On July 8, 2022, the California Privacy Protection Agency (“CPPA”)1 published draft regulations in the California Regulatory Notice Register (“Draft Regulations”)2 mandated by the California Privacy Rights Act (“CPRA”).3 The Draft Regulations amend prior regulations adopted under the California Consumer Privacy Act (“CCPA”) to provide additional rights to consumers in their personal information and expand the obligations of businesses processing such personal information.4
Under the CPRA, the Draft Regulations are to become effective January 1, 2023.
I. Application of CCPA to Businesses and Information Collected
As amended by the CPRA, the CCPA applies to for-profit businesses that conduct business in California, collect and process consumers’ personal information, and satisfy at least one of the following requirements: within one calendar year, (1) have gross annual revenues over $25 million; (2) buy, sell or receive personal information from at least 100,000 California consumers or households (expanding the current threshold of 50,000); or (3) make at least half of their annual revenue by selling or sharing California consumers’ personal information.5
Notably, the CCPA does not apply to information processed by financial institutions (such as banks, broker-dealers, investment advisers, and certain “FinTech” companies) pursuant to the Gramm-Leach-Bliley Act (“GLBA”), and its implementing regulation, Regulation S-P.6
There are, however, certain categories of information collected by financial institutions (that meet the coverage thresholds above) that are subject to the CCPA. These categories include:
• Personal information of employees who live in California;
• Personal information collected from the financial institution’s website; and
• Prospective customer information from consumers who do not have a pre-existing relationship with the financial institution.7
If adopted, the Draft Regulations would require such covered financial institutions to comply with requirements that differ from prior CCPA requirements, which could include some or all of the following:
• Update their privacy policy to ensure that it is clear and not misleading;
• Implement procedures to detect and process “opt-out preference signals,” which are signals from a consumer’s browser or device communicating that the consumer does not consent to the sale or sharing of their personal information;
• Add new link(s) to the header or footer of the homepage of their website related to the consumers’ right to opt out of the sale or sharing of their personal information and the right to limit the use of their personal information;
• Provide an opportunity for consumers to submit requests to correct their collected personal information and limit the use of their sensitive personal information;
• Update their data processing agreements with their service providers, contractors and third parties to prohibit third parties from selling data and to respond to customer requests under the CCPA; and
• Perform due diligence on service providers, contractors and third parties to assess these parties’ compliance with the CCPA.
II. CPRA Expands the Privacy Rights Established by the CCPA
The CCPA established notable privacy rights for…