A little breathing room — California privacy agency modifies proposed regulations


December 8, 2022 - Within the last few months, the California Privacy Protection Agency (CPPA or the Agency) has twice modified the text of the proposed regulations implementing the California Privacy Rights Act (CPRA) (once on Oct. 18, and again on Nov. 3). The Nov. 3 modification kicked off a 15-day comment period, which ended on Nov. 21, 2022.

Given that the CPRA takes effect on Jan. 1, 2023, businesses are eager to receive finalized rules to assist with their implementation efforts. The soonest businesses are likely to receive these rules, however, is not until the end of January or February 2023, given the Office of Administrative Law's (OAL) 30-day review period. Regardless, businesses should continue to make good faith efforts to comply with the law and be prepared to review their implementation efforts once the regulations are finalized.

For a full overview of the changes made during this latest round of edits, businesses can view the chart made available by the CPPA. For now, we have highlighted the top three changes that may give businesses some breathing room as we head into 2023.

1. Adding structure to the definition of unstructured data

The California Consumer Privacy Act (CCPA), and now the CPRA, regulate "personal information." Personal information is broadly defined as any information that could reasonably be linked with a particular consumer or household. In regulating personal information, the CCPA/CPRA gives California residents certain rights over their personal information, including the right to access, delete, and correct their personal information and the right to limit certain types of processing activities (e.g., opting out of the "selling" or "sharing" of their personal information).

Once the CCPA was signed into law, many businesses started their privacy compliance journeys with a data mapping exercise. A data mapping exercise helps companies understand their information practices by identifying, among other things, what information the business collects, where it is sourced from, how it is used, and whether it is disclosed to any third parties.

One issue that businesses struggle with when it comes to data mapping (and privacy compliance in general) is how to address unstructured data.

What is unstructured data? Unstructured data can generally be thought of as data that is not stored in an organized fashion (e.g., information stored in email accounts or chat systems). Structured data, in contrast, is stored in a predefined format (e.g., in a field-based format). Privacy professionals know applying laws such as the CCPA/CPRA to unstructured data is problematic. The concern, of course, is locating that information in the first place and then creating an automatic process to fold that data into the privacy program.

Enter the CPRA proposed regulations. The initial draft of the CPRA regulations introduced the concept of "unstructured data," which was a relief in and of itself. By acknowledging that unstructured data exists, the draft regulations recognize the challenges privacy professionals face concerning that type of data set. The definition of "unstructured" in the initial draft of the proposed regulations, however, evoked uncertainty. There, the term "unstructured," as it relates to personal information, was defined only as "personal information that is not organized in a pre-defined manner, such as text, video files, and audio files."

Furthermore, the term "unstructured" only appeared in connection with the "Right to Correct," where businesses were allowed to consider whether contested personal information was stored in an unstructured manner, possibly suggesting that unstructured data may not need to be corrected in response to a consumer's request to correct.

The modified proposed regulations changed the definition of "unstructured" by removing the examples (text, video files, and audio files), and instead adding that unstructured data is that which cannot be retrieved or organized in a pre-defined manner without "disproportionate effort" on behalf of the business, service provider, contractor, or third party. "Disproportionate effort" is a term that appears throughout the proposed regulations, thus suggesting that the issues businesses face with respect to unstructured data go well beyond the Right to Correct.

The CCPA has not yet defined what constitutes "disproportionate effort." But the modified proposed regulations do describe disproportionate effort as instances when "the time and/or resources expended ... to respond to the individualized request significantly outweighs the reasonably foreseeable impact to the consumer by not responding, taking into account applicable circumstances such as, the size of the business, service provider, contractor, or third party, the nature of the request, and the technical limitations impacting their ability to respond."

Technical limitations could very well include issues such as data not being in a searchable or readily accessible format, which is the case for many types of unstructured data.

