CPRA Final Regulations: Important Changes To Know

On February 6, 2023, the California Privacy Protection Agency (CPPA) Board voted to finalize its first set of proposed California Privacy Rights Act regulations. The final draft of the regulations was sent to the California Office of Administrative Law (OAL) for review and approval. Following OAL's 30-day review period, the final regulations will come into effect sometime in April, with full enforcement to follow on July 1, 2023.

These final regulations cover a broad range of topics, such as data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns, and consumer request handling. It is important to note that the proposed final regulations received no substantive changes from the modifications discussed and adopted at the CPPA board's October meetings.

The Preference Signal

Some of the most significant updates in the final regulations involve detecting and honoring users' preference signals, specifically the GPC signal. The following are some of the important requirements introduced in the regulations in relation to GPC signals.

• Valid Opt-out Request
  A preference signal meeting the specified requirements under the regulations must be considered a valid request to opt-out of the sharing/sale of a user's data from the particular browser or device, as well as any associated consumer profiles, including pseudonymous profiles.

• Request for Additional Information
  A business may provide a consumer with the option to provide additional information if the same helps facilitate honoring their request to opt-out of the sharing/selling of their data. However, if a consumer does not provide such information, the business must still honor the preference signal for that particular device and browser as well as any associated consumer profiles, including pseudonymous profiles.

• Conflict between GPC Signal and Earlier Privacy Settings
  If there's a conflict between a user's previously saved business-specific privacy setting and their current GPC signal, the GPC signal must still be processed as a valid opt-opt-out request, but the business may notify the consumer of the conflict and allow them an opportunity to consent to the sale or sharing of their personal information.

• Usage of GPC Signals by Old Customers
  In case a consumer's GPC signal was detected in the past but not again, the business cannot take this to mean that the user has opted back into the sale/sharing of their data.

• Usage of Opt-out Links
  If a business processes GPC signals in a frictionless manner in accordance with the CPRA regulations, it may choose to remove the "Limit the Use of My Sensitive Personal Information," “Do Not Sell or Share My Personal Information,” or any alternative opt-out link from their website.

• GPC Detection Notification
  The requirement to notify consumers that their GPC has been detected is not a mandatory requirement anymore - businesses may choose to show this status to the consumer upon detection of the GPC.

Other Notable Updates

While the final draft of the regulations brings several updates related to preference signals, other changes have also been introduced. Some of these include:

• Reasonable Expectations of Consumers
  The purposes for which personal information is collected (or any associated secondary purposes) must meet the reasonable expectations of the consumers whose personal information is being collected. The CPRA has provided a list of factors that can be used to determine the ‘reasonability.’

• Data Minimization
  The collection, use, retention and sharing of personal information should be reasonably necessary and proportionate to the relevant processing purpose. The CPRA specifies the factors to be considered when determining whether any collection or processing of personal information is reasonably necessary and proportionate.

• Notice at Collection
  First parties and third-parties may provide a single Notice at Collection to consumers that include the required information about their collective Information Practices.

• Choice Architecture
  When designing and implementing methods for submitting CCPA requests and obtaining consumer consent, businesses should avoid such choice architecture that impairs or interferes with the ability of consumers to make a free, informed, specific and explicit choice or exercise such a choice.

• Dark Patterns
  If a business did not intend to design a user interface as a dark pattern, but later becomes aware that the interface has such an effect, and does not remedy the same, such a user interface may still be considered a dark pattern.

• Compliance with a Request to Delete
  In case a request to delete is made, a service provider should either delete it by itself or enable the relevant business to delete the personal information.

• Denial of a Request to Correct
  A request to correct may be denied by a business if the business:
  • determines that the contested personal information is more likely to be accurate based on the totality of the circumstances involved,
  • cannot verify the requestor's identity,
  • has denied the consumer's request to correct the same alleged inaccuracy in the past six months,
  • has a good-faith, reasonable, and documented belief that the request to correct is fraudulent or abusive, or
  • determines that compliance would be impossible or involve a disproportionate effort.

• Compliance with a Request to Correct
  If a business complies with a consumer's request to correct, it must correct the information on all its existing systems while also instructing all service providers and contractors to make similar corrections on their ends. However, if any information is stored on archived or backup systems, the relevant entity may delay compliance with the request to the extent of such information until the relevant archived or backup system is restored to an active system or is next accessed or used. A business may choose to delete, rather than correct contested personal information, as an alternative if doing so does not negatively impact the consumer or if the consumer consents to the deletion.

• Compliance with an Opt-out Request or Request to Limit
  A business cannot require a consumer to verify their identity to make a request to opt-out of the sale/sharing of their data or to make a request to limit. A business may ask the consumer for additional information to fulfill such a request, provided the same is not burdensome for the consumer.

• Contracts with Service Providers, Contractors, and Third Parties
  All contracts with service providers, contractors, and third parties should comply with the requirements of the CCPA. In the absence of a legally valid contract, such entities would not be considered as ‘service providers’ or ‘contractors’ within the ambit of the CCPA, nor would any third party be allowed to collect, use, process, retain, sell, or share the personal information made available to it by a business.

• Sworn Complaints
  Sworn complaints can be filed with the Enforcement Division of the CPPA. Such complaints must:
  • identify the entity in violation of the CCPA,
  • state facts supporting each alleged violation and include supporting evidence and documents,
  • authorize the alleged violator and CPPA to communicate regarding the complaint,
  • include the name and contact information of the complainant, and
  • be signed and submitted under penalty of perjury.

• CPPA Audits
  The CPPA can audit a business, contractor, or service provider to investigate possible violations of the law and ensure compliance thereof. The CPPA may also select an entity for audit if its data processing activities pose a significant risk to consumer privacy or security, or if the entity has a history of non-compliance with the CCPA or any other privacy law. Such audits may be announced or unannounced, with the CPPA having the authority to issue a subpoena, or seek a warrant if the relevant business, contractor, or service provider fails to cooperate.

How Can Securiti Help

While preference signals and opt-out mechanisms are not new concepts, their recognition by regulations such as the CPRA leaves users with a much greater degree of control over how their data is collected and processed, and greater transparency.

For organizations themselves, compliance with the aforestated obligations and requirements can only be possible via the effective use of automation.

This is where Securiti's Privacy Center can greatly help. It supports and automates GPC signal detection on browsers and extensions that support it, while keeping a record of it as proof of compliance. Additionally, with the Privacy Center, you can easily classify both first-party and third-party cookies on the website while automatically updating the privacy notices on a website if any new cookies are detected.

Request a demo today to learn more about how Securiti's products, such as the Privacy Center, help you comply with all major global data compliance regulations, such as the CPRA.