Emphasis on Respecting GPC Signals and Flowing Deletion and Opt-out Requirements
The updated draft regulations continue to emphasize the importance of respecting opt-out preference signals, including Global Privacy Control (GPC) signals. As the recent Sephora settlement makes clear, California regulators are paying close attention to whether entities detect and process consumer opt-out preference signals. Although the contractual requirement for third parties was removed (discussed above), the updated draft regulations do not minimize businesses’ obligation to respect opt-out preference signals, signaling California’s continued focus on their importance.
Similarly, the updated draft regulations continue to highlight the requirement for businesses to flow deletion and opt-out requests down to service providers, contractors, and third parties to whom the business has sold or shared personal information. Service providers and contractors likewise must notify their own service providers, contractors, or third parties of such requests.