Final California Privacy Regulations Approved: Key Takeaways
On March 29, 2023, California’s Office of Administrative Law (“OAL”) approved the final text of the first part of the regulations issued by the California Privacy Protection Agency (“CPPA”), which will take effect immediately (“Regulations”). These final Regulations provide long-awaited guidance on some new concepts contained in the California Privacy Rights Act (“CPRA”), which was approved by voters as Proposition 24 in the 2020 election. The CPRA included general requirements for data use policies, including the data minimization principles. The Regulations also provide wording to be included in consumer communications (e.g., privacy policy and notice at collection) and specify requirements for the opt-out and other consumer rights. We list some of the key considerations to take into account for privacy compliance this year.
New restriction on the Collection and Use of Personal Information. Drawing inspiration from the European GDPR, the CPRA implemented the principle of data minimization, which translates into the obligation to collect and process personal information in a way reasonably necessary and proportionate to achieve: (i) the purposes for which the personal information was collected or processed (consistent with the reasonable expectations of the consumers), or (ii) another disclosed purpose that is compatible with the context in which the personal information was collected. If a business cannot meet both tests, it must obtain the consumer’s consent before collecting or processing personal information for any additional purpose not originally disclosed in the notice of collection.
More specifically, the Regulations specify how to determine the purposes which meet the “reasonable expectations of the consumers” test and suggest being guided by the following factors: the relationship between the consumers and the business; the type, nature, and amount of personal information the business seeks to collect or process; the source of the personal information and the business’s method for collecting or processing it; the specificity, explicitness, prominence, and clarity of disclosures to the consumers about the purpose for collecting or processing their personal information; and the degree to which the involvement of service providers, contractors, third parties, or other entities in the collecting or processing of personal information is apparent to the consumers. For example, the consumer likely expects an online retailer’s disclosure of the consumer’s name and address to a delivery service provider...