May 31, 2022
California Privacy Protection Agency Releases Draft Proposed CCPA Regulations
The California Privacy Protection Agency (CPPA) released its proposed California Consumer Privacy Act Regulations (the proposed Regulations) ahead of its upcoming board meeting on June 8, 2022. The proposed Regulations will be put forward for the consideration of the CPPA before a notice of proposed rulemaking is issued and public consultation begins.
The proposed Regulations include several amendments to the terminology used by the California Consumer Privacy Act (CCPA), including how businesses should handle consumer rights such as the right to know, correction, and deletion, as well as Do Not Sell or Share preferences. The proposed Regulations focus on enforcement, agency audit rights, and dark patterns; however, they do not address automated decision-making, cybersecurity audits, or privacy risk assessments introduced by the California Privacy Rights Act (CPRA). These are expected to be addressed in a second rulemaking package. The timeline for the rulemaking process remains unclear, but it is expected to go beyond the scheduled date of July 1, 2022, and the proposed Regulations are still subject to change before they are released for public consultation.
What do the draft proposed California Consumer Privacy Act Regulations say?
Right to know, correct, and delete
Throughout the proposed Regulations, updates have been made to CCPA terminology and concepts, notably in relation to consumer rights and how businesses handle these requests. For instance, the proposed Regulations include a requirement for businesses to notify service providers and contractors of a deletion request, as well as all third parties to which the business has sold or shared that personal information. Additionally, requirements for handling requests to correct inaccurate personal information have been detailed in the proposed Regulations. These include grounds on which to deny correction requests, third-party notification, and requirements for supporting documentation.
Opt-out of Sale or Share and Limit the Use of Sensitive Personal Information
The proposed Regulations outline prescriptive methods for providing consumers with the opportunity to opt out of the sale or sharing of their personal information and the right to limit the use and disclosure of their sensitive personal information. These include providing consumers with ‘Do Not Sell My Personal Information’ and ‘Limit the Use of My Sensitive Personal Information’ links, as well as alternative opt-out links, toll-free numbers, or a dedicated email address. The proposed Regulations also highlight offline methods for consumers to make an opt-out request, such as in-person forms or physical mail. Cookie banners and similar tools are not an acceptable method for submitting requests to opt out of sale or sharing or to limit the use of sensitive personal information under the proposed Regulations. Methods for submitting these requests must address the sale and sharing of personal information or the specific right to limit.
Sworn complaints and Agency-initiated investigations
Requirements for filing a sworn complaint and for Agency-initiated investigations are provided under Article 9 of the proposed Regulations. Sworn complaints can be filed with the Enforcement Division of the CPPA via an electronic complaint system, in person, or by mail when a violation of the CCPA is believed to have occurred. A sworn complaint must:
- Identify the business, service provider, contractor, or person who allegedly violated the CCPA
- State the facts that support each alleged violation and include any documents or other evidence supporting this conclusion
- Authorize the alleged violator and Agency to communicate regarding the complaint, including disclosing the complaint and any information relating to the complaint
- Include the name and current contact information of the complainant
- Be signed and submitted under penalty of perjury
In addition to sworn complaints, the proposed Regulations include a provision for Agency-initiated investigations that can include referrals from government agencies or private organizations and anonymous complaints. These investigations may be opened at the discretion of the CPPA.
Agency audit rights
Another addition found within the proposed Regulations is the right for the CPPA to audit organizations to ensure compliance with the CCPA. With these audit rights, the Agency can conduct an investigative audit to determine whether possible violations of the CCPA have occurred or whether the collection or processing of personal information presents a significant risk to consumer privacy or security. The CPPA may also choose to audit a business if there is a history of noncompliance with the CCPA or any other privacy protection law, and the CPPA has the right to conduct these audits without prior announcement.
Requirements for avoiding dark patterns
The proposed Regulations include significant requirements for businesses to lawfully obtain consumer consent, and any method used to obtain consent that does not meet these requirements may be considered a dark pattern. Any consent deemed to have been collected via the use of dark patterns will not be considered valid.
The proposed Regulations state that “a user interface is a dark pattern if the interface has the effect of substantially subverting or impairing user autonomy, decision-making, or choice, regardless of a business’s intent.”
A valid method for obtaining consent must:
- Be easy to understand: language must be easy for consumers to read and understand and should meet the requirements for disclosures to consumers, where applicable.
- Offer symmetry in choice: the method for a consumer to exercise a more privacy-protective option should not be longer or more difficult to exercise than a less privacy-protective option.
> A website banner that serves as a method for opting out of the sale of personal information that only provides the two choices, “Accept All” and “More Information,” or “Accept All” and “Preferences,” is not equal or symmetrical because the method allows the consumer to “Accept All” in one step, but requires the consumer to take additional steps to exercise their right to opt-out of the sale or sharing of their personal information. An equal or symmetrical choice would be “Accept All” and “Decline All.” – Proposed CCPA Regulations § 7004(2)(C)
- Avoid language or interactive elements that are confusing to the consumer: this includes the use of double negatives and unclear toggles or buttons.
> Giving the choice of “Yes” or “No” next to the statement “Do Not Sell or Share My Personal Information” is a double negative and a confusing choice for a consumer. – Proposed CCPA Regulations § 7004(3)(A)
- Avoid manipulative language or choice architecture: language or wording that guilts or shames the consumer into making a particular choice or bundles consent in order to subvert the consumer’s choice should not be used.
> When offering a financial incentive, pairing choices such as, “Yes” (to accept the financial incentive) with “No, I like paying full price” or “No, I don’t want to save money,” is manipulative and shaming. – Proposed CCPA Regulations § 7004(4)(A)
- Be easy to execute: unnecessary burdens or friction should not be added to the process for submitting consent, and methods should be tested to ensure that they do not undermine the consumer’s choice in order to obtain consent.
> Circular or broken links, and nonfunctional email addresses, such as inboxes that are not monitored or have aggressive filters that screen emails from the public, may be in violation of this regulation. – Proposed CCPA Regulations § 7004(5)(B)
How should businesses respond to the draft proposed CCPA Regulations?
The proposed Regulations still have some way to go before these provisions become finalized, starting with the CPPA board meeting on June 8, 2022. A notice of proposed rulemaking still needs to be issued, and a 45-day public consultation period will need to conclude before we see what a final draft might look like. This leaves significant room for change within the regulations. However, as best practice, businesses can evaluate their consent collection methods and preference management solutions to support Do Not Sell or Share requirements.
There will also likely be some focus on correctly handling consumer rights requests once the final regulations are issued. As many businesses saw in the months following the GDPR taking effect, the number of individuals exercising their rights increased, adding a significant burden on the privacy office. Ensuring that an effective solution for receiving, verifying, and responding to consumer rights requests is in place ahead of any final rulemaking will help your business prepare to handle a rise in requests.
Additionally, with an added emphasis on limiting the use of sensitive personal information, managing opt-out requests, and communicating correction and deletion requests to third parties, businesses should ensure that their data map is up to date, records of processing are maintained, and personal information is properly classified.
Learn more about how the OneTrust Privacy & Data Governance Cloud can help you automate your privacy program in one unified platform to comply with global privacy laws and offer consumers transparency, choice, and control.