Way back in November of 2020, I wrote about the California Privacy Rights Act and some of the key changes from the existing California Privacy Protection Act. As part of the law, the newly formed California Privacy Protection Agency was tasked with drafting regulations for the law, which business would be subject to in order to determine compliance.
It’s been roughly 18 months, but the first draft of those regulations was issued this week. This begins the agencies rulemaking period, and there are bound to be revisions coming in the next few months. However, reviewing this draft gives insight into where what the agency is thinking, and what the final regulation text may end up being.
Note: I am not a lawyer, this is not legal advice, and these regulations are in draft and are subject to change, so anything that follows may not apply to the final text. This list is also not exhaustive, and you are strongly encouraged to review with legal counsel at the earliest convivence given the expected timelines for enforcement.
Full Draft regulations can be reviewed here. Some highlights below:
“Disproportionate Effort”
The regulations add in several places the concept of “disproportionate effort” a mechanic in which a business can refrain from responding to a consumer request. To qualify, the business must be able to demonstrate that the time and / or resources needed would be significantly higher than the material impact on the consumer.
Notably, however, a business that has failed to put in to place adequate processes to comply with the law may not claim that responding to a consumer’s request requires disproportionate effort.
Regardless it strikes me that a business must build out the infrastructure and be able to prove they have the processes in place to comply with consumer requests.
Data Purpose Limitation
Sections of the regulation speak to how a business that collections personal information needs to be in alignment with the purpose, and that a business can’t use data collected for one purpose for another.
At a federal level, the FTC just hit Twitter with a $150 million dollar fine for this same thing. Twitter was caught using 2FA signup information to target for advertising. The concept of data purpose is showing up in many laws, and I expect will be the subject of several court cases.
No more flashlight apps collecting and selling geolocation data, for example.
Opt-Out Signal
The regulations require a business acknowledge and act on a global opt-out signal. As I see it the most likely scenario for this, is the Global Opt Out signal proposal, which is (at time of writing) still in draft phase. The expected behavior is defined over nearly 5 pages in the regulations, it’s worth a review for what may be required once they narrow down what the signal looks like.
I see businesses having a hard time with these in absence of a industry standard for what the signal looks like. I am hoping this is better defined in later drafts. Still, in the event they get this worked out – that will force large scale evaluation and protentional refactoring of consent management strategies and adjustments to their related integrations.
Privacy Policy Requirements
The Privacy Policy is a major component of the regulations and will require some modification to be brought up to code. The policy must include:
- Identification of the categories of personal information collected over the prior 12 months.
- Identification of the sources from which personal information is collected.
- Identification of the specific business or commercial purpose for collection.
- Identification of the categories that the business has sold or shared to third parties in the proceeding 12 months. If no data has been shared or sold, this too must be disclosed.
- Identification of why data was sold or shared to a third party.
- A statement regarding whether the business has actual knowledge that it sells or shares data from consumers under 16 years old.
- A explanation of the rights that the CCPA confers on consumers.
- The Right to Know
- The Right to Delete
- The Right to Correct
- The Right to Opt-Out
- The Right to Limit
- The Right not to receive discriminatory treatment
- An explanation on how consumers can exercise the above rights.
- How the business complies with the Opt-Out signal and how consumers can enable such a signal.
- Instructions for Authorized Agents to make a request on a consumer’s behalf.
- A contact for questions or concerns about the business’s privacy policy reflecting the manner in which a business primarily interacts with the consumer.
- The date the privacy policy was updated.
It’s important the above is correct. This helps set the standard for how the rest of a companies privacy program will be judged. The important thing is to be consistent. Do not say one thing on the policy and do something different elsewhere in the business.
UX Requirements for Consent
Consent is a major component of many privacy laws and California’s regulations draft what that should look like to be considered legally binding. This should concern you. I encourage you to talk over your consent management with legal counsel as in most cases in my experience sites in the USA fail one or more of these points. At a high level:
- Needs to be easy to understand, no technical or legal jargon.
- Needs to be symmetry in choice – buttons should have equal prominence, word phrasing font size, and talks about the need for no default selection.
- Avoid language that is confusing to the customer (no double negatives, switching around button placement).
- No shaming or manipulative language. Refrain from using phrases like “No, I don’t want to save money”
- No requiring a consumer to justify their desire to opt-out.
- No bundling of consent – If you consent to geo data collection for mapping, the App can not also flag you for eligible for sale of data to brokers – each consent scenario is separate.
- Easy to execute. Methods for consent require testing and clicking the link to learn more should take you to the correct point in the company privacy policy.
- Circular or broken links, non-functional or monitored email addressed or requirements to wait on a webpage longer than required may violate the regulation.
Anything design that does not comply with the above, may be considered a dark pattern. If a dark pattern is found to be used, than the consent wasn’t binding which may open the business up to other violations of the regulation.
Service Providers, Third Parties and Remarketing
Starting on page 48 and over the next several pages the draft details out Service Providers, Contractors and Third Parties, including specific contract requirements and under which purposes they can use data sent to them by a controller.
There are several requirements for service provider contracts which will likely cause a flood of agreement modifications once the regulations are finalized. These terms include prohibiting service providers from selling or sharing personal data or using it for scenarios not directly outlined by contract. It also requires service providers comply with all aspects of the CCPA regulations.
Notably, the regulations encourage businesses to take reasonable and appropriate steps to ensure everything is on the up and up. These may include ongoing manual reviews, automated scans of the service provider’s system and other assessments, audits or testing at least one every 12 months.
Further, it calls out that a business must do due diligence. It specifically calls out that a business that never enforces the terms of contract, nor audits the systems may not be able to rely on the defense it did not have reason to believe the service processor was violating CCPA at the time data was shared with the service provider.
Lastly, and perhaps most importantly – a service provider or contractor cannot contract with a business to provide cross-contextual behavior advertising. A person who contracts with a business to provide cross-contextual behavioral advertising is a third party, and not a service provider or contractor. This means remarketing efforts are with third parties, and thus subject to different regulation than standard service providers. You will want to review this distinction with legal counsel if remarketing is critical to your business and ensure the contract requirements for third parties are being met.
The regulations helpfully include an example:
Business S, a clothing company, hires a social media company as a service provider
https://cppa.ca.gov/meetings/materials/20220608_item3.pdf
for the purpose of providing Business S’s advertisements on the social media
company’s platform. The social media company can serve Business S by providing
non-personalized advertising services on its platform based on aggregated or
demographic information (e.g., advertisements to women, 18-30 years old, that live in Los Angeles). However, it cannot use a list of customer email addresses provided by Business S to identify users on the social media company’s platform to serve advertisements to them.
Next Steps
The Privacy Agency will continue to make changes during their rulemaking process, but it’s important to see the direction things are headed. Take advantage of the draft and begin making plans for how to comply. Remember, the planned enforcement date is January 1st, 2023 which does not leave a ton of time for companies to get everything in order so they can be compliant. Make the most of the time you have left.