Businesses and practitioners are busy evaluating how the California Privacy Rights Act differs from the California Consumer Privacy Act and what impact the CPRA will have on compliance obligations. Even with this analysis, there remains a big unknown — the significant regulations anticipated by the CPRA. The broad scope of this rulemaking is likely to further shape interpretation of the CPRA and impact compliance.

Section 1798.185 is the CPRA “Regulations” provision. It is one of a few provisions that became operative on the CPRA’s Dec. 16, 2020, effective date, replacing its CCPA counterpart. As discussed in the CPPA providing notice to the attorney general that it is ready to do so. Final CPRA regulations are to be adopted by July 1, 2022, a year ahead of the CPRA’s enforcement.

Section 1798.185 identifies 22 areas requiring regulation, including a catch-all category of “harmonizing the regulations governing opt-out mechanisms, notices to consumers, and other operational mechanisms,” and this list is not exhaustive. Businesses subject to the CPRA will want to be familiar with these anticipated regulations and follow the rulemaking process as they plan their compliance strategies. Some of the key rulemaking topics are discussed below.

Audits and risk assessments

One of the CPRA's most impactful provisions, 1798.185(a)(15), involves issuing regulations requiring businesses to conduct annual cybersecurity audits and "regular" risk assessments if the business's "processing of consumers' personal information presents significant risk to consumers' privacy or security." In determining whether the processing "may result in significant risk to the security of personal information," the CPRA identifies two factors to be considered: (1) the size and complexity of the business; and (2) the nature and scope of processing activities. 

While the specific requirements for audits and risk assessments will be determined by future regulations, the CPRA does provide some guidance. Businesses obligated to perform an audit will need to define the audit's scope and "establish[] a process to ensure that audits are thorough and independent." Risk assessments are to be submitted to the CPPA and need to include whether the processing includes sensitive personal information. They also need to identify and weigh the benefits against the potential risks of the processing, "with the goal of restricting or prohibiting the processing if the risks to [the] privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public."

The CPRA's risk assessment requirement is similar to the EU General Data Protection Regulation. Article 35 mandates a data protection impact assessment be carried out in consultation with the data protection officer for processing "likely to result in a high risk," but unlike the CPRA, it does not require DPIAs to be filed with a regulatory authority. While Article 35 identifies particular circumstances where DPIAs are necessary, it also calls for guidance regarding what kind of processing is subject to the DPIA requirement. Both the European Data Protection Board and individual countries, like the U.K. Information Commissioner's Office, have issued such guidance. Whether the CPPA or the CPRA regulations themselves will provide similar direction about the type of processing subject to the audit and risk assessment requirements is an issue for businesses to watch.

Opting out and limiting the use of personal information

The CPRA contemplates additional regulations regarding the process for consumers to opt out of the sale or sharing of personal information and restrict the use of sensitive personal information. Opt-out rights and obligations already are addressed by both current CCPA regulations and the proposed additional regulations. CPRA Section1798.185(a)(4) amends its CCPA counterpart to include the CPRA’s new concepts of sharing and sensitive personal information, directing “rules and procedures” be established to “facilitate and govern” consumer requests to opt-out or limit the use of sensitive information “to ensure that consumers have the ability to exercise their choices without undue burden and to prevent business[es] from engaging in deceptive or harassing conduct,” including retaliation. Like the CCPA, this provision also calls for regulations “to govern business compliance” with opt-out requests and for the development of a “recognizable and uniform opt-out logo or button” (an issue addressed in the proposed modifications to Section 999.306). 

The CPRA also calls for regulations regarding the opt-out preference signal referenced in Section 1798.135(b)(1). Businesses that allow consumers to opt out of the sale and sharing of personal information and limit the use of their sensitive personal information “through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism” do not have to provide the links or otherwise comply with the requirements in Section 1798.135(a). Section 1798.185(a)(19) requires regulations to “define the requirements and technical specifications” for an opt-out preference signal, identifying specific issues to be addressed, including ensuring the signal is “consumer-friendly, clearly, described, and easy to use by an average consumer.” This provision also contemplates a regulation establishing technical specifications for an opt-out preference signal that allows the consumer or their parent/guardian to specify they are under 13 years of age or at least 13 and less than 16 years of age.

