After a significant delay, on February 3, 2023, the California Privacy Protection Agency (CPPA) unanimously approved amended regulations. The new regulations have not yet gone into effect as they must first be approved by the Office of Administrative Law (OAL). The CPPA’s General Counsel advised that there is no guarantee that the regulations would be approved on the first go-around. As the OAL has 30 business days to determine whether the CPPA complied with all rulemaking requirements, it is anticipated the regulations may take effect as early as April 2023.

The revised regulation is intended to do the following:

1. Update existing regulations to fit with amendments made by the California Privacy Rights Act (CPRA).

2. To put into operation new rights and concepts introduced by the CPRA

3. Make the regulations more streamlined and easier to understand.

The revised regulations include regulations on data processing agreements, consumer opt-out mechanisms, mandatory requirements for recognition of opt-out preference signals, and consumer request handling.

The regulations were not substantively changed from the second modification in October 2023, which included:

• Sections clarifying how consumers can opt out of having their data sold or shared, including via opt-out preference signals.

• Provisions providing allowances for enforcement flexibility, which are intended to assuage businesses’ concerns that the current delay in adopting final regulations will present compliance challenges.

• Allowances for businesses, service providers, and contractors to delay compliance with requests to correct archived or backup systems until the data is restored to an active system or is next accessed or used.