Updated CCPA Regulations Approved
Three months prior to the enforcement date of the California Consumer Privacy Act (CCPA), as amended, the California Office of Administrative Law approved the updated CCPA Regulations (final rulemaking documents will be posted here after processing). These updates take into account the CCPA’s expanded scope following its amendment by the California Privacy Rights Act of 2020 (CPRA), including new provisions regarding:
Consumer rights in relation to sharing, selling, and limiting the use of sensitive personal information;
Website and mobile app options in relation to “Do Not Sell or Share My Personal Information” requirements, user-enabled privacy controls, “alternative opt-out links,” and Global Privacy Control (GPC);
Dark patterns, notice, and transparency considerations; and
Service provider, contractor, and third-party contract requirements.
Although these regulations provide clarity on many of the changes the CPRA brought about, there remain several issues the California Privacy Protection Agency (CPPA) needs to address in its next round of regulations, including cybersecurity audits, risk assessments, and automated decision-making. The preliminary comment period for the next round of regulations ended on March 27, 2023. Initial draft rules on these topics may be released later this year.