Since late June 2023, the California Privacy Protection Agency (CPPA) has been prohibited by court order from enforcing the regulations it finalized on March 29 of last year. According to that ruling, because the text of the California Privacy Rights Act (CPRA) called for the CPPA to finalize its rulemaking by July 1, 2022, and for enforcement to begin on July 1, 2023, the law required a year’s time between adoption of any regulations and their enforcement.
On February 9, 2024, this prohibition was ended when a California appellate court in California Privacy Protection Agency v. Superior Court (California Chamber of Commerce) vacated the lower court’s ruling, meaning the regulations are immediately back in effect. The newly effective regulations provide crucial details on several major areas of California’s comprehensive data privacy law, the California Consumer Privacy Act (CCPA), as amended by the CPRA.
Regulations Summary
The regulations are divided into nine articles, each of which focuses on a broad subject area.
Article 1:
General Provisions
Article 1 encompasses general provisions, including definitions. It also details necessary, proportionate, and compatible uses of personal information. (Businesses must limit their uses of personal information to those that are necessary and proportionate to, or compatible with, the purposes for which they collected it.) This article also lays out how businesses must provide additional notice when they collect new categories of personal information or use personal information for new purposes. Also of note, it outlines and provides some context to the CPPA’s views on dark patterns – “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice.”
Article 2:
Required Disclosures to Consumers
Article 2 adds guidance related to required disclosures to consumers. One key highlight is the clarification that “more than one business may control the collection of a consumer’s personal information.” If “a first party [] allow[s] another business, acting as a third party, to control the collection of personal information from consumers browsing the first party’s website,” both entities must provide notice at collection. This has the potential to pull in numerous service providers, including website analytics companies.
Article 3:
Business Practice for Handling Consumer Requests
Article 3 focuses on business practices for handling consumer requests. Notably, it provides specificity on how a business must comply with both universal opt-out preference signals and requests to limit the use and disclosure of sensitive personal information to those necessary in order to perform the service or provide the goods requested and expected by the consumer. How this regulation is to be enforced is especially significant in view of technological gaps, namely the lack of a widely accepted universal opt-out solution.
Article 4:
Service Providers, Contractors, and Third Parties
Article 4 pertains to service providers, contractors, and third parties, and outlines requirements for contractual provisions between a business and any entity to whom it discloses personal information. It also limits the purposes for which service providers, contractors, and third parties may use personal information they receive from a business.
Article 5:
Verification of Requests
Article 5 adds much-needed clarity to the verification of requests and breaks down requirements based on the specific right a consumer seeks to exercise. Additionally, it sets out guidance on how a business can evaluate whether its verification process will be deemed to be in compliance with the CCPA.
Article 6:
Special Rules Regarding Consumers Under 16 Years of Age
Article 6 details special rules regarding consumers under 16 years of age, including requirements related to establishing the mandatory reasonable method for determining that a person providing consent for selling or sharing the personal information of a child is the child’s parent or guardian.
Article 7:
Non-Discrimination
Article 7 furnishes numerous examples related to non-discrimination, which in the context of CCPA/CPRA refers to “[a] price or service difference” based on a consumer’s decision to exercise a data right. It also provides guidance on determining the value of consumer data.
Article 8:
Training and Record-Keeping
Article 8 addresses internal training and record-keeping for businesses subject to CCPA/CPRA. Notably, there are stricter requirements placed on businesses that know, or should know, that they “buy[], receive[] for . . . commercial purposes, sell[], share[], or otherwise make[] available for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year.”
Article 9:
Investigations and Enforcement
Article 9 pertains to investigations and enforcement, including probable cause hearings, stipulated orders, and audits for compliance with CCPA/CPRA. It also outlines how an individual or business may make a sworn complaint to the CPPA.
CPPA Enforcement Priorities
In a public hearing on July 14, 2023, the CPPA’s Deputy Director of Enforcement, Michael Macko, outlined three target areas for enforcement actions:
Privacy Notices and Policies
Rather than focusing on technical violations, the agency will make sure that “businesses [are] doing what they say” in their privacy policies.
The Right to Delete
The agency will also concentrate on ensuring companies are honoring requests to delete.
Evaluation and Response to Consumer Requests
Finally, the agency will look into “how businesses, in fact, are evaluating and responding to consumer requests that they receive,” including whether they place obstacles in the path of consumers who wish to exercise their rights.
While these comments are helpful in clarifying the CPPA’s immediate focus, companies should nevertheless be prepared to comply with all of the newly effective regulatory provisions.
What Comes Next
While the regulations currently in effect provide detail on many sections of CCPA/CPRA, there are several crucial areas they do not cover: cybersecurity audits, risk assessments, and automated decision making. The CPPA issued an invitation for preliminary public comments on rules regarding these topics last February (the comment period is now closed) and released an initial draft of additional rules addressing automated decision-making last November. At this time, the timeline for the adoption of final rules is unknown.