The CPPA Published More Proposed Regulations before the Board Meeting

By: Linda Goodman

The California Privacy Protection Agency (“CPPA”) recently published additional proposed regulations that include proposed revisions to existing California Consumer Privacy Act (“CCPA”) regulations. The Agency also released additional revisions to the proposed cybersecurity audit regulations that it had previously circulated, as well as draft provisions regarding the applicability of CCPA regulations to insurance companies. These latest proposals have been added to the agenda for the CPPA’s December 8 Board meeting, along with the draft regulations on automated decision making technology (ADMT) and the latest version of its risk assessment regulations.

The revisions to the CCPA regulations are the most notable element of this latest batch of proposed regulations. The proposed revisions will impose additional compliance requirements on businesses, including new provisions related to notifying consumers of their right to file complaints and informing them of the status of their opt-out and right-to-limit requests. The proposed revisions will also clarify a number of existing requirements, like obtaining consumer consent and timely compliance with opt-out requests.

The following is a brief description of the CPPA’s newest proposed regulations.

  1. Definition of “Sensitive Personal Information”. (§ 7001) The proposed regulations include an amended definition of “sensitive personal information” that includes:

(1)     Personal information that reveals:

(A)    A consumer’s social security, driver’s license, state identification card, or passport number.

(B)    A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.

(C)    A consumer’s precise geolocation.

(D)    A consumer’s racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.

(E)    The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.

(F)    A consumer’s genetic data.

(2)     The processing of biometric information for the purpose of uniquely identifying a consumer.

(3)     Personal information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation.

(4)     Personal information of consumers less than 16 years of age.

Sensitive personal information does not include information that is “publicly available” pursuant to Civil Code section 1798.140, subdivision (v)(2).

  2. Consent Guidance. (§ 7004 and § 7002) The proposed regulations include new guidance for properly obtaining consent from consumers, including new illustrative examples related to providing consumers with symmetrical and clear choices and consent withdrawal.
  3. Privacy Policy Links for Mobile Applications. (§ 7003) The proposed regulations would require mobile applications to post links to their privacy policies in the applications’ settings menus, instead of, as currently required, on the applications’ platform or download pages.
  4. Increased Applicability Thresholds. (§ 7005) The proposed revisions include a new provision that increases the CCPA’s monetary thresholds in alignment with increases in the Consumer Price Index on an annual basis. This would result in an increase of the annual gross revenue threshold that an entity must satisfy in order to constitute a “business” subject to the CCPA’s requirements. Under the proposed regulations, that threshold would rise from $25 million to $27.98 million. The increase in the CCPA’s monetary thresholds would also increase the monetary damages, administrative fines, and civil penalties that a business could be exposed to under the law.
  5. Privacy Policy Description Update. (§ 7011(e)) The proposed regulations provide for an update to the following:

(B) Identification of the categories of sources from which the personal information is collected. The categories shall be described in a manner that provides consumers a meaningful understanding of where the information is collected.

(E) For each category of personal information identified in subsection (e)(1)(D), the categories of third parties to whom the information was sold or shared. The categories of third parties shall be described in a manner that provides consumers a meaningful understanding of the parties to whom the information is sold or shared.

  6. Notice of Right to Opt-out of Sale/Sharing and the “Do Not Sell or Share My Personal Information” Link. (§ 7013(e)(3))

(C) A business that sells or shares personal information that it collects through a connected device (e.g., smart television or smart watch) shall provide notice in a manner that ensures that the consumer will encounter the notice before the device begins collecting the personal information that it sells or shares.

(D) A business that sells or shares personal information that it collects in augmented or virtual reality, such as through gaming devices or mobile applications, shall provide notice in a manner that ensures that the consumer will encounter the notice before the consumer enters the augmented or virtual reality environment.

  7. Notice of Right to Limit and the “Limit the Use of My Sensitive Personal Information” Link. (§ 7014(e))

(3) A business shall also provide the Notice of Right to Limit in the same manner in which it collects the sensitive personal information that it uses or discloses for purposes other than those specified in Section 7027, subsection (m). Illustrative examples and requirements follow.

(A) A business that uses or discloses sensitive personal information that it collects in the course of interacting with consumers offline, such as in a brick-and-mortar store, for purposes other than those specified in section 7027, subsection (m), shall provide notice through an offline method (e.g., on the paper forms that collect the sensitive personal information or by posting signage in the area where the sensitive personal information is collected directing consumers to where the notice can be found online).

(B) A business that uses or discloses sensitive personal information that it collects over the phone for purposes other than those specified in section 7027, subsection (m), shall provide notice orally during the call when the information is collected.

