On Friday, May 27, 2022, just in time for the holiday weekend, the California Privacy Protection Agency (CPPA) Board quietly issued a draft of proposed regulations implementing the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA). The surprise announcement included a 66-page draft of proposed amended regulations (the Regulations) describing a detailed, prescriptive approach to privacy regulation that will impose significant additional obligations and compliance costs on covered businesses beyond what was already required for the CCPA.1 The Regulations are likely to further complicate compliance with the growing patchwork of privacy obligations.
While some aspects of the Regulations are likely to change before they are finalized, the Regulations effectively set a new compliance baseline in the United States. They provide mechanisms for rapid enforcement with potentially large fines, implement numerous CPRA requirements, including a prohibition on dark patterns and recognition of global opt-outs, and dramatically increase contractual obligations for sharing data with service providers and other third parties, among other things. We highlight some key takeaways below, with an emphasis on enforcement and new obligations on service providers.
Enforcement: Fast & Expensive with Little Due Process
All companies will want to look closely at Article 9 of the Regulations, which sets out the CPPA’s enforcement provisions. While California does not provide a private right of action for privacy violations2, the Regulations describe abbreviated enforcement procedures with short deadlines, limited due process rights, and the potential for large administrative fines.
The Regulations provide a mechanism for consumers to submit sworn complaints describing compliance violations but they also allow the CPPA to initiate its own investigations based on unsworn or anonymous complaints and other referrals. For sworn complaints, the agency must respond in writing to the complainant describing the agency’s action or nonaction in response to the complaint. Given that the agency must respond to each complaint, it’s not hard to imagine a framework where the CPPA simply forwards complaints to businesses, putting the burden on companies to respond in writing or else risk administrative penalties.
The Regulations also establish a framework for “probable cause” hearings that the agency must initiate under the statute to bring an enforcement action. The statute provides that probable cause exists when “the evidence supports a reasonable belief that the CCPA has been violated.” Upon receiving a complaint or on its own initiative, the CPPA need only provide 30 days’ notice to a company describing the alleged violation(s) by either service of process or registered mail before initiating a probable cause hearing. The Regulations are notably silent about whether the CPPA will grant an extension of time.
The Regulations are light on due process protections for alleged violations. Companies accused of violations can request a public hearing if they do so in writing at least 10 days in advance, otherwise the entire proceeding is closed to the public and conducted informally by agency staff, potentially over videoconference or telephone. Agency staff is solely responsible for determining whether there is probable cause based on a notice issued to the company and any information or arguments presented at the proceeding by the parties.
A company that fails to participate or appear at the proceeding waives the right to further probable cause hearings and gives agency staff the right to determine whether there is probable cause based solely on the notice and any information presented by the Enforcement Division of CPPA (which could mean based solely on an unsworn complaint).
After a hearing, agency staff issue a written decision with their determination of probable cause. Surprisingly, the Regulations provide that the agency’s probable cause determination is final and not subject to appeal. Because the statute provides for administrative fines of up to $2500 for each violation (and $7500 for intentional violations or if the violation involves minors), a probable cause hearing could potentially result in substantial monetary liability – but there is no process described to challenge the facts or legal conclusions. Thus, the agency acts as both regulator and judge, raising concerns about the impartiality of any judgment. If enacted as currently proposed, this provision will almost certainly be challenged in court on a variety of grounds.
Consumer Consent and Dark Patterns
The CPRA generally permits businesses to obtain consumer consent to circumvent various requirements under the statute. For example, even if a consumer has exercised a right to opt-out from certain uses of their information, a business can still seek a consumer’s affirmative consent to override the opt-out. The Regulations set forth the details for obtaining such consent. Consent mechanisms must be easy to understand and must offer “symmetry in choice,” meaning that it cannot be more burdensome or take longer for a consumer to exercise a more privacy-protective option. The Regulations state that companies should avoid confusing language, like double negatives, and should not use language or wording that “guilts” a consumer into making a particular choice or bundles consent to subvert the consumer’s choices. Finally, the Regulations provide that consent mechanisms must be easy to execute without unnecessary burden or friction and must be tested to ensure functionality.
