April 20, 2023

CPRA Regulations

This article keeps track of the new CPRA regulations passed by the California AG. In the first part, we’ll briefly overview the existing regulations. The proposed regulations follow. Finally, we’ll provide a brief overview of all the regulations that could be expected in the next few years.

You may have read the CPRA text and even our easy-to-understand articles on CPRA requirements and CPRA exemptions, but you still need to be aware of a few more things.

Section 1798.185 of the CPRA authorizes the California Attorney General to “solicit broad public participation and adopt regulations to further the purposes of this title (the CPRA).” In simple terms, the Attorney General will make new rules within the boundaries set by the CPRA to clarify and simplify the law.

This article keeps track of the new CPRA regulations passed by the California AG. In the first part, we’ll briefly overview the existing regulations. The proposed regulations follow. Finally, we’ll provide a brief overview of all the regulations that could be expected in the next few years.

Existing California Privacy Rights Act Regulations

Here are the completed CPRA rulemaking activities:

Transferring Rulemaking Powers to CPPA

The first-ever passed regulation transferred rulemaking powers to the CPPA.

Major CCPA Updates

This round of  CPRA Regulations is, in fact, extensive amendments to the California Consumer Privacy Act(CCPA). The key takeaways include the following:

  • Providing an alternative opt-out link to consumers in the form of a “Your California Privacy Choices” link
  • Requires businesses to respond to opt-out preference signals made by consumers through their browsers (such as Global Privacy Controls)
  • Clarifies what disproportionate effort in honoring consumer requests is
  • Clarifies the procedure of honoring consumer requests
  • Providing consumers with a notice on the right to limit the use of sensitive personal information
  • Defines the CPRA consumer rights
  • Clarifies further the data minimization principle
  • Clarifies that the purpose of data processing must be related to the reasonable expectations of the consumer
  • Reduces the requirement of explicit consent for processing already collected data for a new purpose down to implied consumer’s consent
  • Aligns the requirements of financial incentives programs
  • Requirements regarding the use of plain language in notices and disclosures
  • Requires businesses to inform users on data retention periods when they collect personal information
  • Prohibit dark patterns in mechanisms where users are required to make a choice
  • Specific and detailed requirements on what each privacy policy shall contain
  • Clarifications on requests to Limit the Use and Disclosure of Sensitive Personal Information
  • Aligns the CCPA and CPRA requirements on service providers, contractors, and third parties, including the contract requirements
  • Clarifies that service providers cannot provide cross-context behavioral advertising services because such services can be provided only by third parties.

These updates have passed through the first comment period and will likely be enacted.

Proposed CPRA Regulations (Draft Regulations)

The currently proposed CPRA Regulation affects cybersecurity audits, risk assessments, and automated decision-making.
The draft-text is not available yet. Once it becomes public, we’ll summarize the key details here.

The CPRA Regulations to Expect in the Future

According to Section 1798.185 of the CPRA, in the future, we can expect new regulations on the following:

  • Adding new categories of personal information required for notices and disclosures, particularly on data collection
  • Update the definitions of deidentified data to address the changes in technology
  • Establish new exceptions of the law in relation to complying with other federal and state laws
  • Clarify further the rules on honoring consumer requests
  • Adjusting the monetary thresholds in January of every odd-numbered year to reflect any increase in the Consumer Price Index
  • Establish new rules and procedures for disclosing notices, particularly those related to the sharing of personal information and opt-out of the sale of personal data
  • Establish new rules and procedures for consumer requests, particularly the request for correction
  • Issue regulations about business purposes for which businesses, service providers, and contractors may use consumers’ personal information consistent with consumers’ expectations
  • Issue regulations to define the business purposes for which service providers and contractors may combine consumers’ personal information obtained from different sources
  • Further define what precise geolocation is
  • Further define the term "specific pieces of information obtained from the consumer" with the goal of maximizing a consumer’s right to access
  • Issue regulations regarding businesses’ requirements for conducting cybersecurity audits, risk assessments, and other data security practices in order to prevent data security incidents
  • Issue regulations on the access and opt-out rights regarding businesses’ use of automated decision-making technology, including profiling
  • Establish rules on the work of the California Privacy Protection Agency and the law enforcement actions
  • Define the scope and process of the agency’s audit authority to establish criteria for who to audit and to protect consumers’ personal information from disclosure to an auditor
  • Regulate consumer’s opt-out preference signals
  • Regulate further methods for opt-in
  • Any other regulations that the Attorney General may consider necessary.

The Role of the California Privacy Protection Agency (CPPA) in CPRA Regulations

The CPPA is the central actor in the CPRA and CCPA rulemaking processes. The CPPA board’s job is to draft and publish the proposed regulations for public comment. Once they collect comments, the CPPA board will discuss them in a board meeting before finalizing the regulations. Every version of the regulations is subject to revision.

The CPPA will also consider US states’ new state privacy laws, such as Colorado, Virginia, Utah, and Connecticut, and ensure that the requirements do not differ a lot among data privacy laws.

The CPRA extends the consumer privacy rights established by the CCPA and increases the data protection standards in California. Although not as comprehensive as the GDPR of the EU, the CPRA is still a step forward in the right direction in protecting the privacy rights of California consumers.

Start your Free Trial