August 19, 2022

Volume XII, Number 231

Advertisement
Advertisement

August 18, 2022

Subscribe to Latest Legal News and Analysis

August 17, 2022

Subscribe to Latest Legal News and Analysis

August 16, 2022

Subscribe to Latest Legal News and Analysis

What Should We Do About the Draft CPRA Regulations?: Collection and Notice

The California Privacy Protection Agency (CPPA) recently released the draft proposed CCPA Regulations and draft initial statement of reasons. Importantly, these are draft regulations that are likely to be subject to extensive public comment and modification before they become final. At the June 8 meeting, the board moved to approve the draft regulatory text to begin the formal rule making process and public comment period.

These draft regulations redline the existing CCPA regulations. Though some provisions were largely unedited, they could be modified in forthcoming updates. This includes notices regarding financial incentives, rules for consumers under the age of 16, non-discrimination practices, and requirements for verifying requests. Requirements around cybersecurity audits, risk assessments, and automated decision-making technology were not covered in this draft.

While the draft regulations do not address all topics on which the CPRA required the CPPA to adopt regulations, the draft does include guidance on certain topics of interest such as data processing agreements and the opt-out preference signal. In this series we examine some of the key takeaways for companies.

Our focus in today’s post is on collection and notice. Under the proposed regulations, a business’s collection, use, retention and sharing of personal information should be consistent with what a consumer would expect when the information was collected. Any uses that are unrelated or incompatible with the original purpose requires explicit consent from the consumer. The draft provides four illustrative examples on this point.

For privacy policies, the regulations largely incorporate the statutory content requirements, and then adds new requirements. Where more than one business controls the collection of a consumer’s personal information, both the first-party business and any third-party businesses would have to provide a notice at collection. The draft provides several examples on this point.

Putting It Into Practice: This draft is likely to undergo many updates during the public notice and comment period. Whether they will be finalized before the CPRA comes into effect on January 1, 2023 is not clear. In light of this uncertainty, companies would be well served to look at the key developments to begin to develop approaches for addressing compliance.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XII, Number 179
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Advertisement
Advertisement
Advertisement