Posternak Blankstein & Lund LLP is now Arent Fox. Read the press release

CPRA Draft Regulations: Three Key Takeaways

The California Privacy Protection Agency (CPPA) published California Privacy Rights Act (CPRA) proposed regulations (Regulations) on May 27, 2022. The Regulations provide helpful insight into the CPPA’s vision for the CPRA and help to better prepare businesses that are structuring their privacy programs in anticipation of the CPRA’s January 1, 2023, effective date.
On

While there are several updates, we focus on a few key features of the Regulations: (1) alternative opt-out link, (2) requirements for processing opt-out preferences in a frictionless manner, and (3) disproportionate effort exemption when responding to data subject requests.

Alternative Opt-Out Link

The CPRA requires that businesses provide, where applicable, a “Do Not Sell or Share My Personal Information” and a “Limit the Use of My Sensitive Personal Information” hyperlink for data subjects to exercise opt-out rights. As an alternative to the requirement to provide these two links, the Regulations now permit the use of a single “Your Privacy Choices” or “Your California Privacy Choices.” The alternative combined opt-out link would direct the consumer to a webpage that informs the consumer of their rights and provides the opportunity to exercise both rights. The link must be located at either the header or footer of the business’s internet homepage and must include the opt-out icon to the right or left of the link. The icon should be approximately the same size as any other icons used on the webpage.

The initial statement of reasons (ISOR) from the CPPA states that the purpose of this alternative opt-out link option is to ensure uniformity and make sure the link is easily accessible and understandable to consumers. The ISOR further states that this alternative opt-out link benefits both consumers and businesses by simplifying and streamlining information about opt-outs.

As a nuance to consider, the Regulations clarify that if a business processes opt-out preference signals in a frictionless manner, it may, but is not required to, provide the above referenced links. Please read more about how to provide opt-out preference signals in a frictionless manner below.

Frictionless Manner 

The CPRA requires that businesses process opt-out preference signals in a “frictionless manner.”  To do this, the business shall not:

  1. Charge a fee or require any valuable consideration if the consumer uses an opt-out preference signal,
  2. Change the consumer’s experience with the product or service offered, and
  3. Display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signals.

Businesses must provide information on how consumers can implement opt-out preference signals for the business to process the signal in a frictionless manner, for example, in the businesses’ privacy policy.

Disproportionate Effort 

The CPRA makes reference to “disproportionate effort” as a relief for businesses that would be subject to a significant burden to comply with a consumer request. This term is used in the context of a business responding to a consumer request. Specifically, when the time and resources expended by a business significantly outweigh the benefit provided to the consumer, this is considered a disproportionate effort, and the business is not required to honor the request. In order for a business to claim “disproportionate effort,” the business would have to demonstrate that the time and/or resources needed to process the request would be significantly higher than the material impact on the consumer. Notably, a business that has failed to put in place adequate processes and procedures to comply with consumer requests in accordance with the CPRA and the Regulations cannot claim that responding to a consumer’s request requires disproportionate effort.

Next Steps

Businesses should pay close attention to the new requirements under the Regulations. Businesses are in a good place to start implementing these practices but should keep in mind that the final Regulations are due for release July 2022. Find the Regulations here.

Please contact Eva Pulliam, Christine Chong, Destiny Planter, or the ArentFox Schiff attorney with whom you normally work if you have any further questions.

Contacts

Continue Reading