At a board meeting on June 8, 2022, the California Privacy Protection Agency (“CPPA”) voted unanimously to move forward with draft revised California Consumer Privacy Act (“CCPA”) regulations, beginning a formal rulemaking process detailed below. The draft revised CCPA regulations, along with an Initial Statement of Reasons, were unexpectedly published as meeting materials at the CPPA board meeting.
Here, we have outlined the top five key takeaways from the draft revised regulations:
The CPPA is in the early stages of developing the revised CCPA regulations. While the draft revised CCPA regulations provide insight into where the CPPA may be headed, there is a strong likelihood that the current draft will go through several rounds of revisions and the final CCPA regulations will look different from this current draft. For example, the CPPA purposefully excluded several key topics from this draft, including rules addressing automated decision-making, privacy risk assessments, and cybersecurity audits, which the CPPA has indicated will likely be addressed in future regulation packages.
Next, the CPPA will file a Notice of Proposed Rulemaking Action and invite the public to comment on the draft revised CCPA regulations during the initial public comment period (which runs for at least 45 days). Then, if the CPPA proposes any substantive modification to the draft revised CCPA regulations after the initial comment period, it will open an additional public comment period for at least 15 more days. Once the CPPA finalizes the revised CCPA regulations, it will submit the text of the final regulations and a response to every public comment in a Final Statement of Reasons to the Office of Administrative Law for final publication.
Despite statutory language suggesting a business can choose whether to accept global opt-out preference signals or provide links to other opt-out mechanisms, the draft CCPA regulations would require a business to process any properly formatted opt-out preference signal as a valid request to opt out of the “sale” of personal information or the “sharing” of personal information for cross-context behavioral advertising (§ 7025). The CPPA’s Initial Statement of Reasons makes this even clearer: “[t]his regulation is also necessary to address a common misinterpretation of Civil Code section 1798.135, subdivisions (b)(3) and (e), that complying with an opt-out preference signal is optional for the business. Not so.”
This is likely to be a controversial aspect of the draft CCPA regulations, with many businesses feeling this places an undue burden on businesses to adopt a technology that has not yet truly been developed nor widely accepted.
The illustrative examples provided in the draft CCPA regulations create a pseudo-opt-in consent regime for many common data processing practices, including:
Like the CPPA’s initial take on the global opt-out, we anticipate this broad interpretation of the CCPA’s purpose limitation requirements will be subject to significant pushback by businesses across industries, as it in many ways defeats the statutory structure of the law as currently written.
The draft CCPA regulations would require businesses to design and implement methods for submitting CCPA requests and obtaining consumer consent that (§ 7004):
We strongly anticipate some version of these new requirements will make it into the final draft of the CCPA regulations and wouldn’t be surprised if the final language aligns closely with the language in the current draft.
Starting in 2023, the CCPA will allow consumers to opt out of the “sharing” of their personal information for cross-context behavioral advertising (i.e., the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services the consumer did not intentionally interact with).
The draft revised CCPA regulations clarify that any person who contracts with a business to provide cross-contextual behavioral advertising is a third party and not a service provider (or contractor) (§ 7050). For example:
If retained, these new requirements would likely impact common market positions taken by certain adtech companies that they can operate as a service provider in relation to certain targeted advertising activities (such as matching an advertiser’s customer files to create segments, such as look-a-like audiences, or collecting data on an advertiser’s digital property via a pixel for retargeting purposes). While we anticipate this restriction to receive significant scrutiny from the adtech industry, it seems unlikely at this point the CPPA will be sympathetic to the position of various adtech stakeholders.