California Privacy Protection Agency Approves CCPA Regulations

On February 3, 2023, after two comment periods and much anticipation, the California Privacy Protection Agency (CPPA) voted to adopt and approve its draft California Consumer Privacy Act (CCPA) regulations. The final rulemaking package will now be submitted to the California Office of Administrative Law (OAL) for review before the regulations take effect. The OAL has 30 working days from the date of submission to review the rulemaking package, which includes the final text of the CCPA regulations and a Final Statement of Reasons (FSOR) containing a summary of and response to each public comment from the comment periods. OAL review is an administrative step; it is possible that an entity will file a legal challenge to the CPPA’s regulations in the California courts. In the interim, however, businesses should be prepared to comply with the final text of the regulations as adopted by the CPPA.

In Depth

The final text of the regulations mirrors the version released on November 3, 2022, retaining several key provisions that will require more intricate compliance efforts. These include:

  • Opt-Out Preference Signals: Businesses that sell or share personal information must configure their websites to detect user-enabled “opt-out preference signals” and treat such signals as a valid request from the consumer to opt out of the sale and sharing of their personal information.
  • New Contracting Provisions: Businesses must include specific provisions in their contracts with service providers, contractors and third parties, including third parties to whom data is sold or shared.
  • Purpose Limitation: Businesses must process personal information in a way that is necessary and proportionate to achieve the disclosed purposes for which it was collected. These disclosed purposes must be compatible with the context in which the personal information was collected and consistent with the consumer’s reasonable expectations.
  • Right to Limit: Businesses only need to offer consumers the Right to Limit Use of Sensitive Personal Information if they are using sensitive personal information outside of the permitted purposes under the regulations, such as if they are using sensitive personal information to infer characteristics about a consumer.

The CPPA’s vote dovetails with the California Attorney General’s January 27, 2023, announcement of an investigative sweep of businesses, with a particular focus on mobile applications that allegedly fail to comply with the opt-out requirements of the CCPA. Under the final text of the regulations adopted by the CPPA, businesses no longer need to post a “Do Not Sell or Share” link within their mobile applications, although the general requirement to provide two methods for opting out of the sale or sharing of personal information remains in place. The final text of the regulations also requires mobile applications to provide a conspicuous link to the privacy policy through the application platform or download page, or within the application, such as in a settings menu. While these changed requirements will take effect after the Attorney General’s sweep, businesses should consider any lessons that come out of future enforcement actions related to mobile applications.

The CPPA also voted to open a preliminary comment period on proposed rulemaking under other areas of the CCPA for which many have been awaiting further clarity. In particular, the agency’s next proposed rulemaking will focus on:

  • Issuing regulations governing opt-out and access rights related to businesses’ use of automated decision-making technology. Such access rights will include a requirement to provide meaningful information about the logic involved in a business’s automated decision-making processes and a description of the likely outcome of the process.
  • Issuing regulations for businesses engaged in processing of personal information that presents a “significant risk” to consumers’ privacy or security to:
    • Perform annual cybersecurity audits, including a definition of the scope of the audit and a process to ensure that such audits are thorough and independent.
    • “Regularly” submit to the agency a risk assessment identifying and weighing the risks and benefits of such processing.

The agency’s invitation for comments asks for consideration of existing state, federal and international laws that already require such opt-out rights, cybersecurity audits and risk assessments. The CPPA specifically identifies the requirement to conduct data protection impact assessments under the General Data Protection Regulation (GDPR) and the regulations of the Colorado Privacy Act. In determining how to define the types of processing that present a “significant risk” to consumers, the CPPA asks whether the European Data Protection Board’s Guidelines on Data Protection Impact Assessments might provide a useful foundation.

While we await the framework that the CPPA ultimately adopts, these references to other jurisdictions’ requirements highlight that the CPPA recognizes the increasing complexity of the privacy landscape and the importance of enabling businesses to comply with their existing and overlapping obligations in an efficient way.