CPPA Issues CPRA Draft Regulations
By: Lewis Brisbois' Data Privacy & Cybersecurity Team
On Friday, May 27, 2022, the California Privacy Protection Agency (CPPA) issued draft proposed regulations ahead of its June 8, 2022 board meeting. While these draft regulations are subject to public comment and may undergo extensive revisions before they are finalized, the draft rules provide some insight into the direction the CPPA is taking with regard to how businesses may collect and use personal information as well as the form and content for notices and disclosures to consumers. Below are a few high-level takeaways from the draft regulations.
Consumer Rights. The regulations propose changes to the process for consumers to opt out of the sale or sharing of their personal data. Businesses must set up easy-to-understand opt-out methods that are symmetrical to opt-in options, using methods that are easy for a consumer to use. Importantly, cookie banners alone are not sufficient under the proposed regulations. The draft regulations define important terms related to data subject rights, including the right to correct, the right to delete, the right to know, and the right to limit.
Data Collection and Processing. The draft regulations require businesses to limit data collection to information that is “reasonably necessary and proportionate” to achieve the purpose for which the personal information was collected or processed. Under the draft regulations, what is reasonably necessary and proportionate is measured by what an average consumer would expect. The draft regulations provide illustrative examples throughout, including for the “reasonably necessary and proportionate” analysis:
Business A provides a mobile flashlight application. Business A should not collect, or allow another business to collect, consumer geolocation information through its mobile flashlight application without the consumer’s explicit consent because the collection of geolocation information is incompatible with the context in which the personal information is collected, i.e., provision of flashlight services. The collection of geolocation data is not within the reasonable expectations of an average consumer, nor is it reasonably necessary and proportionate to achieve the purpose of providing a flashlight function.
Obligations of Service Providers, Contractors, and Third Parties. The draft regulations create authority for the CPPA to audit businesses, service providers, contractors, and individuals to ensure compliance with the regulations. The proposed regulations also expand on and clarify the obligations placed on businesses that share information with third parties, including:
- Illustrative examples of the instances in which service providers may retain personal information obtained in the course of providing services;
- Limitations on the types of advertising a business may provide and still be considered a service provider; and
- Clarifications regarding service provider, contractor, and third-party contract and due diligence requirements.
The draft regulations are on the agenda for discussion at the upcoming CPPA board meeting, which the public can attend either in person or virtually. We expect the Board to provide clarity on the rulemaking process and the comment period. The full text of the draft regulations can be found here.
For more information about these draft regulations, or for assistance with your privacy compliance program, please contact the authors of this post or reach out to the entire Compliance Advisory team at PrivacyCompliance@lewisbrisbois.com. You can also subscribe to this blog to receive email alerts when new blogs are published.