(C) A business that uses or discloses sensitive personal information that it collects through a connected device (e.g., smart television or smart watch) for purposes other than those specified in section 7027, subsection (m), shall provide notice in a manner that ensures that the consumer will encounter the notice before the device begins collecting the personal information that it sells or shares.

(D) A business that uses or discloses sensitive personal information that it collects in augmented or virtual reality, such as through gaming devices or mobile applications, for purposes other than those specified in section 7027, subsection (m), shall provide notice in a manner that ensures that the consumer will encounter the notice before the consumer enters the augmented or virtual reality environment.

  8. Informing Consumers of Right to File Complaint. (§ 7022 and § 7026) The proposed regulations would require a business that denies a consumer’s request to know, delete, correct, opt-out, or limit to inform that consumer of their ability to file a complaint with the CPPA or California Attorney General’s office.
  9. Responding to Requests to Know. (§ 7024(k)) The proposed regulations update and clarify the information that businesses must provide in response to requests to know categories of personal information, describing that information as follows:

(1) The categories of personal information the business has collected about the consumer.

(2) The categories of sources from which the personal information was collected.

(3) The business or commercial purpose for which it collected, sold, or shared the personal information.

(4) The categories of third parties with whom the business discloses personal information.

(5) The categories of personal information that the business sold or shared about the consumer, and for each category identified, the categories of third parties to whom it sold or shared that particular category of personal information.

(6) The categories of personal information that the business disclosed for a business purpose, and for each category identified, the categories of service providers or contractors to whom it disclosed that particular category of personal information.

  10. Opt-out Preference Signals. (§ 7025) The proposed regulations would require businesses to display on their websites the status of the consumer’s opt-out choice and whether the business has processed the consumer’s opt-out preference signal as a valid request to opt-out of sale/sharing.
  11. Processing Opt-Out Requests “As Soon as Feasibly Possible”. (§ 7026) The proposed regulations include new guidance clarifying the requirement that businesses comply with consumers’ requests to opt-out of the sale or sharing of their personal information by ceasing to sell or share that personal information “as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.” Specifically, the revised regulations make clear that, if it is technically feasible for a business to comply with an opt-out request in less than 15 days (e.g., if the business uses a technology “that can restrict the transfer of personal information instantaneously”), then it must comply with that request as soon as possible, even if that means complying in less than 15 days. This means that the 15-day compliance timeframe is not a safe harbor for companies that can feasibly comply with an opt-out request sooner.
  12. Informing Consumers of Opt-Out and Right-to-Limit Request Status. (§ 7027) The proposed regulations would require businesses to provide consumers with a means by which they can confirm that their requests to opt-out of sale or sharing and/or requests to limit use of their sensitive personal information have been processed (e.g., through a message, toggle button, or radio button on the business’s website).

Also, in preparation for the board meeting, the CPPA published additional proposed regulations covering cybersecurity audits and insurance provisions.

  1. Additional Revisions to Cybersecurity Audit Regulations. The CPPA published revisions to the proposed cybersecurity audit regulations that it had previously released for discussion at the board meeting. The most recent revisions clarify the non-data broker applicability thresholds for the regulations, specifying that they would apply to businesses that have annual gross revenues of $25 million and satisfy one of three personal information processing thresholds.
  2. Insurance. The CPPA also published draft regulatory provisions clarifying that insurance companies that are “businesses” for purposes of the CCPA are subject to the CCPA to the extent they process personal information for purposes that are not subject to the California Insurance Code.

We will continue to monitor these proposals and provide updates as they arise.

____________________________________________________________________________________________________________

This article was originally posted on Cliclaw.com as part of my ongoing efforts to share valuable legal insights. I regularly contribute guest blogs to leading websites in the field of internet compliance. In these posts, I cover a range of topics to help businesses stay compliant in the ever-evolving digital world. You can read my latest guest contributions on Cliclaw.com.

This article is a publication of The Goodman Law Firm and is intended to provide information on recent legal developments. This article does not create an attorney-client relationship, nor should it be construed as legal advice or an opinion on specific situations. This may constitute “Attorney Advertising” under the Rules of Professional Conduct and under the law of other jurisdictions.

Linda L. Goodman is an attorney specializing in internet compliance and privacy law. With years of experience helping businesses navigate complex legal landscapes, Linda contributes expert insights on compliance issues in the digital space. To learn more about her services and insights, visit her law firm website at The Goodman Law Firm.

© 2023 TGLF, A.P.C.