State Privacy Update: California Finalizes New CCPA Regulations and Iowa Becomes the Sixth State to Adopt Comprehensive Privacy Legislation
March wrapped up with several significant state privacy developments. First, on March 28, Iowa Governor Kim Reynolds signed Senate File 262 (SF 262) into law, making Iowa the sixth state to adopt comprehensive data privacy legislation, joining California, Colorado, Connecticut, Utah, and Virginia. Second, on March 29, the California Office of Administrative Law (OAL) approved updated California Privacy Protection Agency (CPPA) regulations—promulgated pursuant to the California Privacy Rights Act (CPRA)—and filed them with the Secretary of State. According to the CPPA’s website, this concludes the rulemaking process that was started on July 8, 2022, and makes the newly finalized regulations effective as of March 29, 2023. The Attorney General (AG) and the CPPA, however, cannot enforce the new rules until July 1, 2023.
As we explained in our webinar, Staying Ahead of State Privacy Laws, complying with emerging U.S. state privacy laws and regulations can be difficult, especially because the landscape continues to shift while more states consider privacy legislation. Below is a high-level summary of the two latest updates that add complexity to the growing patchwork of state privacy laws.
New Privacy Law in Iowa
The new Iowa law will take effect on January 1, 2025. Similar to other comprehensive state privacy laws, it provides for a host of consumer rights, imposes affirmative obligations on controllers, and requires controllers to enter into contracts with processors that contain specific provisions. The law allows for a 90-day cure period upon notice of a violation, and will be enforced by the Iowa AG. Please see our previous blog post for a more comprehensive overview of the new law.
The New CPPA Regulations
On March 29, 2023, the CPPA announced that its regulations to implement the amended California Consumer Privacy Act (CCPA) were final. The text of the final rules was released several days later and is available here. An accompanying press release stated that the final regulations “have not changed substantively” since the CPPA Board made modifications at its October 2022 meeting. The primary change appears to be that the request to know rules (§ 7024(h)) now permit consumers to request information for a specific time period.
These CPPA regulations, however, significantly change the CCPA rules that had been in effect prior to March 29. The following is not a comprehensive list, but provides insight into the scope of changes that businesses may need to consider as they implement the new regulations in the coming months:
- Collection and Use of Personal Information (PI). The regulations provide additional guidance on when a business’s collection, use, retention, and/or sharing of consumer PI is “reasonably necessary and proportionate” to achieve (1) the purpose for which the PI was collected or processed or (2) another disclosed purpose that is “compatible with the context” in which the PI was collected. The regulations provide numerous factors and examples that must be weighed when making these determinations. The new guidance may require a business to reassess whether its use of a consumer’s PI remains “reasonably necessary and proportionate” or if the use must be considered a secondary use.
- Disclosures and Communications to Consumers. The regulations create additional requirements for how notices are provided to consumers, including formatting and accessibility requirements.
- Consumer Consent. The regulations require businesses to avoid choice architecture that impairs or interferes with the consumer’s ability to make a choice. The regulations caution that use of this type of choice architecture could negate consumer consent. The regulations prohibit the use of dark patterns to obtain consent and provide several factors to consider in determining whether a choice architecture is a dark pattern, of which a business’s intent is merely a single factor.
- Notice at Collection. The regulations adjust the notice at collection requirement to account for more than one business collecting PI. The regulations acknowledge that more than one business may control the collection of a consumer’s PI. If multiple parties are controlling the collection, all parties must provide a notice of collection, but this requirement can be satisfied by a single notice about their collective “Information Practices,” which the rules define.
- Alternative Opt-Out Link. The regulations permit businesses to use a single link to allow users to both opt out of selling and sharing and exercise their right to limit the use of sensitive PI.
- Sensitive PI. The regulations provide consumers with the ability to limit the use and disclosure of sensitive PI to that which is “necessary to perform the services or provide the goods reasonably expected by an average consumer.” Sensitive PI that is collected or processed without the purpose of inferring characteristics about a consumer is exempt from requests to limit its use.
- Opt-Out Preference Signals. The regulations require businesses to process opt-out preference signals that meet certain technical requirements. These signals would allow a consumer to exercise their right to opt out of the selling and sharing of PI.
- Contracts. The regulations include new requirements for contracts between service providers and contractors, as well as contracts between businesses and third parties.
- Agency Audits. The regulations provide the CPPA with the authority to audit businesses, service providers, contractors, or other persons. These audits “may be announced or unannounced.”
Businesses should reevaluate their compliance with the CCPA in light of the additional obligations imposed by these regulations with the goal of implementing updated policies and procedures prior to the July 1, 2023 enforcement date.
Wiley’s Privacy, Cyber & Data Governance Team has helped entities of all sizes from various sectors proactively address risks and compliance with new privacy laws and advocate before government agencies. Please reach out to any of the authors with questions.