Publication
CPPA Board Meeting Modifies CPRA Regulations
By Brandon Roper, Diamond J. Zambrano, Aloke S. Chakravarty, Chase Millea, and Tony Caldwell
The California Privacy Protection Agency (CPPA) held a board meeting on October 28 – 29, 2022 (the “Meeting”) to review proposed modifications to the California Privacy Rights Act (CPRA). The CPRA is effectively an amendment to the California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020 and will become effective on January 1, 2023. In the leadup to the CPRA effective date, the CPPA accepted input from the public during a comment period that ended on August 23, 2022. The response from the public during the comment period was substantial and resulted in thousands of pages of written comments, resulting in the CPPA making proposed revisions to the CPRA regulations that were the subject of the Meeting.
During the Meeting, a number of substantive revisions to the CPRA were discussed, including the following:
- Global Privacy Controls (GPC): Opt-Out Preference Signal
- GPC is a technology consumers can use to automatically send commands from their computer or other device(s) that indicate consumers' preferences for data sharing. The CCPA does not require businesses to employ technology that works with or recognizes GPC from consumers. However, the CPRA will require businesses to recognize and abide by the data sharing preferences communicated via GPC.
- The CPPA board discussed some potential unintended consequences of the GPC requirement in the CPRA. The CPPA board explored a hypothetical example, discussing how businesses should respond to GPCs from consumers who previously participated in a business’ financial incentive program. The effect of such a business receiving a GPC from a consumer would be contradictory. On the one hand, the consumer previously requested that their personal data be used to participate in a financial incentive program. On the other hand, the GPC could subsequently send an automatic signal for the business to not use the consumer’s data. On this point the CPPA board concluded that clarifying language will need to be added to the CPRA to avoid unnecessary ambiguities. These changes are forthcoming.
- Limiting the Use of Sensitive Personal Information
- The CPRA will introduce a new classification of data called Sensitive Personal Information (SPI). With the new class of data comes a new right of consumers to limit businesses use of SPI. Businesses will have to tell consumers how they will use the SPI before the businesses collect it, giving consumers the opportunity to limit the use of their data.
- The CPPA board discussed the list of permissible purposes for which businesses can process SPI without having to give consumers the right to limit such use (located in Section 7027(m) of the draft regulation). The CPPA board expressed concerns that the list is not adequately comprehensive and that this part of the regulation needs further discussion and subsequent modification.
- Data Minimization, Purpose Limitation, and Secondary Use
- The CPRA draft regulations include language that requires any information that is collected from consumers be “reasonably necessary and proportionate to either the purposes for which it was collected or another disclosed purpose that is compatible with the context in which the personal information was collected.” Information that is collected from a consumer and does not meet those requirements requires the consumer’s consent. In other words, for a new use case, consumer data cannot be collected, used, or retained without first notifying the consumer AND receiving consent from the consumer for such use. Similarly, the CPRA will require businesses to be specific and intentional when collecting consumer data, notifying consumers at the time of collection of the “explicit and legitimate purposes” for which their data is collected and used and that their data will not be “further processed in a manner that is incompatible with those purposes.”
- The CPPA board determined that the current draft CPRA regulations need clarifying language to be added in order for businesses and consumers to better understand what specifically must be included in consumer disclosure notices. The board determined that the updated regulation needs to include language that is straightforward and easy to understand.
The CPPA board plans to publish updated proposed rules within the next two (2) weeks after which another public comment period will begin. After that comment period a final draft of the rules will be considered by the CPPA board and then by the California Office of Administrative Law by the end of this year. If those timelines are met the CPRA will become effective on schedule, on January 1, 2023.
Snell & Wilmer has been monitoring requirements under CCPA and CPRA, will continue to provide updates as this topic develops. See our previous article on expiration of CCPA exemptions for B2B and employee personal data here.
About Snell & Wilmer
Founded in 1938, Snell & Wilmer is a full-service business law firm with more than 500 attorneys practicing in 16 locations throughout the United States and in Mexico, including Los Angeles, Orange County and San Diego, California; Phoenix and Tucson, Arizona; Denver, Colorado; Washington, D.C.; Boise, Idaho; Las Vegas and Reno, Nevada; Albuquerque, New Mexico; Portland, Oregon; Dallas, Texas; Salt Lake City, Utah; Seattle, Washington; and Los Cabos, Mexico. The firm represents clients ranging from large, publicly traded corporations to small businesses, individuals and entrepreneurs. For more information, visit swlaw.com.