Last week, the California Privacy Protection Agency (CPPA) released updated California Privacy Rights Act (CPRA) draft regulations and a summary of the changes. The regulations remain in the proposal stage and it is unclear when to expect finalized rules, although it is likely that this version will include near final requirements and prohibitions.
While most of the changes from the previous incarnation are technical, the modified proposal also softens one of the more revolutionary requirements: universal opt-out signals. Previously, the regulations required all CPRA-subject businesses to treat browser-based opt-out settings as the consumer’s signaled consent. They also required companies to add a dynamic icon to their website to indicate whether they had responded to the signal. Under the modified rules, businesses will only need to respond to browser opt-out signals if they sell or share personal information and have the option to display the status icon, but no longer are required to. Instead, companies can offer consumers choices about the cookies and other tracking technology used on their website, which offers greater transparency for the consumer.
The modified rules also throw businesses a bone on a few other issues. For example, the CPPA removed some statutory privacy and security requirements for business service providers because the CPRA already requires certain provisions in service contracts. The CPPA reworked other rules to “simplify implementation at this time,” so that companies would still be wise to prepare for eventual compliance without the rush of meeting the end-of-year deadline. Some of these delayed requirements include disclosing in their online privacy policies the identities of third-party data processors and controllers and technical requirements for implementing the ”Right to Limit” and financial incentive programs.
The updated rules clarify that enforcement actions against companies that employ “dark patterns,” or interfaces that steer consumers toward opting in (or not opting out), do not require showing the business’s intent. The intent is still a “factor to be considered” at CPPA’s discretion, but offenses in this area pose strict liability against the companies using these technologies. The Board of the CPPA will meet in public sessions on October 28 and 29. See the modified rules and explanations.