Draft Revised CCPA Regulations: The Top 5 Takeaways

At a board meeting on June 8, 2022, the California Privacy Protection Agency (“CPPA”) voted unanimously to move forward with draft revised California Consumer Privacy Act (“CCPA”) regulations, beginning a formal rulemaking process detailed below. The draft revised CCPA regulations, along with an Initial Statement of Reasons, were unexpectedly published as meeting materials at the CPPA board meeting.

Here, we have outlined the top five key takeaways from the draft revised regulations:

1. Don’t Panic! — This Is Just a Draft

The CPPA is in the early stages of developing the revised CCPA regulations. While the draft revised CCPA regulations provide insight into where the CPPA may be headed, there is a strong likelihood that the current draft will go through several rounds of revisions and the final CCPA regulations will look different from this current draft. For example, the CPPA purposefully excluded several key topics from this draft, including rules addressing automated decision-making, privacy risk assessments, and cybersecurity audits, which the CPPA has indicated will likely be addressed in future regulation packages.

Next, the CPPA will file a Notice of Proposed Rulemaking Action and invite the public to comment on the draft revised CCPA regulations during the initial public comment period (which runs for at least 45 days). Then, if the CPPA proposes any substantive modification to the draft revised CCPA regulations after the initial comment period, it will open an additional public comment period for at least 15 more days. Once the CPPA finalizes the revised CCPA regulations, it will submit the text of the final regulations and a response to every public comment in a Final Statement of Reasons to the Office of Administrative Law for final publication.

2. Global Opt-Out Preference Signals Are Mandatory . . . Not Optional

Despite statutory language suggesting a business can choose whether to accept global opt-out preference signals or provide links to other opt-out mechanisms, the draft CCPA regulations would require a business to process any properly formatted opt-out preference signal as a valid request to opt out of the “sale” of personal information or the “sharing” of personal information for cross-context behavioral advertising (§ 7025). The CPPA’s Initial Statement of Reasons makes this even clearer: “[t]his regulation is also necessary to address a common misinterpretation of Civil Code section 1798.135, subdivisions (b)(3) and (e), that complying with an opt-out preference signal is optional for the business. Not so.”

This is likely to be a controversial aspect of the draft CCPA regulations, with many businesses feeling this places an undue burden on businesses to adopt a technology that has not yet truly been developed nor widely accepted. 

3. Purpose Limitation Requirement Liberally Interpreted to Create an Opt-In Regime

The CPPA has broadly interpreted the CCPA’s purpose limitation requirements to require that a business’s collection, use, retention, and sharing of personal information be “reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed”—meaning it must be consistent with what an average consumer would expect when the personal information was collected (§ 7002). The draft CCPA regulations would require a business to obtain the consumer’s explicit consent before processing that consumer’s personal information for any purpose that is unrelated or incompatible with the purpose(s) for which it was collected. The CPPA’s Initial Statement of Reasons further explains this purpose limitation will “restrict businesses from using consumers’ personal information for disclosed purposes that are unrelated to a consumer’s expectation simply because they are hidden within a lengthy and dense privacy policy.”

The illustrative examples provided in the draft CCPA regulations create a pseudo-opt-in consent regime for many common data processing practices, including:

• Product Development: A business should not use personal information collected in connection with a specific product or service to research and develop unrelated or unexpected new products or services without the consumer’s explicit consent.
• “Selling” or “Sharing” Data Used to Provide a Service: A business should not “sell”or “share” personal information collected for the purpose of providing a service without the consumer’s explicit consent, as such selling or sharing is not reasonably necessary and proportionate to provide the services, nor is it compatible or related to the provision of the services.

Like the CPPA’s initial take on the global opt-out, we anticipate this broad interpretation of the CCPA’s purpose limitation requirements will be subject to significant pushback by businesses across industries, as it in many ways defeats the statutory structure of the law as currently written.

4. Dark Patterns Remain Squarely in the Crosshairs

The draft CCPA regulations would require businesses to design and implement methods for submitting CCPA requests and obtaining consumer consent that (§ 7004):

• Is Easy to Understand: Language must be easy to read and understand (e.g., No legalese).
• Provides Symmetry in Choice: Path for a consumer to exercise a more privacy-protective option must not be longer than the path to exercise a less privacy-protective option (e.g., No designs where the “yes” button is more prominent than the “no” button).
• Avoids Language or Interactive Elements That Confuse: Toggles/buttons must clearly indicate the consumer’s choice (e.g., No double negatives; no unexplained toggles).
• Avoids Manipulative Language or Choice Architecture: No guilting or shaming the consumer into making a particular choice or bundling consent to subvert consumer’s choice (e.g., No “I like paying full price” warnings or requiring the consumer to click through reasons against their choice).
• Is Easy to Execute: No unnecessary burden or friction for the consumer seeking to exercise privacy rights (e.g., No “Do Not Sell” links that require searching or scrolling to find the opt-out mechanism).

We strongly anticipate some version of these new requirements will make it into the final draft of the CCPA regulations and wouldn’t be surprised if the final language aligns closely with the language in the current draft.

5. A Service Provider/Contractor Cannot Provide Cross-Contextual Behavioral Advertising

Starting in 2023, the CCPA will allow consumers to opt out of the “sharing” of their personal information for cross-context behavioral advertising (i.e., the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services the consumer did not intentionally interact with).

The draft revised CCPA regulations clarify that any person who contracts with a business to provide cross-contextual behavioral advertising is a third party and not a service provider (or contractor) (§ 7050). For example:

• If a clothing company hires a social media company as a service provider to provide advertisements on its platform, the social media company can only serve non-personalized ads based on aggregated or demographic information (e.g., based on sex, age, geography). The social media company cannot use a list of customer email addresses provided by the clothing company to identify users on the social media’s platform to serve advertisements to them in its capacity as a service provider.
• A cookware company that hires an advertising company as a service provider to advertise its service can provide contextual advertising services (e.g., placing product ads on websites that post recipes or other cooking tips).

If retained, these new requirements would likely impact common market positions taken by certain adtech companies that they can operate as a service provider in relation to certain targeted advertising activities (such as matching an advertiser’s customer files to create segments, such as look-a-like audiences, or collecting data on an advertiser’s digital property via a pixel for retargeting purposes). While we anticipate this restriction to receive significant scrutiny from the adtech industry, it seems unlikely at this point the CPPA will be sympathetic to the position of various adtech stakeholders.

Now What:

• Don’t Panic! – As a reminder, these are very preliminary DRAFT regulations. They are likely to undergo several revisions, so we do not recommend adjusting your program today to try to comply with the moving target the draft CCPA regulations reflect.
• So, What’s Next? – Be on the lookout for the CPPA to file its Notice of Proposed Rulemaking Action, which will kick off the formal rulemaking process and the initial public comment period. There is a long way to go before the regulations are finalized, but this Notice will signify the trains are starting to leave the station.
• Make Your Voice Heard – Consider reviewing the draft revised CCPA regulations in their entirety to see if there are topics on which you would like to comment.
• Build Your Revised CCPA Program – Although these draft regulations are not final, the statutory text of the revised CCPA is (subject to a few amendments still under consideration). We recommend companies take steps today to address the set requirements imposed under the CPRA. Our CPRA On The Way Guide can help your organization get started. 
• Be Patient and Flexible – The next few months are going to be a bumpy ride, as we now have five comprehensive state data protection laws coming into effect (California, Colorado, Connecticut, Utah, and Virginia), with each state incorporating different levels of rulemaking, as well as a bipartisan federal privacy law proposal actively under consideration. Developing a flexible compliance program can help to address requirements now and make quick adjustments as the laws evolve.