Draft Revised California Consumer Privacy Act (CCPA) 2022

Earlier in June, the California Privacy Protection Agency decided to move forward with proposed revisions to the CCPA. The new draft got published as meeting materials and could be found here.

Although there will be a few minor changes from what is published, it's clear that advertisers will have to make some changes in their SOPs for compliance.?

It’s important to note that this proposed draft is not law yet and may look very different when enacted by the state legislature or governor.

Still, we expect it will contain all of these same elements and more when it comes into force—so now is a great time for you to get ahead of the curve!?

Below are key points on the proposed revised regulations?

The revised draft of regulations addresses some of the concerns raised by privacy advocates and industry groups during the public comment period following the release of the original draft regulations.

The AGO is trying to balance the needs of consumers and businesses. The AGO has tried to address the concerns of privacy advocates while still allowing businesses to profit.?

• The proposed regulations are in draft form and are not yet final. At this time, the Department of Consumer Affairs has not released its finalized revisions to the CCPA, but it has made public its latest proposals for what those revisions will look like.
• As a result, these points should be considered informative only and may change as more information becomes available from the Department of Consumer Affairs or other sources.?
• The proposed regulations address some concerns privacy advocates and industry groups raised about how to implement California’s law. In particular:?
• Businesses would have an opportunity to provide notice before collecting certain personal information (like users’ social security numbers).
• However, they would need to provide that notice within 30 days after collecting such data (rather than immediately upon collection) so that individuals could make an informed decision about whether they wanted their data collected in this manner.?
• Businesses would not be required to notify customers every time they share their PII with third parties unless there was a material change in how PII is shared with third parties.?
• Businesses would have an opportunity to obtain consent before sharing user data with third parties without first providing notice.?

1. Opt-Out Requirements for Internet Advertising and Tracking are not optional?

The regulations require opt-out requirements for internet advertising and tracking to be “reasonable” (Section IV(B)(1)). The regulations state that an opt-out requirement is unreasonable if it is “not easily accessible; requires more than a single step.

Requires a disproportionate amount of time or resources relative to the significance of the information sought by the consumer.

Uses technology that is inconsistent with standard industry practices or requires special hardware or software unless such special hardware or software is freely available to all consumers who request access.?

Under California law, an opt-out should be in a manner that is reasonably designed to reach the consumer.

That means if you have your name on some mailing list (e.g., e-mail list), then your opt-out must be sent via the e-mail address associated with your name on such mailing list—even if you prefer another method/channel such as snail mail or text message.?

2. Insights on Purpose Limitations??

While the purpose limitation rule is not the most complicated aspect of the CCPA, it is nonetheless critical in regulating how data can be collected and used.

The CCPA requires businesses that sell consumer personal information to provide notice at or before the point of collection that their customers' personal information will be used for specified purposes (e.g., general marketing) and not for other purposes (e.g., individualized advertising).?

In other words, if you are collecting someone's name and e-mail for any reason other than direct communication, you need to give them notice before collecting it.?

3. The requirement for a specified methodology for obtaining consumer consent and sending CCPA requests?

The regulations specify that businesses must use a reasonably calculated method to ensure that the consumer can reasonably understand the nature and purpose of the collected information.

In other words, what you’re asking for should be clear and why you need it. The method must also be in plain language and use unambiguous language.?

For example, don't say: "To make this process easier for you, we'll store your payment information." Instead, say: "We will store credit card details, so they're available when you make future purchases on our site."?

4. Consumers to be allowed to opt-out of cross-contextual behavior-based advertising??

To be effective, an opt-out must be provided at or before the point of collection. This means that you must provide consumers with the opportunity to opt-out of cross-contextual behavior-based advertising before you collect their information for this purpose.??

In addition to being made available at or before collection, your opt-outs must also be provided clearly and conspicuously so as not to mislead consumers about their options or diminish their ability to exercise them.

Finally, your opt-out process should be reasonably calculated to reach each consumer affected by your data collection practices.?

Conclusion?

The proposed changes to the CCPA are likely to undergo many revisions before they are enacted. The California Privacy Protection Agency has not yet set an effective date of these revised regulations.??

However, businesses should begin preparing for these new requirements by reviewing their current practices and processes to identify areas where changes may be needed to avoid penalties under this law or even litigation when it takes effect as expected in 2022.?

Start your data privacy journey with Adzapier’s Free Cookie Site Scanner Tool. Just enter the URL of your website and find out what cookies are being used on your site, understand their purpose, and have actionable insights to update your site’s privacy policy.?

.

.

.

#ccpa #california #californiaprivacyact #america #dataprivacy #datacollection #dataprotection #dataprivacylaw #privacylaw #privacymatters #privacybydesign #cmp #consentmanagement #cookieconsent #dsar #adzapier