February 6, 2023

Volume XIII, Number 37

Error message

  • Warning: Undefined variable $settings in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).
  • Warning: Trying to access array offset on value of type null in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).

February 03, 2023

Subscribe to Latest Legal News and Analysis

The California Privacy Protection Agency (CPPA) Decides on a Roadmap for Revised California Privacy Rights Act (CPRA) Regulations

At a two-day meeting that took place on October 28th and 29th, the CPPA considered the CPRA Modified Regulations (Modified Regs) that were published on October 17th of this year. We analyze the initial proposed CPRA regulations here.

On the proposed changes of the Modified Regs, the CPPA Board (the Board) considered clarifying amendments while maintaining the initial intent of the (i.e., no further substantive changes). There are three amendments of particular importance that were discussed:

  • First, there was a recommendation by Alistair Mactaggart, who was recently appointed to the Board, to clarify that Opt-out Preference Signals (OOPS) should be applied by businesses to pseudonymous profiles associated with a browser or device, including in circumstances where the business uses such identifiers or profiles for cross-device linking. OOPS are signals sent by a platform, technology, or mechanism communicating the consumer’s choice to opt-out of the sale or sharing of their personal information. With this modification, it will be clear that businesses would need to extend the opt-out signals to other devices if the business linked other devices through pseudonymous identifiers, even if the user is not logged in.

  • Second, amendments were sought to clarify the meaning of consumer expectations as to collection purpose in the Proposed Regulations Sec. 7002(b). However, no further clarification will be made at this time, so there will remain ambiguity as to when enhanced notice and consent should be provided by businesses.

  • Finally, the Board discussed the need to be a “reasonable enforcer” and provide leniency to businesses that take good faith efforts to comply with the regulations. This discussion arose out of concern that businesses would not have enough time to conform to the finalized regulations.

The Board also clarified the next steps for the proposed regulations, including the expectation for the final regulations to be published in January or February 2023. Before the CPPA can publish the final regulations, it will have to develop a revised redline document to be released to the public. Following a 15-day comment period, the amendments will have to be formally approved and sent to the Office of Administrative Law (OAL), which will also review and approve or reject the regulations. Once approved by the OAL, the regulations will become final. We will report on the publication and Board approval of the next draft, and on OAL action.

It should also be noted that many of the changes to the proposed regulations have been noted as being made to ease initial implementation and may not be final. Further, the CPPA still plans to rulemake in stages, and continues to work on some of the tougher issues like automated decision making.

For more information on the impact of the Modified Regs or last week’s meeting, contact the authors or your relationship partner at the firm. CPW will continue to cover the CPRA rulemaking process and other state privacy law developments, as well as federal legislative and regulatory efforts.

Sasha Kiosse also contributed to this article. 

© Copyright 2023 Squire Patton Boggs (US) LLPNational Law Review, Volume XII, Number 305

About this Author

Alan L. Friel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Los Angeles, CA

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...