CPPA Releases Modified Proposed CPRA Regulations
4 Minute Read
Categories: Online Privacy, U.S. State Law
On October 17, 2022, the California Privacy Protection Agency (“CPPA”) released modified proposed regulations for compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), along with an explanation of the modifications as materials for an upcoming CPPA Board Meeting. The Board Meeting scheduled for October 28-29, 2022, will discuss and take possible action, including adoption or modification, regarding the proposed regulations.
The modified proposed regulations, 72 pages in total, change the initial proposed regulations noticed on July 8, 2022. Key highlights include:
- Notice at Collection (Section 7012)
- The modified proposed regulations eliminate requirements, initially proposed, for a business to either disclose the names of third parties that the business allows to collect personal information from the consumer, or to provide information about the third parties’ business practices in the business’s notice at collection.
- The modified proposed regulations retain, however, requirements that third parties the business allows to collect personal information provide a notice at collection, and add that the business and the third parties may provide a single notice at collection that covers their collective information practices.
- Right to Limit the Use/Disclosure of Sensitive Personal Information (Sections 7014 and 7027)
- The modified proposed regulations clarify that sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to requests to limit. The modified proposed regulations state that businesses do not need to provide a notice of right to limit the use of sensitive personal information if the business only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer.
- Processing Consumer Requests
- “Disproportionate effort”: The modified proposed regulations continue to limit certain obligations to respond to access, deletion and correction requests where doing so would involve disproportionate effort, but change the definition of “disproportionate effort” to (1) make clear it applies to service providers, contractors and third parties, in addition to businesses; and (2) take into account factors such the size of the responding entity, the nature of the request, and the technical limitations impacting the entity’s ability to respond.
- Requests to Correct (Section 7023): The modified proposed regulations add that ensuring that corrected personal information remains corrected is a factor in determining whether fulfillment of a request to correct is compliant.
- Data Minimization (Section 7002)
- The modified proposed regulations provide additional specifications for the requirements that a business’s collection, use, retention or sharing of a consumer’s personal information be reasonably necessary and proportionate to achieve (1) the “purpose(s) for which the personal information was collected or processed,” or (2) another “disclosed purpose that is compatible with the context in which the personal information was collected.”
- The modified proposed regulations specify that the purpose(s) for which personal information was collected or processed must be consistent with the “reasonable expectations of the consumer.” The reasonable expectations of a consumer must be determined based on the (a) relationship between the consumer and the business; (b) type, nature, and amount of personal information that the business seeks to collect or process; (c) source of the personal information and the business’s method for collecting or processing it; (d) specificity, explicitness, and prominence of disclosures to the consumer about the purpose for collecting or processing the consumer’s personal information; and (e) degree to which the involvement of service providers, contractors, third parties, or other entities in the collection or processing of personal information is apparent to the consumer.
- Whether another disclosed purpose is compatible with the context in which personal information was collected must be based on factors that include (a) the reasonable expectation factors outlined above; (b) the other disclosed purpose, including whether it is a “Business Purpose” under the CCPA/CPRA; and (c) the strength of the link between (a) and (b).
- The modified proposed regulations also clarify that whether a business’s collection, use, retention or sharing of personal information is “reasonably necessary and proportionate” to achieve the relevant purposes must be based on factors that include the (a) minimum personal information that is necessary to achieve the purpose identified; (b) possible negative impacts on consumers posed by the business’s collection or processing of the personal information; and (c) existence of additional safeguards for the personal information to specifically address the possible negative impacts on consumers.
- Risk Assessments and Automated Decisionmaking
- The proposed regulations still do not address risk assessments or automated decisionmaking technology, including profiling.
Update: The CPPA cancelled the originally scheduled meeting for October 21-22, 2022.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code