Written by Susan Kohn Ross and Stacey Chuvaieva
On March 29, 2023, California’s Office of Administrative Law (“OAL”) approved the final text of the first part of the regulations issued by the California Privacy Protection Agency (“CPPA”), which took effect immediately (the “Regulations”). These final Regulations provide long-awaited guidance on several new concepts introduced by the California Privacy Rights Act (“CPRA”), which voters approved as Proposition 24 in the 2020 election. The CPRA set out general requirements for data use practices, including data minimization principles. The Regulations also supply wording to be included in consumer communications (e.g., the privacy policy and the notice at collection) and specify requirements for opt-out and other consumer rights. Below we list some of the key considerations for privacy compliance this year.
New Restrictions on the Collection and Use of Personal Information. Drawing inspiration from the European GDPR, the CPRA implemented the principle of data minimization: a business may collect and process personal information only in a way that is reasonably necessary and proportionate to achieve (i) the purposes for which the personal information was collected or processed, consistent with the reasonable expectations of the consumer, or (ii) another disclosed purpose that is compatible with the context in which the personal information was collected. If neither test is satisfied, the business must obtain the consumer’s consent before collecting or processing personal information for any additional purpose not originally disclosed in the notice at collection.
More specifically, the Regulations explain how to determine which purposes meet the “reasonable expectations of the consumer” test and identify the following factors to be weighed: the relationship between the consumer and the business; the type, nature, and amount of personal information the business seeks to collect or process; the source of the personal information and the business’s method for collecting or processing it; the specificity, explicitness, prominence, and clarity of the disclosure to the consumer about the purpose for collecting or processing their personal information; and the degree to which the involvement of service providers, contractors, third parties, or other entities in the collection or processing is apparent to the consumer. For example, a consumer likely expects an online retailer to disclose the consumer’s name and address to a delivery service provider.
The compatibility test is separate: it asks whether another purpose that the business has disclosed fits the context in which the personal information was originally collected, rather than whether the consumer would have expected that purpose at the time of collection.
Furthermore, the Regulations provide criteria for determining which processing activities satisfy the “reasonably necessary and proportionate” requirement. A business must collect and process only the minimum amount of personal information required to accomplish a given processing purpose, and in doing so must take into account the potential risks to consumers as well as any additional safeguards that mitigate those identified risks (e.g., encryption or automatic erasure).
Communications to Consumers.
Dark Patterns. The Regulations emphasize that disclosures and communications to consumers must be easy to read and understand, written in plain, straightforward language with minimal technical or legal jargon. The Regulations also introduce the term “dark pattern” and require a business to avoid language or interactive elements that are confusing to the consumer. Specifically, a user interface is a dark pattern if it has the effect of “substantially subverting or impairing user autonomy, decision-making, or choice.” In practice, meeting these requirements is a complicated exercise given the scope and complexity of the required disclosures.
Privacy Policy and Required Disclosures. The Regulations also list the information that must be included in a privacy policy: (i) a comprehensive description of the business’s information practices, including the categories of personal information collected, processed, sold, or shared in the preceding 12 months; the categories of sources of personal information; the specific business or commercial purposes for collecting the personal information; a statement of whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years of age; and a statement of whether the business uses or discloses sensitive personal information; (ii) an explanation of the consumer’s rights under the California privacy laws, including a description of the procedure for exercising those rights; and (iii) the date the privacy policy was last updated.
Notice at Collection. The notice at collection of personal information must now list the categories of personal information to be collected (including sensitive personal information), the purposes for which the personal information will be used, and whether that information is sold or shared. The Regulations go on to specify that the notice at collection may be provided online by a link that takes the consumer directly to the specific section of the privacy policy containing this information. It is no longer sufficient to direct the consumer to the privacy policy as a whole and require them to scroll through other material to determine what is collected.
Opt-out and use limitation rights.
“Do Not Sell or Share My Personal Information” link. Unless an exception applies, a business must inform consumers of their right to direct the business to stop selling or sharing their personal information for purposes of “cross-context behavioral advertising,” give consumers the opportunity to exercise that right, and place a “Do Not Sell or Share My Personal Information” link on its website. That link, located in either the header or the footer of the business’s internet homepage, must either immediately effectuate the consumer’s opt-out or lead the consumer to a webpage where they can learn about and make that choice.
“Limit the Use of My Sensitive Personal Information” link. The CPRA also introduces a new consumer right to direct a business to limit its use and disclosure of sensitive personal information. The Regulations specify that a business must inform consumers of this right and provide a “clear and conspicuous” link, “Limit the Use of My Sensitive Personal Information,” on its homepage. A business does not need to provide a Notice of Right to Limit or that link if: (1) the business only uses and discloses sensitive personal information for the following purposes: to perform the services or provide the goods reasonably expected by an average consumer who requests them; to prevent, detect, and investigate security incidents; to resist and prosecute malicious, deceptive, fraudulent, or illegal actions directed at the business; to ensure the physical safety of natural persons; for short-term, transient use; to perform services on behalf of the business; or to verify or maintain the quality or safety of a product; and (2) the business only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer.
If a business’s use of sensitive personal information falls under any of these exceptions, the business must say so in its privacy policy.
Alternative Opt-out Link and Preference Signal. The Regulations also allow a business to post an Alternative Opt-out Link, a single, clearly labeled link that lets consumers easily exercise both their right to opt out of sale/sharing and their right to limit, instead of posting the two separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links. Separately, a business that sells or shares personal information must process any opt-out preference signal sent by the consumer’s browser or device and treat that signal as a valid request to opt out of sale/sharing.
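The opt-out preference signal requirement is the one point in this list that is enforced in code rather than in a policy document. The following is an added example, not code from the article or from any business it describes; it assumes the signal is Global Privacy Control (GPC), which the article does not name, and which browsers send as the request header Sec-GPC with the value "1". The record shape (consumerId, saleOptOut, optOutSource, optOutAt) and the decision to let the signal override a previously stored opt-in are this example’s own assumptions.

```javascript
// Added example (not the article's code): honoring an opt-out preference
// signal on the server side. Assumes the Global Privacy Control (GPC)
// signal, carried in the request header "Sec-GPC: 1"; the article itself
// does not name a specific signal.

// Return true only when a valid signal is present. GPC's only meaningful
// value is the single character "1"; "0", "true", or a missing header
// means no signal. Header names are matched case-insensitively because
// frameworks differ in how they normalize them.
function hasOptOutSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const v = Array.isArray(value) ? value[0] : value;
    return typeof v === "string" && v.trim() === "1";
  }
  return false;
}

// Apply the signal to a consumer's stored preference record and return the
// updated record. The signal is treated as a valid opt-out request, so it
// sets saleOptOut even if the record previously held an opt-in (assumed
// design choice: the business may separately tell the consumer about the
// conflict, but it must not ignore the signal). An already opted-out record
// is returned unchanged so repeated requests are idempotent.
function applyOptOutSignal(record, headers, now = new Date()) {
  if (!hasOptOutSignal(headers)) return record;
  if (record.saleOptOut) return record;
  return {
    ...record,
    saleOptOut: true,
    optOutSource: "opt-out-preference-signal",
    optOutAt: now.toISOString(),
  };
}

// Gate for the response: third-party advertising tags (the "sharing" for
// cross-context behavioral advertising) may only be loaded when the record
// is not opted out.
function mayShareForAdvertising(record) {
  return !record.saleOptOut;
}

// Constructed sample requests; hypothetical consumer ID.
const requestWithSignal = {
  headers: { "Sec-GPC": "1", "user-agent": "constructed-sample" },
};
const requestWithoutSignal = {
  headers: { "user-agent": "constructed-sample" },
};

function demo() {
  const stored = { consumerId: "c-123", saleOptOut: false };
  const afterSignal = applyOptOutSignal(stored, requestWithSignal.headers);
  const afterPlain = applyOptOutSignal(stored, requestWithoutSignal.headers);
  return {
    signalShares: mayShareForAdvertising(afterSignal), // false
    plainShares: mayShareForAdvertising(afterPlain),   // true
  };
}

console.log(demo());
```

In a real deployment the opt-out record would be persisted and the gate applied before any ad tag, pixel, or server-side data transfer is emitted; the point of keeping the decision in one function is that the same check can be audited and unit-tested rather than scattered across templates.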
Service Providers and Third Parties. Finally, the Regulations specify that, to honor a request to delete, a business must instruct its service providers and contractors to delete the personal information they collected pursuant to their written contract with the business, and must notify all third parties to whom the business has sold or shared the personal information to delete the consumer’s personal information, unless doing so proves impossible or involves disproportionate effort. If that is the case, the consumer must be told why notifying some or all third parties would be impossible or would involve disproportionate effort. Businesses, therefore, now need to review their contracts with service providers and contractors to make sure they reflect these requirements.
With the final Regulations now released, businesses can proceed with a substantive review of their privacy policies and consumer communications to bring them into compliance with the CPRA and these latest Regulations.