California Privacy Protection Agency Releases Modified Proposed CPRA Regulations - Key Takeaways

Eddie Holman, Yeji Kim, Clinton Oxford, Tracy Shapiro
Wilson Sonsini Goodrich & Rosati
Contact
LinkedIn
Facebook
X
Send
Embed

Wilson Sonsini Goodrich & Rosati

Written Comments Due by November 21

On November 3, 2022, the California Privacy Protection Agency (CPPA, or the Agency) issued modified proposed regulations implementing the California Privacy Rights Act (CPRA),1 which revise the initial proposed regulations released on July 8, 2022. The Agency’s Notice of Modifications to Text of Proposed Regulations triggers a 15-day public comment period, which ends on November 21, 2022. Below we identify the key takeaways from the changes made by the modified proposed regulations to the initial proposed regulations and discuss the potential topics to be covered in future regulations as discussed during the CPPA Board meeting held on October 28-29, 2022 (“the CPPA October Board Meeting”).

For a more in-depth analysis of the main components of the modified proposed regulations, please see our Data Advisor article.

Key Takeaways

  • In light of the Agency’s failure to meet the statutory deadline for finalizing the regulations by July 1, 2022, the modified proposed regulations permit the Agency to consider all facts it determines to be relevant when determining whether to initiate an investigation, “including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements.”
  • Under the modified proposed regulations, a business no longer needs to identify the names of the third parties that it allows to control the collection of personal information in the business’s Notice at Collection, which is welcome news for businesses that may face compliance burdens keeping their Notices at Collection constantly updated with every new or terminated third-party contract.
  • The modified proposed regulations introduce “factors” to assess whether a business meets its data minimization obligations. For example, a business must consider, among other things, the relationship between the consumers and the business and the type, nature, and amount of personal information to evaluate whether a particular use of personal information is consistent with consumers’ reasonable expectations.
  • Despite public comments asking the Agency to provide greater clarity on the technical specifications for processing opt-out preference signals, Agency staff took the position in the CPPA October Board Meeting that no other technical specifications are needed in the regulations. The changes in the modified proposed regulations instead focus on when and how businesses should honor opt-out preference signals, while still providing little-to-no guidance on how to recognize such signals in the first place.
  • During the CPPA October Board Meeting, the Board also suggested that the Agency may implement new exceptions for the request to limit use and disclosure of sensitive personal information, including an HR/employee data exception, as well as a health-related research exception.

Next Steps

The proposed regulations are subject to a mandatory 15-day public comment period. The CPPA will accept written comments until 8:00 a.m. PT on November 21, 2022. Comments may be submitted by the following means:

Electronic:

Comments may be submitted electronically to regulations@cppa.ca.gov by including "CPPA Public Comment" in the subject line and including the comment as an attachment to the email.

Mail:

California Privacy Protection Agency
Attn: Brian Soublet
2101 Arena Blvd., Sacramento, CA 95834


We encourage businesses affected by the modified proposed regulations to submit comments to the CPPA. Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues, and will monitor CPPA guidance, enforcement, and litigation pursuant to the CPRA to assist clients with compliance. For more information or advice concerning your CPRA compliance efforts, please contact Tracy Shapiro, Eddie Holman, Clinton Oxford, Yeji Kim, or any member of the firm's privacy and cybersecurity practice.

[1]The proposed regulations are referred to as “CCPA regulations” instead of “CPRA regulations.” This is because the CPRA was a ballot initiative that amended the CCPA; it did not create a separate, new law. To this end, the proposed regulations update the existing CCPA regulations and add new rules to implement and interpret the text of the CCPA, as amended by the CPRA. We refer to the latest version of the modified proposed CCPA regulations as the “modified proposed regulations” in this alert. Cited section references are to the modified proposed regulations unless otherwise stated.

Written by:

Wilson Sonsini Goodrich & Rosati
Wilson Sonsini Goodrich & Rosati
Contact
more
less

Wilson Sonsini Goodrich & Rosati on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide