In November 2020, California voters approved the California Privacy Rights Act of 2020 (CPRA) which amended and extended the original California Consumer Protection Act of 2018 (CCPA). Previously, rulemaking authority under the Acts belonged solely to the state Attorney General. However, the CPRA established the California Privacy Protection Agency and vested it with the full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018. The Agency’s responsibilities include updating existing and adopting new regulations, among other things.
On April 21, 2022, rulemaking authority under the CCPA formally transferred to the Agency. And on May 27, 2022, the Agency released a highly anticipated first draft of proposed regulations, namely sections 7000-7304 of the CCPA. On June 8, 2022, the Board approved the draft proposed regulations for the formal rulemaking process and authorized the Executive Director to take steps necessary to begin the rulemaking process.
The Agency stated in its last board meeting that it will release additional regulations in the future. Thus, this first round of proposals does not address many major topics like data security audits, privacy risk assessments, or access and opt-out rights with respect to automated decision-making. The proposed regulations will likely go through many substantive modifications during the public comment and notification periods, and thus not be completed by January 1, 2023, the CPRA’s effective date.
Some of the key take-aways from this first round of proposals are:
- Definitive technical specifications for opt-out preference signals were not included
- In certain situations, businesses would be required to obtain explicit opt-in consent, which would possibly exceed the current opt-out requirements.
- In response to a Request to Know submission, businesses would have to disclose all personal information collected and maintained about the consumer on or after January 1, 2022, unless doing so proves impossible or would involve a disproportionate effort.
- New notice requirements would apply to both first and third parties at the time of collection, more akin to requirements of the GDPR.
- Businesses would be limited to using personal information only in ways “consistent with what an average consumer would expect,” although the draft did not expound upon this.
Consumers and businesses alike can expect many more changes and additions to draft proposals in the coming months. In the meantime, if you would like to engage in the public commenting process or obtain more information generally, CCPA.,gov has a wealth of information.
