At a glance
In March 2023, the CPRA modified regulations were accepted and made final by the California Office of Administrative Law (OAL).
These updates clarified certain requirements—giving California businesses more detail, and in many cases, illustrative examples of how the law should be interpreted and implemented.
With the CPRA enforcement date right around the corner, businesses need to apply these updates to their privacy programs before the California Privacy Protection Agency (CPPA) begins enforcement in earnest.
Below we’ll cover 5 key takeaways from the CPRA modified regulations, including new restrictions on the collection and use of personal information, updated language around consumer consent, clarification on opt-out, and more.
Reasonable and proportionate consumer data collection
The CPRA modified regulations state:
“a business’s collection, use, retention, and/or sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve [...] [t]he purpose(s) for which the personal information was collected or processed”
This language shares the same reference point as the original CPRA text, but goes on to include:
Five elements for businesses to consider when determining whether data processing is consistent with a consumer’s expectations
Three ways to identify when a stated purpose is consistent with the context in which the data was gathered
Three ways to decide if data processing is necessary and proportional to its purpose
We’ll cover the five considerations for evaluating consistency with consumer expectations below. That said, we highly recommend reviewing § 7002 of the modified regulations to brush up on the other components.
Under the CPRA modified regulations, a consumer’s expectations around data processing are influenced by:
Their relationship with the business
The type, nature, and amount of personal information being collected or processed
The source of the personal information and how the business collects and processes it
How the business discloses collection or processing to a consumer, specifically in terms of the disclosure’s “specificity, explicitness, prominence, and clarity”
The degree to which consumers are aware that third parties, service providers, contractors, and others are involved in the collection or processing
It will be interesting to see how this particular section of the modified regulations plays out. Though the CPPA did clarify certain portions of the text, the terms 'reasonable' and 'proportionate' are inherently subjective, and this was one instance where the modified regulations didn’t provide examples.
In terms of implementation, this means many companies may end up looking to the CPPA for further guidance and/or peering over their neighbor's shoulder, i.e. seeing how other companies approach this requirement. It’s also likely that long-term enforcement will rely on early precedents.
Dark patterns and consent
CPRA was the first of California’s privacy laws to specifically mention dark patterns, defining them as:
“a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice, as further defined by regulation.”
And going on to say that a consumer’s:
“...agreement obtained through use of dark patterns does not constitute consent.”
This expansion on valid consent is unique to the modified regulations, in that the concept of dark patterns didn’t explicitly appear in the California Consumer Privacy Act (CCPA).
Broadening the scope of the CCPA, this new language reflects a commitment to regulating actions that are difficult to define yet have a clear impact on customers' decisions. It also allows California regulators to investigate dark patterns backed by a clear legal framework, increasing the likelihood of enforcement.
The CPRA modified regulations offer five guidelines for how a business can evaluate whether an interface or workflow is collecting valid consent. Read our full guide on dark patterns for CPRA compliance to learn more.
Easy to understand
This one is pretty clear, but remember that ‘easy to understand’ applies to both the language and design of your consent interface.
The modified regulations emphasize that consent interfaces should use straightforward language to explain a consumer’s choices and how to implement them. In other words, avoid legal mumbo jumbo, double negatives, or any misleading terms.
The same goes for design—the interface should be designed so that the options and outcomes are clear.
Symmetry in choice
Symmetry in choice means that choosing the ‘more privacy’ option should not take more effort than the ‘less privacy’ option.
For example, cookie banners that give consumers the choice of "Accept all" and "More information" are not compliant. This is because consumers only need to click once to accept cookies, but must click multiple times to reject them.
Similarly, offering "Yes" and "Ask me later" as the only two options is also prohibited, because there’s no way to reject the opt-in.
Avoid confusing language or interactive elements
Double negatives are a prime example of confusing language. For example, having "Yes" or "No" next to the statement "Do Not Sell or Share My Personal Information." In this context, it’s not immediately clear that choosing "No" means agreeing to have your personal information shared or sold.
Coercive interactive elements are varied, but often appear as buttons that change depending on the user's options. For example, a "Confirm my choices" button might appear when all tracking cookies have been enabled, but if some cookies are deselected, the button changes to say "Allow all."
Avoid confusing choice architecture
The CPRA modified regulations prohibit the use of language that could be perceived as guilt-inducing or shaming. For example, it’s considered manipulative and shaming to offer two options for accepting a discount, such as "Yes" and "No, I like paying full price."
Bundling reasonable anticipated uses with additional unexpected ones is also not allowed. In a location-based app, for example, consent to the sale of geolocation data cannot be paired with consent to access the core service.
Easy to execute
Additionally, circular links, inactive or unmonitored email addresses, and broken UI experiences (such as a button that doesn’t work) are also not allowed. If you’ve relied on manual and/or fragmented processes so far, now is a good time to implement a smoother solution.
Notice at Collection
The CPRA modified regulations made three key updates to the requirements around notices at collection. We’ll summarize those below, but check out our full guide to CPRA notice at collection for more details.
Businesses no longer need to include third parties that collect personal information
Under the modified regulations, businesses no longer need to disclose which third parties are collecting personal data. The original text of the CPRA stated that any parties collecting personal data must be listed by name in a notice at collection; however, this requirement was removed from the modified rules in order to simplify implementation.
Data analytics providers can be considered service providers, but the relationship must be bound by a compliant service provider contract
The initial CCPA language referred to an "analytics business" as a third party, indicating it shouldn't be considered a service provider. This implied that businesses needed to offer the right to opt out, even if they were only using a platform like Google Analytics.
However, in one example the modified regulations state that:
“in some instances an analytics business can be a service provider and not a third party.”
Following Sephora’s settlement with the California attorney general (AG), this topic has been the subject of focused debate. Sephora's enforcement action hinged on a few factors, one of which was the AG’s stance that using an analytics provider counted as a de facto sale. But according to the case statements, the real issue seemed to be that Sephora was treating its analytics platform (assumed to be Google Analytics) as a service provider, but hadn't bound the relationship with an appropriate service provider contract.
Removal of the subsections on the collection of employment-related information
The CPRA modified regulations removed several subsections regarding the collection of employment-related information. According to the CPPA, these sections were removed following the expiration of the employee data exemption.
Check out our guide to employee DSARs under CPRA.
Under CCPA, there was some debate as to whether businesses needed to honor browser-based opt-out signals like the Global Privacy Control (GPC). However, the CPRA modified regulations made it clear that consumer preferences transmitted through these signals must be honored as long as they meet certain technical thresholds, specifically:
The signal provider notifies the consumer that turning on the signal will not automatically opt them out of the sale or sharing of their personal data
The modified regulations require that businesses who receive a consumer’s opt-out preference signal:
Must treat the signal as a valid request
Must not use the request to solicit further information from the consumer (though they can if the information is necessary to fulfill the request)
Must not use, retain, or share data received during the request for anything besides the request's fulfillment
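Handling the opt-out preference signal described above, as an added example that is not part of the original post. It assumes the Global Privacy Control specification's transport, the HTTP request header `Sec-GPC: 1`; the `OptOutRegistry` class, the `handle_request` function and the sample requests are constructed for illustration. It shows the three obligations in code: the signal is treated as the request itself (no extra form is presented), only the identifier needed to suppress sale or sharing is retained, and downstream sell/share decisions are gated on it. Persisting the opt-out across later requests from the same consumer is a design choice here, not something the regulation text on this page spells out.

```python
"""Honoring a Global Privacy Control (GPC) opt-out preference signal.

Added example, not code from the original post. GPC transmits the signal as the
HTTP request header ``Sec-GPC: 1``; everything else below (registry, handler,
sample requests) is constructed for illustration.
"""
from dataclasses import dataclass, field

GPC_HEADER = "sec-gpc"  # compared case-insensitively, as HTTP header names are


def gpc_signal_present(headers: dict) -> bool:
    """Return True only when the request carries a valid GPC signal.

    The spec defines the opted-out state as the header value '1'. Any other
    value ('0', empty, junk) or an absent header means no signal was sent, so
    the consumer's existing preference is left untouched.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class OptOutRegistry:
    """Stores nothing but the identifier needed to honor the opt-out.

    No user agent, IP address or other request data is kept: the regulation
    bars using or retaining anything beyond what fulfilling the request needs.
    """
    opted_out: set = field(default_factory=set)

    def record(self, consumer_id: str) -> None:
        self.opted_out.add(consumer_id)

    def is_opted_out(self, consumer_id: str) -> bool:
        return consumer_id in self.opted_out


def handle_request(request: dict, registry: OptOutRegistry) -> dict:
    """Treat a GPC signal as a valid opt-out request and gate sale/sharing on it.

    ``request`` is a constructed shape: {"consumer_id": str, "headers": dict}.
    The returned dict is what a sell/share integration would consult; the
    ``solicited_more_info`` flag is always False because the signal alone is
    sufficient and no follow-up form is shown.
    """
    consumer_id = request["consumer_id"]
    if gpc_signal_present(request["headers"]):
        registry.record(consumer_id)  # design choice: opt-out persists for this id
    return {
        "sell_or_share_allowed": not registry.is_opted_out(consumer_id),
        "solicited_more_info": False,
    }


def demo() -> list:
    """Run three constructed requests through one registry and return the decisions."""
    registry = OptOutRegistry()
    constructed_requests = [
        {"consumer_id": "pseudo-id-7f3a", "headers": {"Sec-GPC": "1"}},  # signal on
        {"consumer_id": "pseudo-id-7f3a", "headers": {"User-Agent": "x"}},  # later visit
        {"consumer_id": "pseudo-id-9c21", "headers": {"SEC-GPC": "0"}},  # explicit off
    ]
    return [handle_request(r, registry) for r in constructed_requests]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The usual mistake this guards against is checking for the mere presence of the header rather than its value, or matching the header name case-sensitively behind a proxy that normalises names.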
One change that businesses may welcome is the modified regulations’ approach to opt-out implementation. Under the CPRA modified regulations, businesses no longer need to display whether they are honoring a consumer’s opt-out preference. It's also now optional to inform consumers that their opt-out preference conflicts with their inclusion in a financial incentive program, if that is in fact the case.
Section 7301(b) of the modified regulations states that, when investigating possible violations, the CPPA will:
“consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) [...] and good faith efforts to comply with those requirements."
The “good faith efforts” bit may provide some cover for businesses who are working on compliance, but haven’t fully achieved it. That said, we don’t recommend hanging your hat on the CPPA’s leniency.
The agency still holds the right to audit a business’s CPRA compliance with or without notice. They may do so on the grounds that:
They believe the business is in violation of CPRA
The business has a history of non-compliance with any privacy protection law
They believe the business’s data processing activities present a “significant risk” to consumers
These criteria give the agency broad leeway in the way it audits and investigates companies, so although there may be some wiggle room, don’t rely on it when building out your privacy program.
What’s stayed the same, for now
Though the CPPA has presented one round of modified regulations, which were accepted by the OAL, there are still a few topics that will require further rounds of rulemaking.
Specifically, the CPPA will consider further updates to the CPRA’s rules on data protection assessments and cybersecurity audits, automated decision-making, and employee data rights.
So while we’ll have to wait and see what happens there, businesses should have enough information to work towards effective compliance before the July enforcement date.
Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.
Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.
Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.