Privacy & Information Security Law Blog

On November 3, 2022, the California Privacy Protection Agency (“CPPA”) released new modified proposed California Privacy Rights Act (“CPRA”) regulations, which make updates to the draft CPRA regulations released on October 17, 2022. The CPPA also released an updated list of documents and other information relied upon for this most recent rulemaking.

The newly-released draft CPRA regulations are still in draft form. They contain the following key changes:

• Investigations and Enforcement (Section 7301)

Add the following provision:

“As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”

This provision indicates the CPPA may be more lenient with respect to its initiation of investigations or enforcement actions regarding potential CPRA violations where the time elapsed since the effective date of the relevant legal requirement and the alleged violation is short. This is particularly true of the CPRA regulations, which may not be finalized until after the CPRA’s January 1, 2023 operative date. The provision does, however, advise entities subject to the CPRA to nonetheless make  “good faith efforts to comply” with the law’s relevant requirements to mitigate enforcement risk.

• Data Minimization (Section 7002)

Clarify that, for any purpose for which a business obtains a consumer’s consent, the business’s collection, use, retention, or sharing of the consumer’s personal information must also be reasonably necessary and proportionate to achieve that purpose.

• Opt-Out Preference Signals (Section 7025)

• Require businesses to treat an opt-out preference signal as a valid request to opt out of sale or sharing for not only that browser or device, but also for “any consumer profile associated with that browser or device, including pseudonymous profiles.”
  • Clarify that, if a consumer submits an opt-out of sale or sharing request but does not affirm their intent to withdraw from a financial incentive program, the business may ignore the opt-out preference signal with respect to the financial incentive program. The business must, however, ask the consumer to affirm their intent regarding the financial incentive program; if it does not, the business must process the opt-out preference signal as a valid opt-out request.
• Requests to Limit the Use and Disclosure of Sensitive Personal Information (Section 7027)

Clarify that a business does not need to provide a notice of the right to limit the use or disclosure of sensitive personal information, or otherwise provide the right to consumers, where the business uses or discloses the sensitive personal information only for the purposes specified in the CPRA regulations, provided that such use or disclosure is “reasonably necessary and proportionate” to the applicable purposes.

• Risk Assessments and Automated Decisionmaking

The newly-released draft CPRA regulations still do not address risk assessments or automated decisionmaking technology, including profiling.

The newly-released draft CPRA regulations and materials added to the rulemaking file will be available for public comment until November 21, 2022 at 8:00 a.m.