Over the prior year, we’ve received numerous questions about what obligations the CPRA Regs will add to the underlying statute. On February 14, the CPPA, California’s new privacy regulatory agency, filed the first part of its proposed final CPRA Regs with California’s Office of Administrative Law (OAL). OAL has 30 business days to review and approve the proposed final CPRA Regs. Assuming OAL approves the Regs (which we expect it will), the Regs should take effect in April or May 2023. Now that we’ve seen the likely final version of the CPRA Regs, we’ve identified eight (8) key new obligations businesses will need to address. This list is not comprehensive, and you should speak with a lawyer about the various obligations under the law. We also note that the CPPA only filed the first part of the CPRA Regs; the CPPA is currently taking comments on the second part the CPRA Regs which are set to cover cybersecurity audits, risk assessments, and automated-decisionmaking. If you are interested in drafting comments or have any questions about the CPRA, please contact us.

1. Section 7002

Section 7002 is perhaps the biggest addition in the CPRA Regs. Section 7002 is an expansive interpretation of Section 1798.100 of the CPRA statutory text, which states that a “business’s collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” Based on our reading of Section 7002, a business must comply as follows:

(a) Disclosure. A business must disclose each category of personal information it processes and the purposes for processing that information within its Notice at Collection.

(b) Reasonable Expectation / Compatibility Tests. For each purpose identified in the Notice at Collection, the business must evaluate the purpose in the context of the reasonable expectation test or the compatibility test. The reasonable expectation test is used to evaluate a purpose for which the personal information was originally collected. The compatibility test is used to evaluate a purpose other than for which the personal information was originally collected. The specifics of these tests are set out in the CPRA Regs. If the purpose passes the relevant test, the business can proceed with the processing without consent. If, however, the purpose fails the relevant test, the business must obtain consent in order to proceed with the processing.

(c) Reasonable and Proportionate Test. For each purpose identified in the Notice at Collection, the business must also evaluate the purpose in the context of the reasonable and proportionate test. The specifics of this test are set out in the CPRA Regs.

Section 7002 will fundamentally impact secondary uses for personal information, and may outright prohibit certain uses. Businesses should start documenting their data practices in the context of these tests, including through risk assessments.

2. Dark Patterns 

The CPRA Regs expand on the prohibitions around dark patterns. Under the CPRA Regs, a business must implement methods for submitting CPRA requests and obtaining consumer consent that are easy to understand, have symmetry in choice, avoid language or interactive elements that are confusing, avoid architecture that impacts or interferes with the consumer’s ability to make a choice, and are easy to execute. A method that does not comply with these requirements may be a dark pattern. Businesses should carefully evaluate technological implementation within their services, especially where using third party consent management platforms. For example, a website cookie banner that only gives the option of “Accept All” and “More Information” could constitute a dark pattern.

3. Notice at Collection

The CPRA Regs further specify the language that must be included in a Notice at Collection. In addition, the Regs state that both third and first parties (terms not previously found in the CPRA text) controlling the collection of personal information must provide a Notice at Collection. The Regs also clarify that a link to a Notice at Collection must direct consumers to the specific section with relevant information, and not to the top of a general privacy policy. Businesses should carefully evaluate their disclosures to make sure they align with the new obligations.

4. Opt-Out Preference Signals 

The CPRA Regs set out extensive requirements for operationalizing requests to opt-out of sales and shares. Of particular note, the CPRA Regs seek to remove any ambiguity as to whether businesses must respond to Do Not Sell or Share opt-out preference signals, such as GPC. The answer is yes, businesses must respond and disclose so in their Notice at Collection. To the extent a business associates a consumer profile (including an account or pseudonymous profile) with a specific browser or device when it receives the signal, it must apply that opt-out to the entire profile. Further, a business may use something called a “frictionless” opt-out (meaning the business only responds to preference signals and does not need a Do Not Sell or Share link in the footer), but only where the business engages in sales and shares exclusively through tracking technologies on its website and subject to limitations. Businesses should review the implementation of their Do Not Sell or Share mechanisms, especially given the recent warning letters issued by the Attorney General and focus of the CPPA on sales and shares.

5. Requests to Limit Use and Disclosure of Sensitive Personal Information

The CPRA Regs set out extensive requirements for operationalizing requests to limit the use and disclosure of sensitive personal information. These requirements are similar to those set out for sales and shares, but do not go as far as requiring a business to respond to preference signals. The Regs also clarify what constitutes permissible business uses for sensitive personal information, and situations that do not require a business to offer a request to limit opt-out, including where sensitive personal information is processed without the purpose of inferring characteristics about a consumer. Businesses should review these obligations, especially in the context of the robust requirements under Section 7002.

6. Alternative Opt-Out Link

Here is one addition many businesses may welcome. The CPRA Regs allow businesses to use an alternative opt-out link in the footer of their websites, specifically the phrase “Your Privacy Choices” along with an adjacent opt-out icon. There are specific requirements around use of this alternative opt-out link. Businesses may want to consider moving to this alternative opt-out language.

7. Consumer Requests

The CPRA Regs set out extensive requirements for operationalizing consumer requests, many of which build upon requirements from the prior CCPA Regs. There are now specific requirements for the right to correct, including that a business should implement measures to ensure personal information subject to a request remains correct. There are also additional requirements for the rights to know and delete, including obligations to notify service providers and third parties. Service providers also have their own downstream obligations. Remember that consumer requests fundamentally differ from requests to opt-out and limit as they require verification and allow for a longer response time. Businesses should review their technical process for responding to consumer requests, including implementation with APIs for their vendors.

8. Contracts

The CPRA Regs clarify the importance of contractual language and expand upon the language that must go into contracts, including for both service provider and third party contracts. Per the CPRA Regs, a recipient of personal information that does not have specific service provider language in its contract with a business cannot be a service provider. A third party recipient that does not have third party language in its contract is prohibited from processing personal information. And a service provider cannot contract to provide cross-contextual advertising – in that role, the recipient is a third party. Businesses should review their contracts to make sure they include appropriate language.