Consent mechanisms that do not abide by these principles may be considered a “dark pattern,” which nullifies consent under the CPRA. The Regulations provide that a user interface is a dark pattern if it “has the effect of substantially subverting or impairing user autonomy, decision-making, or choice,” regardless of a business’ intent.
Limitations on Service Providers, Contractors, and Third Parties
The Regulations add a slew of new obligations and restrictions for service providers and contractors. Some of the notable provisions include:
- Detailed contractual requirements. Service providers and contractors must have a written contract in place that meets all of the requirements of the Regulations to qualify as a service provider or contractor rather than a “third party.” The contractual requirements are quite detailed and require specifics that may prohibit one-size-fits-all contracting. The Regulations include:
- A prohibition on selling or sharing personal information a service provider receives from or on behalf of a business;
- A specific description of the exclusive purposes and services underlying the service provider’s processing of personal information;
- A prohibition on retaining, using, or disclosing personal information received from a business for any purposes other than those specified in the contract, or using such information for a different business, unless otherwise permitted under the CCPA and CPRA;
- A prohibition on processing personal information outside of a service provider’s direct relationship with a business, such as by combining or updating personal information received from a business with information received from another source.
- Requirements to comply with all applicable sections of the CCPA, CPRA, and the Regulations, and to allow a business the right to assess the service provider’s systems for compliance, such as by automated scans or manual review;
- Obligations to notify a business within 5 business days if a service provider determines it cannot meet its obligations under the CCPA and CPRA or the Regulations;
- Providing the business the right to take “reasonable steps” to stop and remediate unauthorized use of personal information, such as requiring documentation that data has been deleted following a consumer’s request;
- Requirements that a business inform a service provider of any consumer requests under the CCPA and CPRA and provide necessary information for the service provider to comply.
- Limits on retention, use, or disclosure of personal information. The Regulations impose specific limits on how service providers or contractors can use personal information received from—or on behalf of—a business, in addition to the contractual provisions described above. For example, a service provider cannot use personal information it receives from a business for internal use, unless it is to “build or improve the quality of its services” without using information to “perform services on behalf of another person.”
- Further limits on advertising. Service providers are prohibited from contracting with a business to provide “cross-contextual behavioral advertising” without being treated as a third-party. The Regulations specifically prohibit a service provider or contractor from combining personal information it receives from a business with personal information from anyone else or from its own interactions with consumers, at least for purposes of advertising or marketing.
- Third Parties that “Control the Collection” of Personal Information. The Regulations update the requirements to provide timely “notice at collection” to consumers about the categories of personal information to be collected and the purposes for which it will be used.It includes some new specific requirements on third parties that “control the collection” of personal information, as often occurs in connection with digital advertising, including:
- Where more than one party controls the collection of personal information, all such parties must provide a detailed notice at collection describing each parties’ collection and use of personal information;
- First party services that allow a third party to control the collection of personal information must include the names of all third parties allowed to collect personal information from the consumer in their own notice of collection; and
- A third party that controls collection of personal information in another business’ physical location, such as a retail store or in a vehicle, must also provide notice at collection in a conspicuous manner at the physical location.
More Regulations to Come
The 66-page Regulations include many other obligations that will require careful attention. This draft is also only the first set of Regulations, with more to issue at a date uncertain covering additional topics. The Regulations will be considered at the CPPA Board meeting scheduled for June 8, 2022. However, the timeframe associated with the Regulations remains unclear, as the meeting’s agenda states only that the Board will consider “possible action regarding the proposed regulations . . . including possible notice of proposed action.”
We will continue to closely monitor privacy developments in California and elsewhere. If you have a question about how to comply with privacy obligations under state, federal, or international law, Baker Botts attorneys can help. Please reach out to any members of the Privacy and Data Security team for further assistance.
1 Although these Regulations implement the CPRA, the regulations are titled “California Consumer Privacy Act Regulations” and amend the existing regulations previously issued under the CCPA.
2The CCPA does, however, provide for a limited private right of action for data breaches
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.