With the clock now running on the comment period for the California Privacy Protection Agency’s (CPPA) Draft Regulations to implement the CPRA – comments are due on August 23 – one of the items on many businesses’ CPRA preparation to-do lists is to address new (and the expansion of existing) consumer rights. The Draft Regulations published by the CPPA lay out how the CPPA is likely to define these obligations. This post takes a deeper look at what’s in the CPPA’s proposal – as well as what’s missing.
A couple of overarching points are worth keeping in mind. First, implementing the CPRA’s consumer rights provides an occasion to review and update data maps so that they accurately capture how personal information flows both through their organizations and to service providers, contractors, and/or third parties. Second, preparing for CPRA consumer requests should go hand-in-hand with reviewing the systems and procedures that are in place to honor consumers’ requests.
Right to Opt Out of Sale/Sharing of Personal Information
The CPRA broadens the scope of the CCPA’s existing opt-out right to include the “sharing” of personal information. The Draft Regulations would add to existing opt-out obligations by requiring a business to:
- Provide a “means by which the consumer can confirm” that their request has been processed by the business (e.g., by displaying through a toggle or radio button on the business’s website that the consumer has exercised their right); and
- Notify all third parties to whom the business has sold or shared the consumer’s personal information since receiving the request that the consumer has exercised their opt-out right, direct them to comply with the request, and forward the request to any other person to or with whom they have disclosed or shared the consumer’s personal information.
Right to Delete
Following new requirements under the CPRA, the Draft Regulations clarify that a business must send deletion requests “downstream” to all relevant parties. Specifically, the Draft Regulations provide that a business must: (i) instruct its service providers and contractors to delete the consumer’s personal information from their records; and (ii) notify all third parties to whom it has sold or shared the consumer’s personal information to delete the information. Service providers and contractors must in turn notify other service providers, contractors, and third parties that accessed the personal information that is subject to the deletion request, unless the access occurred at the direction of the business. These obligations are subject to limitations if they are impossible or would require disproportionate effort to fulfill.
Right to Correct
The right to correct is a new right granted to consumers by the CPRA, and the Draft Regulations establish rules and procedures to facilitate consumers’ correction requests. Among other obligations, the Draft Regulations provide that, upon verification, a business must determine the accuracy of the personal information by considering the “totality of the circumstances relating to the contested personal information.” Pursuant to the Draft Regulations, relevant factors that a business would need to consider are: (i) the nature of the personal information; (ii) how the business obtained the contested information; and (iii) documentation relating to the accuracy of the information. A business that corrects personal information would also need to implement measures to ensure the information “remains corrected” and instruct its service providers and contractors to correct the information in their respective systems.
Right to Know
Building on the existing right to know, the Draft Regulations provide that a business must provide information beyond the 12-month period preceding the business’s receipt of the request unless doing so “proves impossible or would involve disproportionate effort.”
Right to Limit Use and Disclosure of Sensitive Personal Information
The right to limit the use and disclosure of sensitive personal information is another new right under the CPRA. The Draft Regulations would require a business to handle such “requests to limit” by:
- Ceasing to use and disclose the consumer’s sensitive personal information, except for purposes allowed under the regulations, within 15 business days of receiving the request;
- Notifying its service providers and contractors that the consumer has exercised their right to limit and instructing them to comply with the consumer’s request within the same time frame described above;
- Notifying all third parties to whom the business has disclosed or made available the consumer’s personal information for purposes other than those set forth in the regulations after the consumer submitted their request and before the business complied with the request that the consumer has exercised their right and directing the third party to comply with the consumer’s request and forward the request to others that have received the consumer’s sensitive personal information;
- Notifying all third parties to whom the business makes sensitive personal information available for purposes other than those set forth in the regulations (e.g., third parties that the business authorizes to collect information from its property) that the consumer has exercised their right, and directing such third parties to comply with the consumer’s request and forward the request to others that have received the consumer’s sensitive personal information; and
- Providing a “means by which the consumer can confirm” that their request has been processed by the business (similar to the obligation for opt-out requests described above).
Propagating Data Subject Rights to Service Providers, Contractors, and Third Parties
A business may have obligations to notify and instruct its service providers, contractors, and/or third parties to comply with a consumer’s request. Service Providers, contractors, and third parties may also have obligations to notify and instruct companies they’ve shared a consumer’s personal information with to comply with a request. The following chart shows obligations that each party has based on the consumer’s request.
See: Propagating Data Subject Rights Chart
Takeaways: The CPRA provides consumers with a range of rights that empower them to exercise more control over their personal information, and the additional obligations that the proposed regulations impose on businesses would help ensure that all parties processing consumers’ personal information give effect to such rights.
To reiterate, it’s unclear which of the amendments in the proposed regulations will stick. It is clear, however, that the expanded transparency and consumer rights requirements in the CPPA’s Draft Regulations are likely to require substantial time and resources to implement.
Stay tuned for additional blog posts in which we will summarize how the proposed regulations contemplate some of businesses’ other compliance obligations under the CPRA.