CPRA Regulations Just Around the Corner: Approved by the California Privacy Protection Agency

On February 3, 2023, the California Privacy Protection Agency (the “Agency”) approved the final draft of the regulations (the “Regulations”) promulgated under the California Privacy Rights Act of 2020 (“CPRA”). The Regulations amend and restate the regulations promulgated by the California Attorney General under the California Consumer Privacy Act of 2018 (“CCPA”). The Agency’s approval triggers a 30-day review period for the California Office of Administrative Law. Given this timeline, the Regulations likely will take effect around April 2023.

These Regulations contain substantive provisions that interpret and expand on the CPRA and carry the full force of law. Notable provisions in the Regulations include the following:

Purpose Limitations

The CPRA requires that a business’s collection, use, retention or sharing of a consumer’s personal information be reasonably necessary and proportionate to achieve (1) the purpose(s) for which the business collects or processes such personal information or (2) another disclosed purpose compatible with the context in which the business collected the personal information. As set forth in the Regulations, if a business fails to meet this requirement, then the business must obtain the consumer’s consent before collecting or processing the personal information. The Regulations further specify that the purpose(s) for which a business collects or processes personal information must be consistent with the “reasonable expectations of the consumer,” and set forth factors for a business to determine such expectations, as well as whether a business’s collection, use, retention or sharing of personal information is reasonably necessary and proportionate and whether other disclosed purposes are compatible with the context of collection.

Right to Limit the Use of Sensitive Personal Information

If a business is only collecting or processing sensitive personal information, as defined by the CPRA, for certain enumerated purposes, then the business does not need to provide consumers with notice of their right to limit the use and disclosure of such sensitive personal information or a method for submitting a request to exercise such right, provided that the use or disclosure is reasonably necessary and proportionate to the disclosed purpose. 

Opt-Out Preference Signals

Businesses must recognize universal opt-out preference signals as a valid request from a consumer to opt out of the sale of personal information or the sharing of personal information for cross-context behavioral advertising, which was a topic of the California Attorney General’s enforcement action discussed in our prior alert here. However, it is optional for a business to display on its website whether it has processed an opt-out preference signal as a valid request to opt out of the sale/sharing of personal information. It is also optional for a business to inform consumers of any conflict between an opt-out preference signal and participation in an incentive program.

Audits and Enforcement

The Agency may audit a business, service provider, contractor or person to ensure compliance with any provision of the CCPA and CPRA, and such audits may be announced or unannounced.

The Regulations contain other substantive provisions that affect notices at collection, dark patterns, service provider contracts and many other areas governed by the CCPA and CPRA. The Regulations, however, do not include provisions related to data protection assessments, cybersecurity audits, or automated decision-making. The Agency has announced it will cover those matters in future regulations.

The Agency and the California Attorney General will begin enforcing both the Regulations and the CPRA on July 1, 2023. In light of the complexity of the CPRA and these Regulations, businesses should actively work towards compliance now. If you need assistance with your compliance efforts or want more information on the Regulations or the CPRA, please contact one of our Cybersecurity & Data Privacy attorneys.