December 7, 2022

Volume XII, Number 341


December 06, 2022

Subscribe to Latest Legal News and Analysis

December 05, 2022

Subscribe to Latest Legal News and Analysis

OOPS! And Other Takeaways from the First Draft of CPRA Regulations

In an unexpected move, the California Privacy Protection Agency (the “Agency”) issued draft regulations (“Regs”) mandated by the California Privacy Rights Act (“CPRA”), on Friday May 27 (a day before the Memorial Day weekend, and a day after a public stakeholder meeting in which it gave no indication that the Regs would be issued the next day). The Agency has placed consideration of the draft Regs on its Board’s June 8 meeting agenda. If approved, they will then be subject to public comments, which must be considered before the Regs can be finalized.

The Regs contain detailed guidance regarding many highly-anticipated topics, such as:

  • Global Privacy Control requirements—or the “Opt-Out Preference Signal” ( “OOPS”) under the Regs—but unfortunately no technical specifications with respect to implementation of the OOPS. The Agency interprets the CPRA to make the opt-out link optional if OOPS are “frictionlessly” implemented, but not to make honoring OOPs optional if an opt-out link is provided.

  • General principles regarding the handling of consumer requests.

  • Detailed requirements regarding implementation of the rights to access, delete, correction, limit (the use of my sensitive information), and do not sell / do not share.

  • Notices to consumers, including special notice requirements for job applicants, employees and contractors.

  • Financial incentive notice requirements are relaxed.

  • Service provider, contractor, and third party agreements and obligations.

  • Complaint and enforcement procedures.

While the Regs leave various hot-button issues for a later draft (like automated decision-making, profiling, cybersecurity audits, and risk assessments), they certainly provide detailed guidance on the issues addressed. Even so, implementation will present many challenges for businesses, service providers, contractors, and even third-parties. As a result, we can expect spirited debate and comment from industry and consumer protection groups alike before the draft Regs are finalized.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XII, Number 154

About this Author

Alan L. Friel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Los Angeles, CA

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...

Kyle R. Fath Cybersecurity Attorney Squire Patton Boggs New York Los Angeles
Of Counsel

Kyle Fath is counsel in the Data Privacy & Cybersecurity Practice. He offers clients a unique blend of deep experience in counselling companies through compliance with data privacy laws, drafting and negotiating technology agreements, and advising on the privacy, IT, and IP implications of mergers & acquisitions and other corporate transactions. His practice has a particular focus on the the ingestion and sharing of data by way of strategic data transactions, data brokers, and vendor relationships, the implications of digital advertising (as companies look toward...

Of Counsel

Shea Leitch is Of Counsel for Squire Patton Boggs' Washington D.C. office. For close to 10 years, Shea Leitch has served as a trusted advisor to multinational companies who rely on her to provide timely and practical advice as they build and adapt their global privacy and security programs. A Certified Information Privacy Professional (CIPP/US, E), Shea’s in-depth knowledge of privacy and data security issues makes her a sought-after counselor to companies in various sectors, including the social media, advertising, retail and automotive sectors.