November 28, 2022

Volume XII, Number 332


California Privacy Protection Agency Released Proposed CPRA Regulations

The California Privacy Protection Agency (the “Agency”) released draft regulations to the California Privacy Rights Act (“CPRA”) on May 31, 2022 (the “Proposed Regulations”). The Proposed Regulations are drafted as comments to the California Attorney General’s regulations for the California Consumer Privacy Act, California’s landmark privacy law, which was amended by CPRA.

The Proposed Regulations address long-debated issues in U.S. privacy law, such as the effectiveness of user preferences communicated through browser signals. Under the Proposed Regulations, covered businesses must respect these opt-out signals sent through browser settings as effective communication of user preferences. The acceptable methods of opt-out communication is important because CPRA grants consumers the right to opt-out of “sharing” personal information, selling personal information, and processing of sensitive personal information in certain contexts.

Other important provisions of the Proposed Regulations include an extension of the consumer right to request and receive copies of information provided to covered businesses and further clarification of “dark patterns”. Previously, after a consumer request, businesses were only required to provide copies of information received in the past 12 months. The Proposed Regulations require businesses to provide all information collected after January 1, 2022. “Dark patterns”, defined as features which have the effect of “substantially subverting or impairing user autonomy, decisionmaking, or choice, regardless of a business’s intent.” Dark patterns were already prohibited under the CPRA, and the Proposed Regulations add that obtaining consumer consent with the use of a dark pattern nullifies the consumer’s consent.

The Agency is set to have a public meeting June 8, and the agenda lists the draft rules as a topic of discussion. The full text of the Proposed Regulations can be found here.

© 2022 Proskauer Rose LLP. National Law Review, Volume XII, Number 153

About this Author

Ryan P. Blaney Healthcare and Cybersecurity Attorney Proskauer Washington DC

Ryan Blaney is a partner in Proskauer’s Health Care and Privacy & Cybersecurity Groups.

Ryan’s practice focuses on regulatory compliance, enforcement, litigation and transactions in the areas of data privacy, cybersecurity, health care, and emerging technologies. He advises private equity, asset managers, health care, life sciences, retail and technology clients on privacy and cybersecurity compliance, cybersecurity incidents and government investigations, including acting as lead counsel in defending clients in regulatory investigations by...


Vincent Tennant is an associate in the Privacy & Cybersecurity and Health Care Groups.

Vince’s practice focuses on data privacy and cybersecurity issues in the context of regulatory compliance, enforcement, litigation and transactions. He advises private equity, asset managers, health care, life sciences, retail and technology clients on privacy and cybersecurity compliance, cyber risk management in critical transactions and cybersecurity incident response.   

Vince counsels clients on federal, state, and...