The California Privacy Protection Agency (CPPA) recently released the draft proposed CCPA Regulations and draft initial statement of reasons. Importantly, these are draft regulations that are likely to be subject to extensive public comment and modification before they become final. At the June 8 meeting, the board moved to approve the draft regulatory text to begin the formal rule making process and public comment period.
These draft regulations redline the existing CCPA regulations. Though some provisions were largely unedited, they could be modified in forthcoming updates. This includes notices regarding financial incentives, rules for consumers under the age of 16, non-discrimination practices, and requirements for verifying requests. Requirements around cybersecurity audits, risk assessments, and automated decision-making technology were not covered in this draft.
While the draft regulations do not address all topics on which the CPRA required the CPPA to adopt regulations, the draft does include guidance on certain topics of interest such as data processing agreements and the opt-out preference signal. In this series we examine some of the key takeaways for companies.
Our focus in today’s post is on collection and notice. Under the proposed regulations, a business’s collection, use, retention and sharing of personal information should be consistent with what a consumer would expect when the information was collected. Any uses that are unrelated or incompatible with the original purpose requires explicit consent from the consumer. The draft provides four illustrative examples on this point.
For privacy policies, the regulations largely incorporate the statutory content requirements, and then adds new requirements. Where more than one business controls the collection of a consumer’s personal information, both the first-party business and any third-party businesses would have to provide a notice at collection. The draft provides several examples on this point.
Putting It Into Practice: This draft is likely to undergo many updates during the public notice and comment period. Whether they will be finalized before the CPRA comes into effect on January 1, 2023 is not clear. In light of this uncertainty, companies would be well served to look at the key developments to begin to develop approaches for addressing compliance.
Julia Kadish and Liisa Thomas