What Should We Do About the Draft CPRA Regulations?: Collection and Notice

Sheppard Mullin Richter & Hampton LLP
Contact

Sheppard Mullin Richter & Hampton LLP

The California Privacy Protection Agency (CPPA) recently released the draft proposed CCPA Regulations and draft initial statement of reasons. Importantly, these are draft regulations that are likely to be subject to extensive public comment and modification before they become final. At the June 8 meeting, the board moved to approve the draft regulatory text to begin the formal rule making process and public comment period.

These draft regulations redline the existing CCPA regulations. Though some provisions were largely unedited, they could be modified in forthcoming updates. This includes notices regarding financial incentives, rules for consumers under the age of 16, non-discrimination practices, and requirements for verifying requests. Requirements around cybersecurity audits, risk assessments, and automated decision-making technology were not covered in this draft.

While the draft regulations do not address all topics on which the CPRA required the CPPA to adopt regulations, the draft does include guidance on certain topics of interest such as data processing agreements and the opt-out preference signal. In this series we examine some of the key takeaways for companies.

Our focus in today’s post is on collection and notice. Under the proposed regulations, a business’s collection, use, retention and sharing of personal information should be consistent with what a consumer would expect when the information was collected. Any uses that are unrelated or incompatible with the original purpose requires explicit consent from the consumer. The draft provides four illustrative examples on this point.

For privacy policies, the regulations largely incorporate the statutory content requirements, and then adds new requirements. Where more than one business controls the collection of a consumer’s personal information, both the first-party business and any third-party businesses would have to provide a notice at collection. The draft provides several examples on this point.

Putting It Into Practice: This draft is likely to undergo many updates during the public notice and comment period. Whether they will be finalized before the CPRA comes into effect on January 1, 2023 is not clear. In light of this uncertainty, companies would be well served to look at the key developments to begin to develop approaches for addressing compliance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP
Contact
more
less

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.