“Businesses, service providers, and contractors are to comply with not just the letter of the (California Consumer Privacy Act), but the spirit of the law.”
That is according to a new Initial Statement of Reasons issued by the California Privacy Protection Agency (CPPA) that used the word “necessary” 253 times, the word “clarify” 96 times and the word “clear” 66 times.
Here is what you need to know:
“Key Performance Indicators”
- “The proposed regulations provide comprehensive guidance to consumers, businesses, service providers and third parties on how to implement and operationalize new consumer privacy rights and other changes to the law introduced by the CPRA amendments to the CCPA.”
- The ISOR does not believe that these regs will have a significant economic impact on the State of California.
- The Attorney General’s Office can enforce directly against service providers, contractors and third parties.
- The CPRA amendments now restrict businesses from collecting, using, retaining and sharing consumer personal information in a manner that is inconsistent with consumer expectations, unless they obtain the consumer’s explicit consent.
- There is no special registry with the Attorney General’s Office for authorized agents.
- A price or service difference also requires a notice of financial incentive.
- A financial payment is not a price or service difference, but it still may be a financial incentive.
Collection and Use of Data
- To be reasonably necessary and appropriate, the business’ activities must be within the reasonable expectations of an average consumer when the personal information was collected.
- The subsection further clarifies that the business can collect, use, retain and/or share personal information for another disclosed purpose if that disclosed purpose is compatible with what an average consumer would reasonably expect.
- A business that intends to collect new categories of personal information not disclosed in the notice at collection or intends to use it in a new way must provide a separate, updated notice at collection and the compatible use must be compliant with the requirements of the law (necessary and proportionate i.e reasonably expected by consumers).
- If businesses wish to use consumers’ personal information for an unrelated or incompatible purpose, then the explicit consent of the consumer is required.
Disclosures and Communications to Consumers
- Businesses are to provide information to consumers into one place instead of repeatedly stating the same thing in multiple places.
- Businesses should make the link as clear and conspicuous or otherwise accessible as other types of links on a webpage, but it also provides the business flexibility to make it more conspicuous by using the phrase “at least”.
Requirements for Methods for Submitting CCPA Requests and Obtaining Consumer Consent
- Businesses should be testing their methods to ensure that they are functional. This guidance is particularly important because it speaks to the fact that a dark pattern does not require intent to subvert consumer choice, but rather that it has the effect of subversion.
- The examples in the Regs are taken from practices seen in the marketplace.
Required Disclosures to Consumers
- The examples in the Regs are taken from practices seen in the marketplace.
- Notice at collection – upon receiving the notice at collection, the consumer should have all the information necessary to choose whether or not to engage with the business, or to direct the business not to sell or share their personal information and to limit the use and disclosure of the sensitive personal information so that they can exercise those rights at the earliest point in time that the information is collected. To the extent that there are multiple ways a business can provide notice, the business should pick the manner that would best accomplish the purpose of the notice.
- More than one business may control the collection of personal information does not impact a first party’s obligation to comply with a consumer’s request to opt-out of the sale/sharing. A first party that authorizes a third party to jointly control the collection of personal information is still “making available” that personal information to the third party, which may be considered a “sale” or “sharing.” Accordingly, a first party who receives a request to opt-out of sale/sharing must comply with the consumer’s request in accordance with the CCPA and these regulations.
- Although CPRA requires third parties controlling the collection to post the notice at collection on their website, consumers would never be able to learn what these third parties are doing with their information because they do not know where to look. This runs counter to the purpose of the notice at collection and the intent of the CPRA amendments to the CCPA.
- Limiting use – Because using and disclosing a consumer’s sensitive personal information without giving them notice and the opportunity to limit the business’s use goes against the intent and purposes of the CCPA, the business is required to treat personal information collected from the consumer during the time it did not post a notice of right to limit as if the consumer had submitted a request to limit.
Handling Consumer Requests
If a business does not have a consumer’s consent to delete the information rather than correct it, the business should communicate with the consumer to determine whether and how the contested information is negatively affecting the consumer. The list of potential negative impacts on the consumer set forth in the Regs is not intended to be exhaustive.
- In an effort to prioritize drafting regulations that operationalize and assist in the immediate implementation of the law, these regulations only address the opt-out preference signal as an expression of a consumer’s right to stop the sale and sharing of personal information. These regulations do not include limiting the use of sensitive personal information, or how a consumer may express opt-in to the sale or sharing of personal information if the consumer is between the ages of 13 and 16 years or how a consumer’s parent or guardian may express opt-in if the consumer is less than 13 years of age.
- By specifying that the effect of the signal can be explained either in the signal’s configuration or public disclosures, the regulation allows for situations where consumers affirmatively choose products or services that include built-in privacy-protective features because these products or services are designed with privacy in mind. The selection of privacy-by-design products or services is an affirmative step and sufficient to express the consumer’s intent to opt out of the sale and sharing of personal information. Additional steps are not necessary, even if this means that a consumer relies on a privacy-by-default opt-out mechanism that is built into a platform, technology, or mechanism.
- A business that sells or shares personal information is always required to process a consumer’s request via an opt-out preference signal. This regulation is necessary to respond to incorrect interpretations in the marketplace that complying with an opt-out preference is optional for the business. The “option” presented in the statute’s text is between providing a frictionless response to the opt-out preference signal or a non-frictionless response to the opt-out preference signal.
If a business cannot explain why the personal information is necessary, it should not require it from consumers.
Service Providers, Contractors and Third Parties
- If a business cannot explain why the personal information is necessary, it should not require it from consumers
- The failure of a service provider or contractor or third party to comply with the required contract is a violation of the CCPA enforceable by the Agency and the Attorney General’s Office.
- A business that never enforces the terms of the contract nor exercises its rights to audit or test the service provider’s or contractor’s systems may not be able to claim that it did not know or have reason to believe that the service provider or contractor intended to use the personal information in violation of the CCPA. This subsection is necessary to ensure that the provisions required to be in the contract have real meaning and businesses do not shirk their duties to ensure that personal information disclosed to service providers and contractors is used in a lawful manner.
Only price and service differences require a valuation of data. Other kinds of financial incentives where a monetary or specific benefit (e.g., free t-shirt, gift card, etc.) is given for the exchange of data do not require a valuation because the consumer is aware of the value of the good and able to factor it into their decision of whether to provide the personal information.
- The Agency may conduct an audit to investigate possible violations of the CCPA. An investigation may result from complaints submitted to the Agency, self-disclosed violations, media or news reports, or any other evidence gathered by the Agency.
- The Agency may also conduct an audit if the subject’s collection or processing of personal information presents significant risk to consumer privacy or security, or if the subject has a history of noncompliance with the CCPA or any other privacy protection law because non-compliance may indicate a lack of understanding or disregard of the CCPA.