
On May 27, the California Privacy Protection Agency (CPPA) published its first subset of California Privacy Rights Act (CPRA) draft regulations. The first set of draft rules covers specific topics including personal data collection and use restrictions, mandatory user opt-out signal acknowledgement, and privacy notice requirements. The new draft rules represent only a small number of the 22 regulatory topics that the CPPA has been tasked with regulating under Cal. Civ. Code § 1798.185(a).

Formal discussions regarding the draft will take place at the CPPA’s June 8 board meeting, where an updated timeline for a formal rulemaking process could be announced. It is also possible that these draft rules will be approved by the CPPA for a formal notice of proposed rulemaking and public comment process at that same meeting. The new draft regulations are a redlined version of the regulations governing California’s current privacy law enacted in 2018, the California Consumer Protection Act. While there are significant changes to those regulations, the structure of the regulations remains very similar.

Specifically, the draft regulations:

  • Mandate that covered businesses honor global privacy control (GPC) opt-out signals, despite the CPRA’s text stating that recognition of these opt-out signals is optional if an opt-out link is posted prominently on a covered business’ website. No additional GPC technical specifications were included in the draft regulations;
  • Make clear that a person or entity who contracts with a business to provide cross-contextual behavioral advertising is a third party and not a service provider or contractor. This will be a specific area of concern for agencies’
  • Dictate that covered businesses confirm that they have processed requests from consumers to opt out of sales/sharing and requests to limit the use of sensitive personal information (i.e., a toggle or radio button displayed on a brand website). The draft regulations also erect a new notice-at-collection requirement for when a first party allows a third party to collect personal information directly from consumers;
  • Detail the necessary requirements for obtaining consumer consent and affirm that the failure to follow those requirements is considered a dark pattern;
  • Operationalize a consumer’s right to correct inaccurate personal information and right to limit the use of sensitive personal information;
  • Provide direction on notice requirements associated with the right to limit the use of sensitive personal information and identify the permissible uses for sensitive personal information;
  • Contain data processing agreement requirements in the draft regulations that do not match the statutory requirements. For example, contracts would need to require that service providers and contractors notify businesses within five days if they determine that they can no longer comply with the law. That is different from the statutory text; and
  • Create a new duty for businesses to conduct due diligence on service providers, contractors, and third parties.

In the future, the CPPA will issue more regulations on topics such as cybersecurity audits, risk assessments, and opting out of automated decision-making technology.

To represent the interests of our members, the 4As will continue to monitor the CPRA rulemaking process for opportunities to participate in a public comments process in partnership with other associations representing the advertising industry.

Questions regarding the contents of these draft regulations or other aspects of the CPRA can be directed to Alison Pepper