On March 29, 2023, the California Office of Administrative Law (the “OAL”) approved the first substantive set of California Privacy Rights Act (“CPRA”) regulations from the California Privacy Protection Agency (the “CPPA”), which we addressed in a previous blog. Those regulations went into effect immediately. As discussed in a recent episode of Ropes & Gray’s privacy podcast, The Data Day, the CPPA has also begun consideration of an additional set of regulations that would implement other CPRA requirements, issuing an Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking. Enforcement of the CPRA, including its implementing regulations, is scheduled to begin on July 1, 2023. However, on March 30, 2023—just one day after the OAL approved the CPPA’s regulations—the California Chamber of Commerce announced that it had filed suit in Sacramento Superior Court seeking to delay enforcement until 12 months after a final and complete set of regulations has been adopted.
The regulations that were finalized on March 29 have not changed substantively since the modified draft proposed in the fall. As such, they cover a number of critical areas such as: (1) the procedures around data subject rights requests, including the new rights to correct personal information and to limit the use of sensitive personal information; (2) requirements for honoring requests to opt out of the “sale” or “sharing” of personal information and responding to opt-out preference signals like Global Privacy Control; (3) the content and form of required privacy notices; and (4) contractual requirements for agreements with service providers, contractors, and third parties to whom a business sells or with whom a business shares personal information.
Notably, the regulations address at length the so-called “principles of processing” adopted by the CPRA, such as purpose and storage limitations. Under the purpose limitation, processing of personal information by a business must be reasonably necessary and proportionate to achieve either the purpose for which the information was collected or another disclosed purpose that is compatible with the context in which the information was collected. Section 7002 of the regulations goes even further, requiring that the data use must be “consistent with the reasonable expectations of the consumers,” a potentially vague standard that may prove challenging for businesses to operationalize. One approach to doing so would be to conduct a privacy risk assessment prior to conducting more sensitive data processing and make full and transparent disclosures that would themselves help shape consumer expectations.
With its first set of regulations in place, the CPPA will now move on to addressing other complex features of the CPRA, including the rules around automated decisionmaking and data protection audits. The CPPA board is next scheduled to meet on April 14, 2023. Ropes & Gray will continue to track developments.