New privacy laws in 2023 — considering draft regulations
November 16, 2022 - There are five states with new comprehensive consumer privacy laws taking effect in 2023 — California, Virginia, Colorado, Utah and Connecticut. While businesses are well-advised to start their compliance efforts early, the lack of final implementing regulations from some states makes complete compliance impossible at this time. California and Colorado recently released draft regulations for comment.
While these drafts are not final and will likely change, businesses should consider these proposed rules now. This article focuses on draft regulations in California, with a future article focusing on draft rules in Colorado.
California issues second draft of CPRA regulations
The California Privacy Protection Agency (CPPA) released the second version of draft regulations under the California Privacy Rights Act (CPRA) on Oct. 17. Because California was initially required to provide final regulations by July 2022, having another draft issued just a few months before CPRA takes effect in January 2023 creates challenges for businesses preparing for CPRA compliance.
Adding further frustration, many changes within the updated draft regulations include qualifying language that certain requirements were removed "to simplify implementation of these regulations at this time." This seemingly leaves the door open to additional CPRA compliance requirements in the future.
The updated draft regulations also include new emphasis on ambiguous standards, frequently referencing the importance of the "necessary and proportionate" collection and use of personal information and "reasonable expectations of the consumer." These ambiguous standards present challenges to entities scrambling to comply with non-finalized regulations as the deadline to do so approaches. There are dozens and dozens of changes to the prior draft of the regulations. Some key changes follow.
Updates to restrictions on the collection and use of personal information
The updated draft regulations contain several revisions focusing on the purposes for which personal information is collected.
The updated draft regulations now specify that the purposes for which personal information is collected or processed shall be consistent with the reasonable expectations of the consumer, based on several factors:
•The relationship between the consumer and the business;
•The type, nature and amount of personal information collected or processed by the business;
•The source of the personal information and the business's method for collecting or processing it;
•The specificity, explicitness and prominence of disclosures to the consumer about the purpose of collection or disclosure;
•The degree to which the involvement of service providers, contractors, third parties or other entities in the collection and processing of personal information is apparent to consumers.
Continued emphasis on respecting GPC signals and flowing deletion and opt-out requirements
The updated draft regulations continue to emphasize the importance of respecting opt-out preference signals, including Global Privacy Control (GPC) signals. California regulators are paying close attention to whether entities respect and process consumer opt-out preference signals -- signals automatically sent by a consumer's browser indicating that they do not want to be tracked.
The updated draft regulations continue to highlight the requirement for businesses to flow deletion and opt-out requests down to service providers, contractors, and third parties to whom the business has sold or shared personal information. Service providers and contractors likewise must notify their own service providers, contractors, or third parties of such requests.
Service provider right to build and improve services
The previous draft regulations severely limited the service providers' ability to use personal information collected under contracts with businesses to improve services.
The updated draft regulations clarify that service providers and contractors may use personal information collected per their contracts with businesses to build or improve the services they provide, even if such purpose is not specified in those contracts.
This change provides an important right for service providers, enabling them to leverage personal information collected to develop new, and enhance existing, products and services. This is particularly significant to the advertising ecosystem, where many service providers rely on data, including personal information, to provide products and services that benefit the entire advertising industry.
Importantly, the updated draft regulations do contain restrictions on the use of personal information to build and improve services — service providers cannot use the personal information provided by one business to provide services to another.
Changes to third parties’ obligations
The updated draft regulations provide significant changes with respect to third-party obligations.
•First, the updated draft regulations remove much of the confusing language previously included with respect to third-party obligations, replacing that language with the requirement that third parties follow requirements for businesses under the CPPA and CPRA.
•Second, and perhaps most significantly, the updated draft regulations remove the contractual requirement for third parties (but not businesses) to check for and comply with consumer opt-out preference signals – to simplify implementation at this time. Again, the regulators appear to leave the door open to reinstate the requirement later on. For now, if finalized, the removal of this requirement will significantly and positively impact the advertising ecosystem, as respecting opt-out preference signals presented one of the greatest compliance challenges to many ad-tech players that will likely lose their service provider status under the CPRA.
Removal of requirement to provide notice of right to opt out for connected devices, augmented and virtual reality devices
The previous draft regulations required businesses that sell personal information collected through a connected device, such as a smart television or smart watch, to provide a notice of right to opt out of sale in a manner that ensures the consumer will encounter the notice while using the device. The previous draft regulations contained an analogous requirement for augmented and virtual reality devices.
The updated draft regulations remove the requirement that businesses that sell personal information provide such notice to simplify implementation of these regulations at this time.
Removal of this notice requirement may signal that California regulators need more time to fully understand the connected device and augmented and virtual reality arenas. Importantly, this revision contains the qualifying language signifying that regulators may adjust this requirement at a later date.
Processing of opt-out preference signals
The updated draft regulations removed language requiring businesses to display the status of the consumer's choice, making this optional, rather than mandatory.
The updated draft regulations allow businesses to optionally notify consumers when opt-out preference signals conflict with consumers' participation in financial incentive programs to simplify implementation at this time.
That said, the CPRA obligations to comply with and honor opt-out preference signals is one of the more impactful requirements for the advertising industry under the CPRA.
Inferring customer behavior
The regulations delineate the purposes for which businesses may collect, use and disclose sensitive personal information without needing to offer consumers a right to limit such collection, use and disclosure.
The updated draft regulations clarify what information businesses can infer from customer behavior. By way of example, businesses that sell religious books can use information about customers' interest in religious content to serve contextual ads for other religious merchandise, so long as those businesses do not use sensitive personal information to create profiles about individual consumers or disclose personal information revealing customers' religious beliefs to third parties.
Accordingly, the updated draft regulations clarify that businesses may infer certain behaviors, even involving sensitive data categories like religious beliefs, so long as businesses do not disclose that personal information or create consumer profiles with the personal information.
Right to conduct audits and assessments internally or via third-party vendors
The updated draft regulations clarify that service providers and contractors can conduct assessments, audits and other technical and operational testing either internally or via third-party vendors. The belief is that these audits will help ensure that parties meet their privacy obligations.
This change is important, particularly for smaller businesses, because internal audits are far cheaper than third-party audits.
This latest draft has changes that are both beneficial to businesses and increase the complexities of compliance. Given the fact that the regulations have not yet been finalized, no business can be completely CPRA-compliant at this time. Businesses should review draft regulations in states where they operate such as California and Colorado, to be discussed in the next article, to prepare for the upcoming privacy laws.