CPRA Regulations Approved by Office of Administrative Law (California) 

1. Introduction 

The California Privacy Protection Agency (“CPPA”) has had their first set of regulations approved by California’s Office of Administrative Law (“OAL”) on March 29, 2023, and they will become effective immediately. These final regulations will provide clarification on various new concepts introduced in the California Privacy Rights Act (“CPRA”), which was passed as Proposition 24 during the 2020 election. The regulations have been long awaited and cover topics such as data reduction principles and guidelines for data usage. The rules also establish standards for consumer rights, including opt-out options, and specify the language to be used in communications with consumers, such as privacy policies and notifications during data collection. 

2. Notable Changes Brought Forward 

1. Amendments for Collection and Use of Personal Data 

The CPRA has imposed new limitations on the collection and usage of personal information. In accordance with the principle of data minimization, the collection and processing of personal information must be done in a manner that is reasonably necessary and proportionate to achieve either:  

1. The purposes for which the personal information was initially collected or processed, consistent with consumers’ reasonable expectations, or  

2. Another disclosed purpose that is compatible with the context in which the personal information was collected or processed. In the event that a company fails to satisfy both requirements, they must obtain the consumer’s consent before collecting or using any personal data for additional purposes that were not originally stated in the collection notice. 

The regulations provide specific guidance on how to determine whether the purposes for collecting personal information align with the “reasonable expectations of consumers.” The guidelines suggest taking into account factors such as the business’s relationship with its customers, the type, nature, and amount of personal information being collected, the source of the information, and the methods used for collecting or processing it. The regulations also suggest considering the specificity, explicitness, and prominence of the personal information in the source system and the methods used for collecting or processing it. The crucial factor in the compatibility test is whether the disclosed purpose for personal information processing is compatible with the context in which the data was initially collected. 

Additionally, the regulations establish standards for determining whether processing operations satisfy the necessary and appropriate requirements. Companies are expected to collect and manage the minimum amount of personal data needed to fulfil a processing purpose. They should also consider implementing additional measures to address potential risks to consumers that were previously identified, such as encryption or automatic erasure. 

2. Keeping the Consumers in Loop 

• Concerning deceptive practices: The regulations require companies to make consumer disclosures and communications clear, concise, and easy to understand, avoiding technical or legal jargon. The rules also define “Dark Patterns,” which are wording or interactive features that may deceive customers, and prohibit their use. An interface is considered a dark pattern if it undermines a user’s ability to make decisions or choices. However, complying with these guidelines is challenging, given the extensive and complicated nature of disclosures. 
• Regarding disclosure requirements and privacy policies: The regulations outline information that must be included in a privacy policy, such as a comprehensive explanation of the business’s information practices, the categories of information collected, the sources of personal information, the specific purposes for collecting the data, and whether the business has knowledge of the individuals whose information is collected. They must also provide a breakdown of consumer rights under California privacy laws, instructions on how to exercise those rights, and the date of the most recent privacy statement update. 
• Notification at collection: The notice given at the time personal data is collected must include the types of personal information to be collected (including sensitive data), the purposes for which the data will be used, and whether it will be sold or shared. The rules further require that the notice of collection may be given online through a link that directs consumers to a specific area of the privacy policy. It is no longer sufficient to direct users to the entire privacy policy and ask them to look for information on data collection. 

3. Opt-out and Use Limitation Rights 

• Limit the Usage of My Sensitive Personal Information: The CPRA now grants consumers the right to request a company to restrict its use and disclosure of sensitive personal information. Companies are required to notify customers of this new right and include a “clear and visible” link on their website that reads, “Limit the Use of My Sensitive Personal Information.” However, there are exemptions to providing a Notice of Right to Limit or the link to “Limit the Use of My Sensitive Personal Information” if:  

1. The company only uses and shares sensitive personal information to provide typical services or goods that a consumer would reasonably expect; to prevent, detect, and investigate security incidents; to resist and prosecute malicious, deceptive, fraudulent, or illegal actions against the business; to ensure the physical safety of people; for short-term, transient use; or to provide services to the business.  

2. The company solely collects or uses sensitive personal data for internal business purposes and not to make conclusions about a customer. 

• Alternative Opt-Out Link: To make it easier for consumers to opt-out of the sale or sharing of their personal information and limit its use, the CPRA Regulations permit the use of a single Alternative Opt-out Link in place of the separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links. Companies that sell or distribute personal information must honour every opt-out request and treat it as a valid request to opt-out of sale or sharing. 

To make it easier for consumers to exercise their right to opt-out of sale or sharing of personal information and their right to limit the use of sensitive personal information, the CPRA allows for a single Alternative Opt-out Link to replace the two separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links. Any opt-out preference signal received by a company must be honoured and treated as a legitimate request to opt-out of sale or sharing of personal information. 

4. Rules Concerning Service Providers and Third Parties 

To comply with the CPRA’s right to delete personal data, businesses must delete personal data collected by their service providers and notify third parties to delete personal information unless doing so is impossible or excessively burdensome. Businesses must review their contracts with service providers to ensure compliance with the new regulations, as well as assess their consumer communications and privacy policies to comply with the CPRA and recent rules. If the usage of sensitive personal data falls under any of the exceptions, businesses must specify this in their privacy policies. 

3. Conclusion 

The California Privacy Rights Act (CPRA) sets a new standard for privacy regulation in the United States, introducing several significant changes to the previous California Consumer Privacy Act (CCPA). The CPRA introduces new consumer rights, including the right to correct inaccurate personal information, the right to restrict the use of sensitive personal information, and the right to limit the sharing of personal information. 

The CPRA also strengthens privacy enforcement mechanisms, requiring businesses to conduct regular risk assessments and submit annual privacy audits. Additionally, businesses must enter into contracts with service providers that ensure compliance with the CPRA, and they must inform all third parties with whom they have shared or sold personal information to delete it, unless this is impossible or requires a disproportionate effort. Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today. Tsaaro helps in compliance with the privacy laws, with the skilled privacy professionals in the market.  Get in touch with us at info@tsaaro.com  .