On October 17, 2022, the California Privacy Protection Agency (“CPPA”) released modified proposed regulations for compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), along with an explanation of the modifications as materials for upcoming CPPA Board Meetings. The Board Meetings, scheduled for October 21-22, 2022, and October 28-29, 2022, will discuss and take possible action, including adoption or modification, regarding the proposed regulations.
The modified proposed regulations, 72 pages in total, change the initial proposed regulations noticed on July 8, 2022. Key highlights include:
- Notice at Collection (Section 7012)
- The modified proposed regulations eliminate requirements, initially proposed, for a business to either disclose the names of third parties that the business allows to collect personal information from the consumer, or to provide information about the third parties’ business practices in the business’s notice at collection.
- The modified proposed regulations retain, however, requirements that third parties the business allows to collect personal information provide a notice at collection, and add that the business and the third parties may provide a single notice at collection that covers their collective information practices.
- Right to Limit the Use/Disclosure of Sensitive Personal Information (Sections 7014 and 7027)
- The modified proposed regulations clarify that sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to requests to limit. The modified proposed regulations state that businesses do not need to provide a notice of right to limit the use of sensitive personal information if the business only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer.
- Processing Consumer Requests
- “Disproportionate effort”: The modified proposed regulations continue to limit certain obligations to respond to access, deletion and correction requests where doing so would involve disproportionate effort, but change the definition of “disproportionate effort” to (1) make clear it applies to service providers, contractors and third parties, in addition to businesses; and (2) take into account factors such the size of the responding entity, the nature of the request, and the technical limitations impacting the entity’s ability to respond.
- Requests to Correct (Section 7023): The modified proposed regulations add that ensuring that corrected personal information remains corrected is a factor in determining whether fulfillment of a request to correct is compliant.
- Data Minimization (Section 7002)
- The modified proposed regulations provide additional specifications for the requirements that a business’s collection, use, retention or sharing of a consumer’s personal information be reasonably necessary and proportionate to achieve (1) the “purpose(s) for which the personal information was collected or processed,” or (2) another “disclosed purpose that is compatible with the context in which the personal information was collected.”
- The modified proposed regulations specify that the purpose(s) for which personal information was collected or processed must be consistent with the “reasonable expectations of the consumer.” The reasonable expectations of a consumer must be determined based on the (a) relationship between the consumer and the business; (b) type, nature, and amount of personal information that the business seeks to collect or process; (c) source of the personal information and the business’s method for collecting or processing it; (d) specificity, explicitness, and prominence of disclosures to the consumer about the purpose for collecting or processing the consumer’s personal information; and (e) degree to which the involvement of service providers, contractors, third parties, or other entities in the collection or processing of personal information is apparent to the consumer.
- Whether another disclosed purpose is compatible with the context in which personal information was collected must be based on factors that include (a) the reasonable expectation factors outlined above; (b) the other disclosed purpose, including whether it is a “Business Purpose” under the CCPA/CPRA; and (c) the strength of the link between (a) and (b).
- The modified proposed regulations also clarify that whether a business’s collection, use, retention or sharing of personal information is “reasonably necessary and proportionate” to achieve the relevant purposes must be based on factors that include the (a) minimum personal information that is necessary to achieve the purpose identified; (b) possible negative impacts on consumers posed by the business’s collection or processing of the personal information; and (c) existence of additional safeguards for the personal information to specifically address the possible negative impacts on consumers.
- Risk Assessments and Automated Decisionmaking
- The proposed regulations still do not address risk assessments or automated decisionmaking technology, including profiling.