In the run-up to this Friday’s December Board meeting, the California Privacy Protection Agency (CPPA or the “Agency”) has continued its recent flurry of regulatory activity. Late last week, the CPPA published an additional set of proposed regulations that included, most notably, proposed revisions to existing California Consumer Privacy Act (CCPA) regulations. The Agency also released additional revisions to the proposed cybersecurity audit regulations that it had previously circulated, as well as draft provisions regarding the applicability of CCPA regulations to insurance companies. These latest proposals join an already crowded agenda for the CPPA’s December 8 Board meeting, which will also feature discussion of, among other things, the Agency’s recently released draft regulations on automated decisionmaking technology (ADMT) and the latest iteration of its risk assessment regulations.
The revisions to the CCPA regulations are the most notable element of this latest batch of proposed regulations. Though they would slightly raise the annual gross revenue threshold that governs whether a company is a “business” subject to the CCPA’s requirements, the proposed revisions would also impose additional compliance requirements on businesses, including new provisions related to notifying consumers of their right to file complaints and informing them of the status of their opt-out and right-to-limit requests. The revisions also clarify a number of existing requirements, such as the regulations’ provisions on obtaining consumer consent and timely compliance with opt-out requests.
In this post, we summarize key elements of the CPPA’s latest set of proposed regulations. To stay up-to-date on the latest developments in the ever-evolving California privacy and cybersecurity legal landscape, be sure to subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.
Revisions to CCPA Regulations
Key revisions to the CCPA regulations proposed by the CPPA include the following:
1. Increased Applicability Thresholds: The proposed revisions include a new provision that increases the CCPA’s monetary thresholds in alignment with increases in the Consumer Price Index. Most notably, this would result in an increase of the annual gross revenue threshold that an entity must satisfy in order to constitute a “business” subject to the CCPA’s requirements. Under the proposed regulations, that threshold would rise from $25 million to $27.98 million.
- It is also worth noting that this increase in the CCPA’s monetary thresholds would increase the monetary damages, administrative fines, and civil penalties that a business could be exposed to under the law.
2. Informing Consumers of Right to File Complaint: The proposed regulations would require a business that denies a consumer’s request to know, delete, correct, opt-out, or limit to inform that consumer of their ability to file a complaint with the CPPA or California Attorney General’s office.
3. Processing Opt-Out Requests “As Soon as Feasibly Possible”: The proposed regulations include new guidance clarifying the requirement that businesses comply with consumers’ requests to opt-out of the sale or sharing of their personal information by ceasing to sell or share that personal information “as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.” Specifically, the revised regulations make clear that, if it is technically feasible for a business to comply with an opt-out request in less than 15 days (e.g., if the business uses a technology “that can restrict the transfer of personal information instantaneously”), then it must comply with that request as soon as possible, even if that means complying in less than 15 days. In other words, the 15-day compliance timeframe is not a safe harbor for companies that can feasibly comply with an opt-out request sooner.
4. Consent Guidance: The proposed regulations include new guidance regarding properly obtaining consent from consumers, most notably including new illustrative examples related to providing consumers with symmetrical and clear choices.
5. Definition of “Sensitive Personal Information”: The revised regulations include an amended definition of “sensitive personal information” that includes “[p]ersonal information of consumers less than 16 years of age.” The CPPA asserts that this revision is intended to align California’s definition of “sensitive personal information” with the definitions in other states’ comprehensive privacy laws.
6. Informing Consumers of Opt-Out and Right-to-Limit Request Status: The revised regulations would require businesses to provide consumers with a means by which they can confirm that their requests to opt-out of sale or sharing and/or requests to limit use of their sensitive personal information have been processed (e.g., through a message, toggle button, or radio button on the business’s website).
7. Privacy Policy Links for Mobile Applications: The revised regulations would require mobile applications to post links to their privacy policies in the applications’ settings menus (rather than just on the applications’ platform or download pages, as currently required).
8. Responding to Requests to Know: The revised regulations clarify the information that businesses must provide in response to requests to know categories of personal information, describing that information as follows:
- (1) The categories of personal information the business has collected about the consumer.
- (2) The categories of sources from which the personal information was collected.
- (3) The business or commercial purpose for which it collected, sold, or shared the personal information.
- (4) The categories of third parties with whom the business discloses personal information.
- (5) The categories of personal information that the business sold or shared about the consumer, and for each category identified, the categories of third parties to whom it sold or shared that particular category of personal information.
- (6) The categories of personal information that the business disclosed for a business purpose, and for each category identified, the categories of service providers or contractors to whom it disclosed that particular category of personal information.
The CPPA has also published a chart summarizing its proposed changes to the CCPA regulations.
Additional Proposed Regulations: Cybersecurity Audit Regulations and Insurance Provisions
In addition to the proposed revisions to the CCPA regulations, the CPPA published two other regulatory materials of note late last week:
1. Additional Revisions to Cybersecurity Audit Regulations: The CPPA published additional revisions to the proposed cybersecurity audit regulations that it had previously released for discussion at this week’s Board meeting (and summarized those new revisions in an accompanying chart). Most importantly, these latest revisions clarify the non-data broker applicability thresholds for the regulations, specifying that they would apply to businesses that have annual gross revenues of $25 million (in line with the CCPA’s statutory definition of “business”) and satisfy one of three personal information processing thresholds (personal information of 250,000 or more consumers or households; sensitive personal information of 50,000 or more consumers; or personal information of 50,000 or more consumers under the age of 16). Notably, for these three personal information processing thresholds, the Agency selected the lowest thresholds that it had previously identified as options (i.e., those thresholds that would protect the most consumers).
2. Insurance: The Agency also published draft regulatory provisions clarifying that insurance companies that are “businesses” for purposes of the CCPA are subject to the CCPA to the extent they process personal information for purposes that are not subject to the California Insurance Code.