On May 27, the agency tasked with enforcing the CPRA released a 66-page draft document on how to comply with the law. The California Privacy Protection Agency is required to conduct public comment periods on the regulations as they draft them, and there’s a whole lot in there one could comment on. Despite its size, however, the document’s scope is less expansive. It spends the majority of its ink on opt-outs. The agency takes up a lot of the pdf’s real estate describing in assiduous detail how you may or may not operationalize global-opt out signals.
There’s a reason for that, though. To the architects of the CCPA, it was clear the “Do Not Sell” button the CCPA mandated indeed applied to behavioral advertising: That is, users could click “Do Not Sell” and understand they wouldn’t be tracked on websites for advertising purposes. But since then, many an adtech advocate or attorney has opined that the law doesn’t necessarily capture behavioral advertising. You know, based on how you read it.
Here’s a brief synopsis of the CPPA’s more interesting signals, pun intended, within its draft regulations on the CPRA. Keep in mind that the CPPA’s chairman is none other than technologist Ashkan Soltani, who helped draft the CCPA. Since then, he’s seen the fruits of his labor; what’s working and what’s not. Reading these draft regulations, you can almost hear Soltani himself saying, “Here’s the rule. And no, sneaky lawyer, you’re not getting around it that way. Let me spell it out for you: That way is also not allowed.”
Reduce your CPRA data risks with TerraTrue’s automation.
Frictionless opt-outs
Within the draft regulations, there’s a tremendous amount of procedural requirements about what opt-out is. There are essentially two options: You can have a button at the bottom of the website indicating consumers can click it to opt out. Or, you can abide by what’s called a “frictionless manner,” which means that a business has to process an opt-out without charging a fee or changing the consumer’s experience with the product or service.
“For example, the consumer who uses an opt-out preference signal shall have the same experience with regard to how the business’s product or service functions compared to a consumer who does not use an opt-out preference signal,” the draft regs state.
There’s quite a bit of detail on what counts as a frictionless signal; almost an absurd amount of detail. Here’s a screenshot of just some of the examples the agency uses to illustrate what it means.
Cookies and consent
The draft regulations get specific on how opt-outs can be operationalized under the law and how businesses must frame such a question. You must provide two symmetrical choices. For example, if you’re asking consumers to opt-in to the sale of their personal information, you may not offer the choices “Yes” and “Ask me later.” If yes is an option, “No” must be the second. For symmetry.
Another example might be if you were to ask a user, “Are you cool with these cookies?” You could provide the option to “accept all” the cookies or “decline all” the cookies, but you can’t offer them the choice to either “Accept All” or “Learn More.” Those two choices would not be symmetrical.
In addition, businesses have 15 days to stop selling or sharing consumers’ personal information after receiving a request.
Given that the agency has a $10 million budget and a limited bandwidth to actively enforce the law, the prescriptive nature of these draft regulations takes the mind for a bit of a spin: Will the agency spend much of its time chasing who didn’t make wise word choices in their consent requests? We don’t know yet.
Public reporting
While our neighbors and friends have had a few years to adjust to the GDPR’s mandates on DSARs, it wasn’t until the CCPA that we here in the U.S. had to consider them.
That’s why the draft regulations’ public reporting requirements will likely give most businesses some minor heartburn. Here’s the thing: Businesses that sell, share or use the data of 10 million or more California consumers must issue a public DSAR report every year by July 1 disclosing how many DSARs the business received for both deletion and correction, as well as which of those were accepted, rejected, or fulfilled. You must also disclose how long you took to handle the requests received.
Specifically, if you’re captured by the law, you’re required to compile the following on DSARs:
- The number of requests consumers filed to delete their data
- The number of correction requests consumers filed about their data
- The number of requests consumers made to opt out of data sales and sharing – whether they were complied with in whole, or in part, or denied.
- The “median or mean number of days” it took the business to respond to requests to delete, correct, know or opt-out of sales and sharing
It’s highly unlikely that most U.S.-based companies have a system that comprehensive and detailed already in place for doing that kind of public reporting to date.
What the regs don’t address (yet)
While highly anticipated and eagerly awaited, one thing the regulations don’t address is DPIAs. There is a brief mention that businesses should only collect, use, retain, or share the personal information necessary for the purpose it was originally collected. But that’s about all you’ve got that even kind of hints at DPIAs, period. We don’t yet know when California law triggers a DPIA to be conducted.
While the CPPA is required to finalize its regulations by July 1, 2022, that’s not going to happen. It’s already mid-June and the draft regulations have only started hitting the public.
The draft regulations also don’t spell out the rules on AI or employee and HR data, though businesses desperately seek insights.
The good news is those insights should emerge in the coming months as the CPPA continues to hold public hearings and accept comments on draft 1.0.
We’ll keep you posted as details develop.
Request a TerraTrue demo today, and see how we can help you get compliant with CPRA!