California Privacy Protection Agency Releases Draft Regulations
The California Privacy Protection Agency (the “Agency”) released draft regulations on May 27, 2022, that are intended to implement portions of the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”). The regulations focus on issues ranging from opt-out preferences to consumer complaints as companies gear up for the majority of the CPRA to take effect on January 1, 2023.
A couple of key highlights from the draft regulations include:
- Dark Patterns – the draft regulations provide specific guidelines on how a business must present consumers with the ability to exercise their rights and obtain valid consent under the law, and any practice that does not comply with these requirements may constitute a “dark pattern.” Dark pattern is defined in the regulations as a user interface that has the “effect of substantially subverting or impairing user autonomy, decision making, or choice, regardless of a business’s intent” and notes that any agreement obtained through the use of dark patterns will not constitute consumer consent.
- Opt-Out Preference Signals – the CPRA requires businesses to treat opt-out preference signals as valid requests to opt out of the sale or sharing of a consumer’s personal information. Under the draft regulations, a business shall process any opt-out preference signal as a valid request to opt out of sale/sharing if (a) the signal is in a format commonly used and recognized by businesses (such as an HTTP header field) and (b) the platform, technology or mechanism that sends the opt-out signal makes clear to the consumer that the use of the signal is meant to have the opt-out effect.
The draft regulations come roughly two months before the Agency is required to adopt final regulations for the law (by July 31, 2022) and almost seven months before the CPRA is set to go into effect.