In addition to addressing the technical specifications for an opt-out preference signal, CPRA Section 1798.185(a)(20) requires regulations “to govern how a business that has elected to comply with [1798.135(b)] responds ... to the signal” and gives consumers the opportunity to later “consent to the sale or sharing of their personal information or the use and disclosure of their sensitive personal information.” Again, the CPRA gives specific directives for these regulations, including that they should “strive to promote competition and consumer choice and be technology neutral” and make sure “any link to a web page or its supporting content” allowing the consumer to consent to opt-in does not use dark patterns.

Rulemaking regarding this opt-out preference signal is likely to generate significant attention. While the CPRA appears to give businesses the choice about whether to respect opt-out preference signals, CCPA regulation Section 999.315 (adopted in August 2020 after the filing of the CPRA ballot initiative) requires businesses that collect information from consumers online to “treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism ... as a valid request” to opt-out “for that browser or device, or, if known, for the consumer.” California Attorney General Xavier Becerra made headlines in late January when he appeared to endorse the Global Privacy Control opt-out tool as meeting CCPA requirements. Making business obligations clear with respect to the opt-out process will presumably be a rulemaking priority.

Automated decision-making technology

Article 22 of the GDPR gives data subjects “the right not to be subject to a decision based solely on automated processing, including profiling ....”  While the text of the CPRA does not include a similar right, it does provide for rulemaking on this issue. Section 1798.185(a)(16) requires regulations “governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling.” The provision includes mandating businesses “include meaningful information about the logic involved in those decision making processes, as well as a description of the likely outcome of the process with respect to the consumer” in response to access requests.

Consumer requests              

Some of the regulations deal with the consumer request process. Section 1798.185(a)(8) provides for regulations concerning how often and when a consumer can request a correction. It includes developing standards regarding a business’s response, how accuracy concerns can be resolved, fraud prevention measures, and a consumer’s right “to provide a written addendum to the business” if the request to correct is rejected.

Section 1798.185(a)(9) relates to the standard identified in 1798.130(a)(2)(B) allowing businesses not to provide information beyond the 12-month period in response to a verifiable consumer request if it deems the request “impossible or would involve a disproportionate effort.”

Definitions

The CPRA identifies the need for rulemaking regarding certain definitions, including:

  • “Intentionally interacts,” to maximize consumer privacy.
  • “Precise geolocation,” considering “if the size defined is not sufficient to protect consumer privacy in sparsely populated areas or when the personal information is used for normal operational purposes, including billing.”
  • “Dark pattern.”
  • “Specific pieces of information obtained from a consumer,” “with the goal of maximizing a consumer’s right to access relevant personal information while minimizing the delivery of information to a consumer that would not be useful ... including system log information and other technical data.”

'Business purposes'

The term “business purposes” also will be subject to rulemaking, including regulations related to the ability of businesses, service providers and contractors to use consumers’ personal information, establishing when service providers and contractors can combine personal information from different sources, and identifying when service providers and contractors may use personal information received pursuant to a written contract with a business for their own business purposes.

CPPA audit authority

One of the functions of the CPPA is to appoint a chief privacy auditor “to conduct audits of businesses to ensure compliance” pursuant to future regulations. These regulations will “define the scope and process” for the CPPA’s audit authority, establish criteria for determining who should be audited, and “protect consumers’ personal information from disclosure to an auditor in the absence of a court order, warrant, or subpoena.”

Conclusion

As businesses consider their compliance obligations under the CPRA, they will need to keep in mind the anticipated regulations and what impact they may have operationally. Procedurally, the rulemaking process for