
At its latest meeting, the newly constituted California Privacy Protection Agency (CPPA) unanimously approved its first set of proposed California Privacy Rights Act (CPRA) regulations. The proposed regulations, along with a draft final statement of reasons (FSOR) supporting the regulations, will now be sent to California’s Office of Administrative Law, triggering a 30-day window for OAL to review the regulations and FSOR. The CPPA announced that it anticipates staying on track for the regulations to take effect in April, with enforcement thereof going live on July 1, 2023.
Some of the more notable regulations, which remain largely unchanged from the previous iteration of regulations set forth at the CPPA’s October meeting, are listed below:
- Businesses that collect PI from consumers online must allow consumers to submit opt-out requests for sales/sharing of data through at least two methods, one of which must be an opt-out preference signal. The other method may take the form of an interactive web-based form, the Alternative Opt-Out Link, or the business’s privacy policy.
- When a consumer clicks on a “Do Not Sell or Share My Personal Information” link, they shall not be required to search or scroll through the text of a privacy policy or similar document/webpage to locate the mechanism through which to submit the opt-out request.
- Upon receipt of a request to delete, correct, or know, businesses must confirm receipt of the request, provide information about how the business will process the request, and inform the consumer when they should expect a response (unless the request has already been denied or granted), within 10 business days. This is in addition to businesses’ obligation to respond to the request within 45 calendar days.
- Businesses have been granted expanded authority to request compliance from the third-party vendors to whom information is sold or with whom it is shared. For instance, businesses may require third-party vendors to provide attestations that their treatment of PI made available to them is consistent with the business’s obligations under the CCPA. However, these expanded powers appear to come with strings attached, as Section 7053(b) states that businesses that actually enforce their contract terms with third-party vendors through due diligence, as opposed to merely including CCPA-required language in the contract, will have a more valid defense to any potential regulatory action.
While the CPPA has received many public comments since the October 2022 meeting, the CPPA’s decision to send the proposed regulations to the OAL without any substantive changes aligns with its intention to move ahead on schedule and issue final regulations in April. Octillo will continue to monitor the rulemaking process as the regulations undergo further review by the OAL and will provide further updates accordingly. If you have questions about the CPPA, CPRA, or other state privacy regulations, reach out to a member of our team.
*Attorney Advertising: Prior results do not guarantee future outcomes.