The California Privacy Protection Agency (the “Agency”) released draft regulations to the California Privacy Rights Act (“CPRA”) on May 31, 2022 (the “Proposed Regulations”). The Proposed Regulations are drafted as comments to the California Attorney General’s regulations for the California Consumer Privacy Act, California’s landmark privacy law, which was amended by CPRA.
The Proposed Regulations address long-debated issues in U.S. privacy law, such as the effectiveness of user preferences communicated through browser signals. Under the Proposed Regulations, covered businesses must respect these opt-out signals sent through browser settings as effective communication of user preferences. The acceptable methods of opt-out communication is important because CPRA grants consumers the right to opt-out of “sharing” personal information, selling personal information, and processing of sensitive personal information in certain contexts.
Other important provisions of the Proposed Regulations include an extension of the consumer right to request and receive copies of information provided to covered businesses and further clarification of “dark patterns”. Previously, after a consumer request, businesses were only required to provide copies of information received in the past 12 months. The Proposed Regulations require businesses to provide all information collected after January 1, 2022. “Dark patterns”, defined as features which have the effect of “substantially subverting or impairing user autonomy, decisionmaking, or choice, regardless of a business’s intent.” Dark patterns were already prohibited under the CPRA, and the Proposed Regulations add that obtaining consumer consent with the use of a dark pattern nullifies the consumer’s consent.
The Agency is set to have a public meeting June 8, and the agenda lists the draft rules as a topic of discussion. The full text of the Proposed Regulations can be found here.