CCPA Regulations Approved

K&L Gates LLP
Contact

K&L Gates LLP

On 29 March 2023 the California Office of Administrative Law approved the first final rulemaking package proposed by the California Privacy Protection Agency (CPPA or the Agency), which is the implementing and enforcement agency created under the California Consumer Privacy Act (CCPA). The package consists of (1) the CPPA’s proposed regulations (Regulations), and (2) the CPPA’s final statement of reasons. The Regulations, which are now a part of the CCPA, took effect 29 March 2023. The CPPA is expected to publish the final rulemaking documents on its website the week of 3 April 2023.

The Regulations govern how the CCPA will be enforced. With the Regulations now in effect, businesses covered directly by the CCPA and other parties, such as service providers covered indirectly by the CCPA, should take note of the following key provisions:

  • Restrictions on the collection and use of California consumers’ personal information (including expanded requests to deletion and new requests to correct);
  • Requirements for methods for submitting consumer requests and obtaining consumer consent (including prohibitions on the use of “dark patterns”);
  • Additional information requirements in privacy notices;
  • Expanded opt-out requirements (including opt-out preference signals and requests to opt-out of sale/sharing);
  • The new California consumer right to limit the use of “sensitive personal information”; and
  • The expansion of indirect coverage over “contractors” and “third parties” (beyond “service providers,” including data processing contractual requirements).

While the Regulations have a significant impact on the CCPA, this is just the beginning of the CPPA’s rulemaking process, and in turn, the California Attorney General’s enforcement of the CCPA. Specifically, where the California Attorney General’s first and only CCPA settlement against Sephora was nearly eight months ago, we are seeing more activity, with a recent investigative sweep focused on mobile app providers’ opt-out compliance and expect more action in the wake of the Regulations.

In terms of next steps for the CPPA, we expect to see the next rulemaking package to address automated decision-making, cybersecurity audits, and risk assessments, based on the Agency’s 3 February 2023 meeting. While some of the above key changes from the Regulations may not immediately impact all businesses, the second set is sure to have a major impact if it covers automated technology and audits/risk assessments.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising

Written by:

K&L Gates LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

K&L Gates LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide