[co-author: Blair Robinson]*
Last week, the California Privacy Protection Agency (CPPA) released an updated draft of the California Privacy Rights Act (CPRA) rules and a summary of the changes. The rules remain in the proposal stage, and it is unclear when to expect a final version, although this version will likely include near-final requirements and prohibitions.
While most of the changes from the previous version are technical, the modified proposal also relaxes one of the more revolutionary requirements: universal opt-out signals. Previously, the regulations required all CPRA entities to treat browser-based opt-out options as consumer consent. They also required companies to add a dynamic icon to their website to indicate whether they had responded to the signal. Under the amended rules, companies will be required to respond to browser opt-out signals only if they sell or share personal information, and they have the option to display a status icon but are no longer required to do so. Instead, companies can offer consumers choices about the cookies and other tracking technologies used on their website, which provides greater transparency for the consumer.
The amended rules also ease the burden on businesses on several other issues. For example, the CPPA removed some statutory privacy and security requirements for business service providers because the CPRA already requires certain provisions in service contracts. The CPPA reworked other rules to “simplify implementation for now,” so companies would still be wise to prepare for possible compliance, without rushing to meet a year-end deadline. These deferred requirements include disclosing, in online privacy policies, the identities of third-party data processors and controllers, as well as technical requirements to implement “Right to Limit” and financial incentive programs.
The updated rules clarify that enforcement actions against companies that use “dark patterns,” or interfaces that direct consumers to opt in (or not opt out), do not require a demonstration of the company’s intent. Intent is still a “factor to consider” under the CPPA, but offenses in this area carry strict liability against companies using these technologies. The CPPA Board will meet in open sessions October 28 and 29. See the changed rules and the explanation.
*The intern is not a lawyer