The California Privacy Protection Agency (CPPA) unexpectedly released a preliminary draft of the California Consumer Privacy Act (CCPA) on May 27, 2022. The proposed regulations are still being discussed by the CCPA, with the finalized regulations expected around Q3 or Q4. As far as we know, the revised CCPA regulations will go into effect January 1st, 2023.
While no part of this draft is certain yet, it is a helpful look into the changes to come.
Since the final draft’s timeline is unclear, large organizations may want to use this draft to guide preparations for the intensive compliance efforts to come in Q4. While the regulations and their language is certainly not final, this draft communicates the big picture changes organizations need to know as they anticipate a finalized draft.
In this article, we’ll cover some of the key potential changes to consider as you prepare for updated compliance requirements.
Important changes to take note of include extensive requirements for businesses to ensure customers can easily opt out of certain personal information uses. Further restrictions on the collection and use of personal information are also outlined in the draft. Third party sharing restrictions, some of which may need contracts to be revised, are also worth taking action on before January 1st.
Potential Changes to CCPA Requirements
A large majority of the changes in the new draft deal with a “frictionless” manner of dealing with consumers opting out of sharing their personal information. According to the draft, processing an opt-out signal in a frictionless manner requires businesses to not charge fees or change the consumer experience for those who opt out. Businesses also may not display notifications, text, graphics, or videos in response to a consumer sending an opt out signal.
Additionally, the draft defines a consumer’s “right to opt-out of sale/sharing.” This defines the consumer’s right to opt out of business practices that sell or share their personal information.
Restrictions on the Collection and Use of Personal Information
While this law is still considered an “opt out” law instead of an “opt in” law, the restrictions on the use and collection of personal information are heavy. For some businesses, the way they collect and use data may need to change, or they may need to outline data usage more clearly when requesting it.
The draft states that “a business’s collection, use, retention, and/or sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed.” Reasonably necessary is defined as usage and sharing that an average consumer would expect when the data is collected. For cases where the data is not being used in a way that may be expected, the law requires explicit consent. This may lead to more companies adopting “opt in” instead of “opt out” methods for simplicity and safety.
Disclosure of Personal Information Collected
A customer’s right to know personal information collected about them is weighed against “disproportionate effort,” which balances the consumer’s request for data with the effort the company will need to use to access the data. For a business to claim disproportionate effort the business must show that the time and resources needed to fulfil the request is greater than the benefit to the customer.
Additionally, “A business that has failed to put in place adequate processes and procedures to comply with consumer requests in accordance with the CCPA and these regulations cannot claim that responding to a consumer’s request requires disproportionate effort.” Systems for reasonably communicating and complying with consumer requests are necessary, but companies need not worry about unreasonable requests.
New Obligations to Correct Personal Information
This draft defines both a consumer’s “request to correct” (a consumer request for the business to correct inaccurate personal information) and their “right to correct” (the consumer’s right to request a business to correct inaccurate personal information) in detail.
Notice of Third-Party Data Collection
Consumers will need to be notified of third parties who collect personal information on behalf of a business at the time of collection. This added transparency will give consumers information about every business, advertising provider, and other third party who interacts with their data. These partnerships becoming visible is a great reason to examine your business' third-party collection practices and whether they would cause concern to consumers.
Further Restriction of Third-Party Sharing
This draft limits third party sharing in a few ways, including creating new obligations for sharing information with third party service providers and contractors. The draft requires companies to act with due diligence when partnering with third parties to ensure they will not violate CCPA regulations. Companies will also need to state the specific purpose of sharing their customer’s personal information, instead of using generic terms to describe the reason for sharing information.
Sensitive Personal Information Use Limited
Any business that uses or discloses sensitive personal information (except for a few exceptions), must provide a notice to consumers informing them of their right to limit or opt out of this practice. The exceptions outlined include:
- Performing reasonably expected services (like using geolocation for an app that provides directions)
- Detecting or investigating security incidents that might put the personal data at risk
- Resisting illegal or malicious actions directed at the business or endangering the physical safety of a person (like cooperating with law enforcement in the case of a crime)
- Short term transient use that is connected to a consumer’s current interaction and does not create a profile on the person in question
- Using personal information for reasonable internal account uses, like processing or fulfilling orders, providing storage, or maintaining accounts
- Maintaining or improving the quality or safety of a device or service owned by the business
This is just a brief overview of some of the most impactful changes outlined in the CCPA first draft. While none of these regulations are final, now is a great time to review personal information collection, usage and storage policies. Understanding potential changes to your business and outlining plans to achieve compliance by January 1, 2023 should start now.
For an in-depth look at all the proposed changes, look at the redlined CPRA regulations here. If you’re worried about continuing to utilize personal data as privacy regulations increase, check out our personal data solutions that bring personal data out of scope while maintaining their functionality.