Surprise! California Privacy Rights Act draft regulations released
Unclear how final these draft regulations are or what additional changes will be made prior to them being officially released for public comment.
On June 8, 2022, the California Privacy Protection Agency (CPPA) Board, will meet to discuss and take potential action regarding a draft of its proposed regulations. The June 8th public meeting includes an agenda item where the CPPA Board will consider “possible action regarding proposed regulations … including possible notice of proposed action.”
To facilitate this discussion, the CPPA included a draft of the proposed regulations as part of the meeting records. This draft comes in the form of a 66 page redline of the current California Consumer Privacy Act (CCPA) regulations (recently renumbered by the CPPA). The quietly released 66-page draft regulations, are intended to implement and interpret the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
What is the CPRA?
In 2020, California voters approved the CPRA, which modified the existing CCPA, broadening its obligations from consumer information to employment data (among other changes).
Companies will have obligations related to employment data under the CPRA if they (1) meet the jurisdictional scope of the law and (2) have any employees or contractors in California, even if their business is not headquartered in the state.
A business falls within the jurisdictional scope of the CPRA if it meets at least one of the following thresholds:
Had annual gross revenue above $25 million in the previous calendar year; or
Annually collects, stores, analyzes, discloses, or otherwise uses ("processes") the personal information of 100,000 or more California residents or households; or
Derives at least 50 percent of its annual revenue from selling (disclosing to a third party for monetary or other valuable consideration) or sharing (disclosing to a third party for targeted advertising) the personal information of California residents.
Because at least one of these criteria must apply—but not all of them—smaller businesses may be nonetheless within the scope of the CPRA if they have any California employees.
The CPPA has taken shape and is now beginning to fulfill the goals set forth in the law passed over 2 years ago.
Proposed Regulations Status
To date, the CPPA has not issued a Notice of Proposed Rulemaking to start the formal rulemaking process. Furthermore, the timeframe associated with the draft regulations is unclear (i.e., the CPRA requires the CPPA to finalize regulations by July 1, 2022, etc.). The June 8th meeting will likely shed light on the route that CPRA plans to take - which could be by way of the emergency rulemaking process.
Here are some of the highlights of the proposed draft regulations:
Adds a definition of “disproportionate effort” within the context of responding to a consumer requests. For example, disproportionate effort might be involved when the personal information which is the subject of the request is not in a searchable or readily-accessible format, is maintained only for legal or compliance purposes, is not sold or used for any commercial purpose, and would not impact the consumer in any material manner;
Adds a new section on the restrictions on the collection and use of personal information that contains illustrative examples. One example is a business that offers a mobile flashlight app. That business would need the consumer’s explicit consent to collect a consumer geolocation information because that personal information is incompatible with the context in which the personal information is collected in connection with the app;
Adds requirements for disclosures and communications to consumers. This includes making sure communications are reasonably accessible to consumers with disabilities whether online or offline;
Adds requirements for methods for submitting CCPA requests and obtaining consumer consent. This is to ensure that the process to select a more privacy-protective option should not be more difficult or longer than a less protective option; and