The California Privacy Protection Agency (CPPA) Decides on a Roadmap for Revised California Privacy Rights Act (CPRA) Regulations
At a two-day meeting that took place on October 28th and 29th, the CPPA considered the CPRA Modified Regulations (Modified Regs) that were published on October 17th of this year. We analyze the initial proposed CPRA regulations here.
On the proposed changes of the Modified Regs, the CPPA Board (the Board) considered clarifying amendments while maintaining the initial intent of the (i.e., no further substantive changes). There are three amendments of particular importance that were discussed:
First, there was a recommendation by Alistair Mactaggart, who was recently appointed to the Board, to clarify that Opt-out Preference Signals (OOPS) should be applied by businesses to pseudonymous profiles associated with a browser or device, including in circumstances where the business uses such identifiers or profiles for cross-device linking. OOPS are signals sent by a platform, technology, or mechanism communicating the consumer’s choice to opt-out of the sale or sharing of their personal information. With this modification, it will be clear that businesses would need to extend the opt-out signals to other devices if the business linked other devices through pseudonymous identifiers, even if the user is not logged in.
Second, amendments were sought to clarify the meaning of consumer expectations as to collection purpose in the Proposed Regulations Sec. 7002(b). However, no further clarification will be made at this time, so there will remain ambiguity as to when enhanced notice and consent should be provided by businesses.
Finally, the Board discussed the need to be a “reasonable enforcer” and provide leniency to businesses that take good faith efforts to comply with the regulations. This discussion arose out of concern that businesses would not have enough time to conform to the finalized regulations.
The Board also clarified the next steps for the proposed regulations, including the expectation for the final regulations to be published in January or February 2023. Before the CPPA can publish the final regulations, it will have to develop a revised redline document to be released to the public. Following a 15-day comment period, the amendments will have to be formally approved and sent to the Office of Administrative Law (OAL), which will also review and approve or reject the regulations. Once approved by the OAL, the regulations will become final. We will report on the publication and Board approval of the next draft, and on OAL action.
It should also be noted that many of the changes to the proposed regulations have been noted as being made to ease initial implementation and may not be final. Further, the CPPA still plans to rulemake in stages, and continues to work on some of the tougher issues like automated decision making.
For more information on the impact of the Modified Regs or last week’s meeting, contact the authors or your relationship partner at the firm. CPW will continue to cover the CPRA rulemaking process and other state privacy law developments, as well as federal legislative and regulatory efforts.
Sasha Kiosse also contributed to this article.