The CPPA Issues Statement of Reasons for the California Privacy Rights Act Regulations Providing Guidance on Implementing the CCPA

5 min read

After a delay of eight months, the California Privacy Rights Act Regulations (CPRA) (the "Regulations") were finalized in late March of this year. The Regulations remain unchanged from the final modified version of the draft Regulations distributed in November 2022. The Regulations incorporate public comments and reflect the joint efforts of the California Attorney General and California Privacy Protection Agency (CPPA) to finalize the Regulations first introduced in July 2022.

The Regulations build upon the regulations promulgated under the California Consumer Privacy Act (CCPA) in 2020, that as explained in more detail in our client alert, established specific procedures for businesses to implement the CCPA's statutory requirements facilitating the ability of consumers to exercise their rights.

The finalized Regulations differ significantly from the initial draft of the regulations. We summarize below, the key changes and clarifications, included in the Regulations for businesses to consider in updating and implementing their programs and practices before the July 1, 2023 CCPA enforcement date.

  • Data Minimization: Under the CCPA, a business's collection, use, retention, and/or sharing of a consumer's personal information must be "reasonably necessary and proportionate" to achieve a given purpose. The Regulations now emphasize that reasonableness is to be measured from the perspective of the consumer. The purpose for collecting or processing a consumer's personal information must be "consistent with the consumer's reasonable expectations."

    In order to assist businesses in determining a consumer's reasonable expectations, the Regulations now include the following five factors to be used in making such determination: (1) the relationship between the consumer and the business; (2) the type, nature, and amount of personal information the business seeks to collect or process; (3) the source of the personal information and the method for collecting or processing it; (4) the disclosures the business has made to the consumer and whether they are specific, explicit, prominent, and clear; and (5) whether the involvement of third parties, contractors, service providers, and other entities has been made clear to the consumer.

    Additionally, further clarification is now available in the Regulations to help businesses define "reasonably necessary and proportionate." Specifically, the Regulations identify the following three factors for businesses to consider in assessing whether processing is "reasonably necessary and proportionate": (1) the minimum personal information that is necessary to achieve the purpose; (2) the possible negative impacts on consumers; and (3) the existence of possible safeguards that may be used to address the possible negative impacts on consumers.

  • Consumer Requests and Choice Mechanisms: Under the Regulations, consumer requests and choice mechanisms must be easy to understand, symmetrical, easy to execute, and must not confuse or impair consumers in exercising choices relating to their personal information. The Regulations note that mechanisms that do not comply with these principles may be considered "dark patterns," which is defined as an interface that is designed or manipulated to have the effect of substantially subverting or impairing user autonomy, decision-making, or choice. To ensure symmetry, businesses must provide equal options to consumers to exercise either a less privacy-protective or a more privacy-protective option, taking into account the number of steps needed to exercise each option.

    Notably, it is not necessary for a business to intend to create "dark patterns." Rather, it is sufficient that the design of a user interface have the substantial effect of subverting or impairing consumer choice.

    Additionally, the Regulations now clarify that the failure to remedy a known circular or broken link or a nonfunctional email address may be considered a violation of the Regulations because it fails to allow easy execution of consumer choice.

  • Expansion of Necessary Notices and Disclosures: In addition to a Privacy Policy and Notice at Collection, a business that collects sensitive personal information must also provide a Notice of Right to Limit the Use of Sensitive Personal Information. The Regulations now state that a business does not need to provide such notice if it does not collect or process sensitive personal information for the purpose of inferring characteristics about the consumer and it notes the same in its Privacy Policy.
  • Expansion of Do Not Sell Notice Requirement: In addition to providing consumers with the notice of right to opt out of the selling of their personal information, businesses must now provide the same notice when sharing personal information. Under the CCPA, "sharing" is defined as the disclosure of consumer's personal information by a business to a third party for cross-context behavioral advertising, regardless of whether any money is exchanged. A business must now post a Notice of Right to Opt-Out of Sale/Sharing on the webpage to which the consumer is directed to after clicking on the "Do Not Sell or Share My Personal Information" link.
  • Addition of Alternative Opt-out Link: Businesses may now provide consumers with a single link that allows consumers to exercise both the right to opt out of the sale or sharing of personal information and the right to limit the use of sensitive personal information. Such link must be titled "Your Privacy Choices," or "Your California Privacy Choices," and include the required opt-out icon that is similar in size to other icons used in the header or footer of the business' webpage.
  • Expansion of the Methods by Which Individuals Can Request to Opt Out: Businesses that sell or share personal information must now provide consumers two or more methods to submit requests to opt out of the selling or sharing of their personal information. For businesses that collect personal information from consumers online, the first method must be recognizing the opt-out preference signal and the second method may be an interactive form accessible via the "Do Not Sell or Share My Personal Information" link, the Alternative Opt-out Link, or the business's privacy policy if it processes an opt-out preference signal in a frictionless manner. Of significance, a business cannot require a consumer to create an account or provide additional information in order to submit a request to opt-out.

It's important to note that the current set of Regulations only address some of the areas specifically identified in the CCPA as requiring regulations. There are several required regulations that have yet to be promulgated by the CPPA. Currently, the CPPA is engaged in rulemaking for a number of the remaining unissued regulations that relate to cybersecurity audits, risk assessments, and automated decision-making. As such, businesses can expect additional guidance from the CPPA on this next batch of regulations, similar to that provided here, for consideration in developing and adapting their CCPA compliance programs before the July 1, 2023 enforcement date.


Katherine Madriz (White & Case, Law Clerk, Boston) co-authored this publication

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2023 White & Case LLP