California Privacy Protection Agency Releases Draft Regulations
The California Privacy Protection Agency (the “Agency”) released draft regulations on May 27, 2022, that are intended to implement portions of the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”). The regulations focus on issues ranging from opt-out preferences to consumer complaints as companies gear up for the majority of the CPRA to take effect on January 1, 2023.
The proposed regulations include detailed requirements for obtaining and implementing consumer direction regarding the sale and sharing of personal information, but they do not cover a number of privacy topics set out in the grant of rulemaking authority. The proposed regulations do not set forth any particular rules on the handling of personal information relating to, or privacy requests from, employees or individuals who interact with a business in a business capacity. They also do not go into detail on the requirement for a business to make disclosures in its privacy policy about its practices related to retention of personal information, cybersecurity audits, privacy risk assessments, and automated decision-making.
A couple of key highlights from the draft regulations include:
- Dark Patterns – the draft regulations provide specific guidelines on how a business must present consumers with the ability to exercise their rights and obtain valid consent under the law, and any practice that does not comply with these requirements may constitute a “dark pattern.” The regulations define a dark pattern as a user interface that has the “effect of substantially subverting or impairing user autonomy, decision making, or choice, regardless of a business’s intent” and note that any agreement obtained through the use of dark patterns will not constitute consumer consent.
- Opt-Out Preference Signals – the CPRA requires businesses to treat opt-out preference signals as valid requests to opt out of the sale or sharing of a consumer’s personal information. Under the draft regulations, a business shall process any opt-out preference signal as a valid request to opt out of sale/sharing if (a) the signal is in a format commonly used and recognized by businesses (such as an HTTP header field) and (b) the platform, technology or mechanism that sends the opt-out signal makes clear to the consumer that the use of the signal is meant to have the opt-out effect.
The draft regulations come roughly two months before the Agency is required to adopt final regulations for the law (by July 31, 2022) and almost seven months before the CPRA is set to go into effect.