In a nutshell
The California Privacy Rights Act of 2020 (CPRA) amends the California Consumer Privacy Act of 2018 (CCPA), with most changes effective January 1, 2023, subject to a 12-month lookback. Penalties increase. Limited exceptions for the personal data of employees and business contacts expire. The new California Privacy Protection Agency (CPPA) has published draft regulations that, once finalized, will expand on the statute and on the existing rules issued by the California Attorney General. The CPPA will hold public hearings on August 24 and 25, 2022 to solicit input on the draft regulations and may make further changes. However, because the CPPA’s attention is focused in part on the draft U.S. Data Privacy and Protection Act and its potential preemptive effect on California’s privacy laws, it is unclear whether the CPPA will finalize the regulations before the CPRA’s amendments to the CCPA take effect. In the current draft, the CPPA has not yet addressed all of the topics and issues mandated by the CPRA, so further drafts are expected. Despite the fluid situation, businesses need to take steps now to be ready by the January 1, 2023 date:
- Continue contract renewals
- Prepare for customer privacy audits
- Update and document the data subject request program
- Operationalize the principle of data minimization
- Avoid dark patterns
Many companies are still working to update their contracts to meet the European Union’s 2021 Standard Contractual Clauses (EU SCC). The revised CCPA and the CPPA’s draft regulations would impose new and different data protection requirements on contracts between parties that disclose personal information. Businesses should standardize their legal terms wherever possible and maintain a unified set of data protection terms that any customer or service provider would be willing to accept. Like the EU SCC, the CPPA’s draft regulations also require specificity: the draft regulations do not allow the business purposes or services for which personal information is processed by service providers, contractors or third parties to be described in general terms, such as by a general reference to the entire commercial contract. To keep the contracting process manageable, companies should consider separating the mandatory legal terms required under the CCPA from the factual descriptions of particular relationships (similar to the factual annexes contained in the EU SCC). Businesses also need efficient processes for updating vendor and customer contracts without lengthy negotiations and elaborate signing procedures. This requires standardized terms (see our article on global standardization of data processing agreements) and electronic signatures (see our article on electronic form over physical form: electronic signature law is an upgrade). By separating data processing terms from the commercial terms that allocate risk and responsibility and set the dispute resolution framework and governing law, contracting parties can frequently update the data processing terms to meet compliance requirements as the law changes, aligning both parties’ interests in the data processing agreements they need (which cannot be unilaterally amended by either party).
Companies often spend hours in lengthy negotiations over which audit rights to include in data processing agreements, even though such rights are rarely exercised in practice. Under the draft regulations, however, whether a business conducted due diligence on its service providers and contractors would be taken into account in determining whether the business had reason to believe that a service provider or contractor was using personal information in violation of the CCPA or its regulations. While simple terms regarding audit rights probably still make sense for many businesses, businesses should be prepared for the possibility that their customers will enforce contract terms or exercise their right to audit or test their systems, and must be prepared to conduct such audits of their own vendors.
The draft regulations also address how businesses must respond to requests from California residents to exercise their rights under the revised CCPA. These include the rights to know, access, port, delete and correct personal information, to limit the processing of sensitive personal information, to opt out of the “selling” and “sharing” of personal information, and to withdraw from financial incentive programs. Businesses should consider which of these rights apply to them and how. For example, if a business does not use personal information for purposes other than those listed in subsection 7027(l) of the draft regulations, it is not required to provide a “Limit the Use of My Sensitive Personal Information” link. Businesses must then implement the technical controls necessary to respond to requests (including the ability to honor opt-out preference signals) and protocols that give personnel clear guidance on how to respond to written requests.
The draft regulations also introduce the concept of “disproportionate effort” in the context of businesses responding to consumer requests. Disproportionate effort is defined as a situation in which the time and resources a business would expend to fulfill an individual request significantly exceed the benefit the consumer would receive from fulfillment. A business can claim disproportionate effort as a basis for declining a data subject request only if it has appropriate processes and procedures in place to respond to consumer requests in accordance with the CCPA. Having such processes and procedures in place is a requirement under many privacy laws around the world, so companies should document their programs.
The draft regulations introduce further restrictions on the collection and use of personal information. The collection, use and retention of personal information must be reasonably necessary and proportionate to achieve the purposes for which it was collected or processed. Explicit consumer consent is required where the collection, use or retention is not necessary and proportionate, or is unrelated to or incompatible with the purposes of collection. In summary, section 7002 of the draft regulations suggests that if the collection, use, retention and/or sharing of data is unrelated to or incompatible with the purposes for which it was collected, prior explicit consent is required even where detailed notice has been provided.
“Dark patterns” broadly refer to tactics companies use to steer individuals into decisions that favor the company over the individual. The CCPA, as amended, provides that consent obtained through the use of dark patterns is not valid, and the CPPA’s proposed regulations give several examples of user interfaces that are considered dark patterns and explain in more detail what may constitute one. Beyond the CCPA, the consumer privacy laws of Connecticut and Colorado also restrict the use of dark patterns, and the Federal Trade Commission has issued warnings against dark patterns and has taken enforcement action against companies that use them. Companies should review their user interfaces to ensure that they are clear, present positive and negative options symmetrically, do not obstruct users from making choices that are unfavorable to the company, and generally avoid manipulating users or subverting or substantially impairing user autonomy.
Businesses should continue to prepare for the known January 1, 2023 requirements of the revised CCPA itself, and should also begin addressing those requirements in the draft regulations that will improve the company’s overall privacy compliance program (the details of the regulations remain subject to further change before they are finalized). Companies should not delay action just because laws and regulations are in flux. That has been the situation in California and elsewhere since 2018; it is the new normal.