News & Events

California Privacy Protection Agency (CPPA) Sought Comments on Proposed Changes

The California Privacy Protection Agency sought comments on a proposed revision of the California Consumer Protection Act intended to make it more aligned with the California Privacy Rights Act. Requests for public comments opened in early July and continued through August 23. The act is intended to go into effect on January 1, 2023.

The changes to the CCPA primarily fall into 5 categories: dark patterns, selling & sharing of data, consumer rights requests, and privacy policy requirements.

Dark patterns are techniques companies use to gain user consent in manipulative ways. The changes to the act would combat this by requiring companies to:

  • Clearly notify consumers that they can opt-out of having personal information sold or shared
    • Only allows for sale/share of “necessary and appropriately reasonable” data
  • Provide reasonably accessible disclosures
  • Outline requirements for obtaining consumer consent agreements
    • Consent agreements must be:
      • Easy to understand
      • Provide symmetry of choice
        • Opting-out of sale/sharing of data must be equally accessible and require no extra steps to opting-in
      • Free from manipulative choices
        • Prohibition of choices such as “Yes! I would like to save money” versus “No, I like paying full price”

The changes to the act change wording to equate selling data and sharing data. Many entities skirt around consent requirements for the sale of data by not making a profit on the data but sharing it freely to affiliated companies. Companies will now need to obtain consent for both the sale and sharing of data. Websites must present an opt-out banner clearly on their landing page probing consumers to answer “yes” or “no” to “Do not sell or share my personal information.”

The changes to the CCPA add focus on consumer rights requests to allow consumers to delete, correct, limit the collection of, and know their personal data. These rights must be explicitly explained in an organization’s privacy policy.

Requirements for privacy policies would be expanded by the changes to the act. Privacy policies would now need to include:

  • An explanation of what the organization’s protocols are on the collection, use, sale, and retention of personal information
  • An explanation of how consumers can exercise their privacy rights and an outline of the process they can expect. These must include:
    • How to enact frictionless opt-out preferences
    • If the business knowingly sells personal information of users under 16 years old
    • Instructions for how an authorized agent can make a CCPA request on behalf of a consumer
    • Contact information
  • Date of the last update to the privacy policy

As noted, the CPPA has made the revised document available for public comments through the 23 of August. If there are substantive changes made after this round of public commenting, the revised edition will be made available for comments until a hearing committee votes to accept a final version of the bill.

Full Text of Regulations can be found Here