Bloomberg Law

Consumer Privacy Opt-Outs Specified in California Draft Rules

May 31, 2022, 4:57 PM

The California Privacy Protection Agency unveiled draft regulations that focus on topics ranging from opt-out preference signals to consumer complaints as companies gear up for the bulk of the California Privacy Rights Act to take effect Jan. 1.

This first batch of draft rules touches on a number of the 22 topics listed for rulemaking under the CPRA, but does not address cybersecurity audits, risk assessments, or the opting-out of automated decision-making technology.

The draft rules make clear that companies must honor opt-out preference signals, which are a way for consumers to share their desires with multiple companies instead of having to indicate them one by one. That’s consistent with California Attorney General Rob Bonta’s (D) statement that businesses subject to the California Consumer Privacy Act must accept such browser signals when applicable.

A company may solicit consumer preferences through a universal opt-out or through opt-out links such as “Do Not Sell or Share My Personal Information” or “Limit the Use of My Sensitive Personal Information,” according to the rules package.

“Even if the business posts the above-referenced links, the business must still process opt-out preference signals, though it may do so in a non-frictionless manner,” the draft rules state.

The proposed regulations don’t list technical specifications for the opt-out preference signals.

Consumer Complaints, Consent

The draft rules specify that “sworn complaints” may be filed with the agency’s enforcement division or submitted in person or by mail.

Such complaints must identify the entity that allegedly violated the privacy law, provide evidence supporting the conclusion, and authorize the alleged violator to communicate with the agency regarding the complaint, among other criteria.

The privacy agency may independently launch investigations without a government agency referral or complaint, the rules state.

The draft regulations also make clear that consent must be obtained using easy-to-understand methods and without the use of manipulative language.

“Avoid manipulative language or choice architecture,” the proposed rules state. “The methods should not use language or wording that guilts or shames the consumer into making a particular choice or bundles consent so as to subvert the consumer’s choice.”

The agency is set to have a public meeting June 8, and the agenda lists the draft rules as a topic of discussion.

To contact the reporter on this story: Jake Holland in Washington at jholland@bloombergindustry.com

To contact the editor responsible for this story: Jay-Anne B. Casuga at jcasuga@bloomberglaw.com