06.29.2022 | Updates

Last week, the Consumer Privacy Protection Agency (Agency) Board rounded out the first half of 2022 by releasing draft California Privacy Rights Act (CPRA) regulations. This first set of CPRA regulations focuses on updating existing California Consumer Privacy Act (CCPA) regulations to account for the new provisions of the CPRA and on addressing specific areas such as Agency audits and enforcement. At its May 26, 2022, board meeting preceding the release of the draft, the Agency’s Executive Director Ashkan Soltani remarked, “We are building the car while driving it.”

At the meeting, the Agency board presented updates on the rulemaking process. Specifically, the board announced that the draft regulations would focus on the Agency’s enforcement procedures, audit authority, selection process, and safeguards, prioritizing these over subjects such as cybersecurity audits, privacy risk assessments, and automated decision-making, which the board said need more comprehensive review.

The board then posted the full text of the Draft Proposed California Consumer Privacy Act Regulations to the Agency website the next day and noticed a meeting for June 8, 2022.

Draft Regulations and June 8, 2022, Board Meeting

The 66-page Draft Proposed CCPA Regulations include regulations covering the following areas:

  • Restrictions on the collection, retention, and use of personal information.
  • Provisions to address so-called “dark patterns” and the process for obtaining consumer consent, including provisions addressing symmetry in choice, clarity of language, the exclusion of double negatives, and a prohibition against “manipulative language or choice architecture.” Agreements obtained in violation of those provisions would be deemed a “dark pattern” and would not constitute consumer consent.
  • Additions to accessibility requirements, including new specifications on the form of consumer disclosures and communications that require notices to be accessible for consumers with disabilities and readable across devices, including those with smaller screens.
  • Clarification on requirements for businesses in complying with consumer opt-out-of-sale/sharing requests, including a new requirement for businesses to provide a means “by which the consumer can confirm that their request to opt-out of sale/sharing has been processed by the business.” This requirement can take several forms, for example displaying on the business website the statement “Consumer Opted Out of Sale/Sharing.” The draft regulations also clarify that cookie management tools by themselves are not enough for submitting opt-out-of-sale/sharing requests.
  • Provisions that require certain terms in contracts with third parties, service providers, and contractors, and that clarify the associated business and legal obligations of such parties, including, notably, new requirements for third parties to provide notice at the time of collection.
  • Provisions relating to Agency audit powers, which would allow the Agency to “audit a business, service provider, contractor, or person to ensure compliance with any provision of the CCPA” if: (1) the Agency suspects possible violations of the CCPA; (2) the “subject’s collection or processing of personal information presents significant risk to consumer privacy or security”; or (3) the subject has a “history of noncompliance with the CCPA or any other privacy protection law.”

More discussion of these topics should be expected at the upcoming June 8, 2022, board meeting. This broad language should also be a subject of much discussion during the upcoming notice and comment period. Our Chambers-ranked Privacy & Data Security team will monitor upcoming developments and respond to any client concerns as the Agency moves forward with the rulemaking process. For support navigating the rulemaking process or preparing for compliance with upcoming regulations, our team is available to assist.

© 2022 Perkins Coie LLP