United States: How to comply with CCPA while the new Agency revises Regulations

16 Aug 2022    5 minute read
CCPA CRPA

In brief

The California Privacy Rights Act of 2020 (CPRA) amended the California Consumer Privacy Act of 2018 (CCPA) with most changes taking effect on 1 January 2023 with a twelve-month look-back. Limited exceptions concerning the personal data of employees and business contacts will expire. The new California Privacy Protection Agency (CPPA) has published draft regulations that will, once finalized, expand on the rules in the statute and existing regulations from the California Attorney General. The CPPA is conducting hearings on 24 and 25 August 2022 to solicit input on the draft regulations from the public and may make further changes to them. But with the CPPA’s attention partially focused on the draft American Data Privacy and Protection Act and its possible preemptive effect on California privacy laws, it is unclear if the CPPA will finalize the regulations before the CPRA amendments to CCPA take effect. In the current draft of the regulations, the CPPA does not yet address all of the topics and issues mandated by the CPRA, so we expect further draft regulations to come. Despite the fluid situation, companies should take steps now to prepare before 1 January 2023.

Contents

  1. Continue updating contracts
  2. Prepare for customer privacy audits
  3. Update and document data subject request program
  4. Operationalize data minimization principles
  5. Avoid dark patterns
  6. Summary

Continue updating contracts

Many companies are still working on updating their contracts to account for the European Union’s standard contractual clauses from 2021 (EU SCCs). The amended CCPA will, and the CPPA’s draft regulations would, impose new and different data protection requirements in contracts among parties that disclose personal information among themselves. Companies should standardize the legal terms as much as possible and have a consolidated set of data protection standards that they would be willing to agree to as customers or service providers. Just as the EU SCCs do, the CPPA’s draft regulations require specifics. Under the draft regulations, the business purpose or service for which the service provider, contractor, or third party is processing personal information may not be described in generic terms, such as by referencing the entire commercial contract generally. To manage the contracting process, companies should consider separating out the mandatory legal terms under the CCPA and the factual descriptions of the particular relationship (similar to the factual annexes that are populated in the EU SCCs). Also, companies need to establish efficient processes to update vendor and customer contracts without protracted negotiations and elaborate signature procedures, including by agreeing on notice and object mechanisms concerning changes mandated by law, standardized terms (see article on Standardizing Data Processing Agreements Globally) and electronic signatures (see article on Electronic Form Over Substance: eSignature Laws Need Upgrades). Contracting parties can align their interests on data processing agreements, which they must update frequently as laws change, by separating those data processing terms that satisfy compliance requirements from commercial terms, which allocate risks and liabilities and determine the framework for dispute resolution and laws governing disputes between the contracting parties (and which cannot be unilaterally updated by one party).

Prepare for customer privacy audits

Companies often spend time on lengthy negotiations of what audit rights should be included in data processing agreements even though such rights are rarely exercised in practice. But under the draft regulations, whether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and its regulations. Simple contract terms for audit rights probably still make sense for many companies, but companies should prepare internally for the possibility that customers will enforce contract terms or exercise rights to audit or test systems.

Update and document data subject request program

The draft regulations elucidate how businesses must respond to requests from California residents to exercise their rights under the amended CCPA, including to know, access, port, delete and correct personal information, to limit the processing of sensitive personal information, to opt-out of the “selling” and “sharing” of their personal information, and to withdraw from financial incentive programs. Businesses should examine which of these rights apply to them and how. For example, if a business does not use personal information for any purposes other than those listed at subsection 7027(l) of the draft regulations, it does not have to offer a “Limit the Use of My Sensitive Personal Information” link. Businesses should then implement required technical controls to respond to requests (including the capacity to respond to opt-out preference signals) and protocols that provide clear guidance to personnel on how to respond to written requests.

The draft regulations also introduce the concept of “disproportionate effort” within the context of a business responding to a consumer request. Disproportionate effort is defined as the time and resources expended by a business to respond to an individualized request significantly outweighing the benefit provided to the consumer from responding to the request. A business can only claim disproportionate effort as an exemption to the duty to respond to a data subject request if they have in place adequate processes and procedures to comply with consumer requests in accordance with the CCPA. Since having in place such processes and procedures is a requirement or necessity under numerous privacy laws globally, businesses should document their program.

Operationalize data minimization principles

The draft regulations introduce further restrictions on the collection and use of personal information. Use, collection, and retention of personal information must be reasonably necessary and proportionate to achieve the purpose(s) for which it was collected or processed. Any collection, use or retention not necessary or proportionate or that is unrelated or incompatible with the purposes for collection requires consumer’s explicit consent. Taken together, section 7002 of the draft regulations suggest that up front explicit consent is required even with detailed notice if the data collection, use, retention, and/or sharing is unrelated or incompatible with the purposes(s) for collection.

Avoid dark patterns

”Dark patterns” refer broadly to tactics that companies use to coerce individuals into making decisions that are likely more favorable for the company than the individual. The amended CCPA provides that consent is not effective if obtained through the use of a dark pattern, and the CPPA’s draft regulations explain in greater detail what might constitute a dark pattern, including by providing several examples of user interfaces that would be considered dark patterns. Outside of the CCPA, the consumer privacy laws of Connecticut and Colorado also restrict the use of dark patterns, and the Federal Trade Commission has issued warnings against the use of dark patterns and taken enforcement actions against companies that allegedly engaged in their use. Businesses should review their user interfaces to ensure that they are clear, present positive and negative options in a symmetrical way, do not hinder users from executing decisions that are less favorable to the company, and generally avoid manipulating users or substantially subverting their autonomy.

Summary

Companies should continue to prepare for the known 1 January 2023 requirements in the amended CCPA itself, but also get ahead of addressing some of the requirements in the draft regulations that improve a company’s overall privacy law compliance program (and that are helpful to address even if the details of the regulations are further changed before they are final). Companies should not delay action merely because the fact that laws and regulations are in flux. This has been the case since 2018 in California and elsewhere. This is the new normal.

Contact Information
Lothar Determann
Partner
Palo Alto
Read my Bio
lothar.determann@bakermckenzie.com
Helena Engfeldt
Partner
San Francisco
Read my Bio
helena.engfeldt@bakermckenzie.com
Jonathan Tam
Partner
San Francisco
Read my Bio
jonathan.tam@bakermckenzie.com

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.