Of course, what constitutes disproportionate effort in one context may not constitute disproportionate effort in another. For example, in response to a "Request to Know," a business may have to scour unstructured data for personal information. This can be challenging, time-consuming, and overwhelming because unstructured data can be in email accounts, chat software (e.g., Microsoft Teams), freeform fields in software, customer service ticketing systems, etc.

While the disproportionate effort provision does not allow businesses to ignore consumer requests, it may provide them with a reprieve from having to undergo a time-consuming search for personal information in response.

2. Simplifying implementation efforts

The modified proposed regulations made several changes intended to simplify implementation. These changes include:

A. Modifications to the Notice at Collection: The modified proposed regulations no longer will require a business to identify in its Notice at Collection the names of the third parties that control the collection of personal information. What does this mean? Potentially, a lightening of the recent infusion of specificity around ad tech vendors for U.S.-only companies. Nevertheless, this type of disclosure may still be required in some jurisdictions outside the United States.

B. Information stored on archived backups: The modified proposed regulations help businesses by allowing them, service providers, and contractors to delay compliance with requests to correct for information stored on archived backup systems.

C. Data correction: Because of the modified proposed regulations, businesses will no longer be required to make a consumer's written statement (about the accuracy of their personal information being contested by the consumer) available to any person to whom it discloses, shares, or sells personal information. And, businesses now have some discretion about whether to provide the consumer with the name of the source from which the business received the alleged inaccurate information.

D. Consumers' opt-out status: Complying with opt-out requirements appears easier under the modified proposed regulations. Businesses no longer will be required to display the status of the consumer's choice to opt out of the selling or sharing of their personal information. The modified proposed regulations now make it optional to provide a means by which consumers can confirm that their opt-out of sale/sharing requests, or their requests to limit, have been processed.

3. Agency investigations – giving businesses some grace

With the CPRA effective date just a few weeks away, businesses feel pressure to get their privacy compliance programs into shape. This pressure is intensified by the fact that the regulations still need to be finalized, leaving many businesses without guidance on certain key issues.

In response to this issue, the proposed modified rules introduce Section 7301(b). This section states that: "[a]s part of the Agency's decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements."

Considering this section, businesses should make good faith attempts to comply, even though the regulations are not finalized. To do so, businesses should take a big-picture approach to compliance and begin the process in a manner that affords flexibility to account for unanticipated changes in the finalized regulations.

Initially, businesses should focus on: (1) identifying core systems and assets processing personal information, (2) accounting for those processing activities when addressing the CPRA's requirements, and (3) in the event of any known gaps in compliance, introducing mitigating steps that would minimize the potential for consumer harm or regulatory scrutiny.

Until the regulations are finalized, there is some uncertainty as to what CPRA compliance programs will ultimately look like. But at least the proposed modified regulations acknowledge that. The best advice right now is to take a breath and do what you can to comply with the law with the guidance that we have now. Should the final regulations change your approach to compliance, the CPPA may give you some grace.

Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias. Westlaw Today is owned by Thomson Reuters and operates independently of Reuters News.

Kamran Salour is a partner for the firm's privacy and cyber practice group. He leverages his data privacy experience to guide clients through their toughest cybersecurity and privacy issues. He is CIPP/US, CIPP/E, and CIPT certified and focuses his practice on guiding his clients through the incident response process. He is located in Orange County and can be contacted at kamran.salour@troutman.com.

Sadia Mirza is a Certified Information Privacy Professional in the United States (CIPP/US) and a Certified Information Privacy Manager (CIPM). She is an attorney for the firm's privacy and cyber practice group and has extensive experience in data security and privacy matters, having handled a number of data breaches and investigations in a variety of industries. She is located in Orange County and can be contacted at sadia.mirza@troutman.com.

Robyn Lin is an attorney for the firm's privacy and cyber practice group. She regularly assists clients with privacy-related issues, such as reviewing privacy policies, data mapping, and regulatory compliance. She is located in Orange County and can be contacted at robyn.lin@troutman.com.