CPRA Regulations Update: What In-House Counsel Need to Know and Do Now
By Michael Kurzer, Parker Hancock, Warner Scott and Lindsay Moore
On March 29, 2023, California’s Office of Administrative Law (OAL) approved the California Privacy Protection Agency (CPPA) Board’s initial package of regulations under the California Privacy Rights Act (CPRA).
The final CPRA regulations (“CPRA Regulations”) cover a wide array of topics including consumer rights, business’s obligations in handling personal information, user interface design, sharing of information with third parties, additional protections for sensitive personal information, cross-context behavioral advertising, global privacy controls, cybersecurity audits, risk assessments and enforcement procedures. The proposed final CPRA Regulations are intended to provide clarity and specificity to implement the law and address feedback from public comment periods.
Some of the most significant topics addressed in the new regulation include a new framework for the lawful use of consumer data, guidance on when and how consent must be obtained from consumers, and a new opt-out framework, all of which are discussed below.
New Framework for Explaining Data Collection Purposes and Promoting Data Minimization
The CPRA Regulations provide a new framework for regulating how businesses can use personal information. This new framework is motivated by an intent to promote “data minimization” in handling personal information by adding new limits on what information a business is able to collect, how it can use it, and how long that information can be retained. First, the CPRA regulations require that the collection, use, retention, and sharing of a consumer’s personal information be “reasonably necessary and proportionate” to achieve the original purpose for which the personal information was collected or processed, or another disclosed purpose that is compatible with the context in which the personal information was earlier collected.1
Further limiting this standard, the CPRA Regulations require that “the purpose(s) for which the personal information was collected or processed shall be consistent with the reasonable expectations of the consumer.”2 The CPRA Regulations elaborate that the consumer’s reasonable expectations are based on:
- The relationship between the consumers and the business. For example, the consumer of a business’s mobile flashlight app would not expect the business to collect their geolocation information to provide the flashlight service.
- The type, nature, and amount of information that the business seeks to collect or process. For example, if a business collects a consumer’s fingerprint in order to unlock their mobile device, the consumer likely expects the business’s use of the fingerprint is only for the purpose of unlocking their device.
- The source of the personal information and the business’s method for collecting or processing it.
- The specificity, explicitness, prominence, and clarity of disclosures to the consumer about the purposes for collecting and processing their information.
- The degree to which the involvement of service providers, contractors, third parties, or other entities is apparent to the consumer.
Additionally, the CPRA Regulations further require that a business not retain personal information longer than reasonably necessary to achieve the purpose for which it was collected.
New Guidance for User Interfaces for Consents, Data Subject Requests, and Prohibition of Dark Patterns
The CPRA Regulations provide guidance regarding how businesses can obtain consent for the collection and use of personal information. As part of this, the CPRA Regulations provide that the use of certain “dark patterns” in user interface designs may invalidate any consent obtained from them.3 Dark patterns are user interface designs that attempt to mislead, coerce or pressure users into taking certain actions, such as providing consent or giving up their privacy rights. Under the CPRA Regulations, a dark pattern is “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.”4 The CPRA also states that the use of dark patterns invalidates consent.
The CPRA Regulations provide extensive guidance on what constitutes a dark pattern and what does not. The CPRA Regulations require that user interfaces:
- Provide clear and easy-to-understand information about the choices available to consumers and the consequences of those choices.
- Use plain language that is appropriate for the intended audience and avoiding technical or legal jargon.
- Provide equal prominence and accessibility to both accepting and declining options.
- Avoid pre-selected choices that favor business interests over consumer interests.
- Avoid deceptive or misleading language, images, colors, sounds or other elements that could influence consumer decisions.
- Avoid using negative or discouraging messages on declining options or implying that consumers will lose access to services or benefits if they exercise their rights.
- Provide consumers with a simple and straightforward way to withdraw their consent or change their preferences at any time.
The CPRA’s guidance for user interfaces aims to ensure that consumers are able to make informed and meaningful decisions about their personal information and privacy rights. Failure to abide by these guidelines constitutes a “dark pattern” that cannot be used to provide legally adequate consent.
New Opt-Out Framework and Adoption of Opt-Out Preference Signal
The CPRA also introduces a new opt-out framework. The CPRA expands the definition of “sale” to include “sharing” of personal information for cross-contextual behavioral advertising, which is targeted advertising based on a consumer’s activity across different websites, applications, or services. The CPRA requires businesses that sell or share personal information to provide consumers with a clear and conspicuous link titled “Do Not Sell or Share My Personal Information” on their websites or mobile applications. Consumers can click on the link to submit a request to opt out of both sales and sharing of their personal information.
The CPRA Regulations also discuss the use of privacy opt-out signals that can be sent by consumer’s browsers.
One example of an opt-out preference signal is the Global Privacy Control (GPC), which is an open standard that allows users to signal their opt-out preferences through a browser extension or setting. The GPC is currently recognized by the California Attorney General’s current CCPA regulations as a valid opt-out mechanism, and the CPRA Regulations will further require businesses to honor the GPC and other similar controls for both sales and sharing of personal information, as well as limiting the use of sensitive personal information. By recognizing global privacy controls as valid opt-out requests under the law, the CPRA and CPRA Regulations enhance consumer choice and convenience while reducing privacy risks.
What This Means for You
The CPRA and the CPRA Regulations will have a significant impact on the data privacy landscape in California and beyond. Businesses that collect, use, retain, or share personal information for advertising purposes will need to comply with new and enhanced consumer rights and business obligations under the law. Businesses will also need to monitor future rulemaking by the CPPA for future rule proposals as well.
If your business is involved in behavioral advertising activities, its leadership should start preparing for compliance with the CPRA and its proposed final regulations as soon as possible.
In preparation for the new CPRA Regulations, companies should:
- Evaluate its data collection policies and procedures.
- Update its privacy notices.
- Implement mechanisms for honoring consumer requests.
- Ensure contractual safeguards with service providers, contractors and third parties.
- Adopt data minimization policies and data retention principles.
- Conduct data protection impact assessments.
V&E assists clients in identifying, managing, and mitigating data privacy and cybersecurity risks, from early planning and assessment to managing incident response and resulting litigation.
1 CPRA Regulations § 7002(a).
2 CPRA Regulations § 7002(b).
3 CPRA Section 1798.140(h).
4 CPRA Section 1798.140(l).
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.