The California Privacy Protection Agency (“the Agency”) announced on October 17th, 2022 that it had proposed changes to the draft regulations under the California Privacy Rights Act (CPRA) that were issued on July 8th, 2022. Those regulations expanded on the language of the CPRA, setting out a range of additional requirements for obtaining consent from consumers, supporting consumers in exercising their rights, contracting with service providers, contractors and third parties with whom data is shared, and increasing the transparency of the privacy notices that consumers receive.
This update summarizes several key changes made since the original proposed CPRA regulations. Although the CPRA regulations are not yet final, the most recent changes will help businesses prepare for the CPRA’s effective date of Jan. 1, 2023 and its enforcement date of July 1, 2023.
The important changes to the draft regulations are:
Simplified privacy notice requirements for collection involving third parties.
The initial draft regulations risked imposing cumbersome and redundant disclosure obligations when a third party is involved. The current version reverses some of these requirements.
First, the Agency eliminated the requirement that a company’s privacy notice include the names of any third party. This is in line with the CPRA, which obliges a company to disclose the categories of third parties.
Second, the Agency aligned the notice requirements with the joint controller model in the GDPR. It allows the first-party controller and third-party controllers to share the compliance burden between them instead of each providing an individual notice. If this change is enacted as drafted, companies that already comply with the GDPR may already have procedures in place to help them meet this CPRA obligation.
The size of the alternative opt-out icon, to better match web design.
The first draft of the regulations provided a number of guidelines regarding the format used to present consumers with the option of opting out. It also stipulated that the alternative opt-out link be an icon of exactly the same size as the other icons that appear on the company’s website.
Recognizing that the proposed regulation could pose a problem for companies that use icons of various sizes, and in turn would require tailoring the icon for every page, the Agency changed the draft regulation to define the size requirement relative to the other icons used in the “header and footer” of the website.
Eliminated the proposed “average consumer” standard and added additional criteria to assess the fairness of the collection of personal data.
A major area of debate regarding the draft regulations concerned the “average consumer” standard. In contrast to the CPRA text, which evaluates collection on the basis of the reasonableness of a business’s processing operations and its transparency, the Agency had proposed in its draft CPRA regulations that businesses’ processing and storage of personal information should be in line with what “a typical consumer might be looking for.”
The latest revisions eliminate this standard and instead set criteria for evaluating the collection or processing. These include the company’s relationship with the consumer, the method and source used to collect or process personal information, and the type and nature of the personal information collected or processed. They also consider the kind of disclosures made to the consumer, as well as the likelihood that a consumer is aware of the involvement of third parties.
The examples accompanying these factors also show the Agency’s focus on data sharing that the consumer might find surprising. For instance, the Agency suggests that consumers would not expect a business to use data it obtained for the sale of a product or service by a subsidiary of the business.
Expanded the criteria for determining when a business is not required to comply with consumer requests.
In the latest update, the Agency added a definition of “disproportionate effort” that is used throughout the regulations. It defines the circumstances in which a company is not required to comply with a consumer’s request to exercise their rights under the CPRA.
First, the Agency made clear that this standard applies to contractors, service providers and other third parties, which are required to report back to the business if they are unable to respond to the request. The Agency also proposed a number of factors to be considered in assessing whether a “disproportionate effort” exists, for example the size of the company, the type of request and technical limitations.
These modifications are in line with other changes within the regulations that limit firms’ obligation to restore archived data and to comply with the right to correct.
Eliminated the five-day notice requirement for service provider and third-party contracts.
As companies begin to evaluate their service provider, contractor and third-party agreements, one of the major changes to take into account is the removal of the requirement that contracts oblige the parties to notify the business within five days if they are unable to comply with the relevant CPRA obligations. This should give companies flexibility to set their own contractual deadlines.
But since the Agency did not suggest any other changes to the proposed contract obligations, it may be beneficial for companies to review their current contracts and any changes that might be required should the new regulations take effect in their current form.
Added an exception to the limits on the use of sensitive personal data.
The draft regulations outline various exceptions under which businesses are not required to give consumers the option to limit the use of their sensitive personal data (e.g. exact location, government identification numbers and health data). The new regulations provide a brand-new exemption for situations where the personal data is used for purposes “that do not draw conclusions of the customer.”
The draft gives the example of using information related to a person’s medical condition when that person is searching for it. If a company uses the information for a purpose that goes beyond the search, it must honor requests to limit use.
The Agency has not yet provided an opportunity for additional feedback regarding these changes. However, one could arise in the coming weeks, since the Agency will review and vote on these changes at the board’s meeting scheduled for the 28th and 29th of October. Businesses should watch for further developments.
While the regulations remain a work in progress, companies subject to the CPRA should start evaluating what steps they should take to implement their compliance programs in light of the most recent changes, which appear to indicate that the regulations are close to final.