On June 8, 2022, the California Privacy Protection Agency
(“CPPA” or “Agency”) voted to begin the formal rulemaking process for regulations implementing the California Privacy Rights Act (CPRA). The Agency Board discussed and approved draft proposed regulations
and an Initial Statement of Reasons
that were posted on the Agency's website on May 27, 2022 and June 3, 2022, respectively. These draft regulations—which will be subject to public comment and revision before they become final—provide important guidance on implementation of significant provisions in the CPRA regarding, for example, sensitive consumer personal information, opt-out links, mandatory recognition of opt-out preference signals, and additional topics. A high-level summary of the proposed regulations is provided below.
First, an important caveat: these draft regulations do not cover every topic on which the CPRA tasked the Agency with adopting regulations. The draft notably does not address how businesses should conduct privacy risk assessments, cybersecurity audits, or provide access/opt-out rights to consumers regarding the use of automated decision-making technology (including profiling). Nonetheless, the 66 pages of proposed draft regulations contain important guidance on and illustrative examples of a number of key issues, including likely requirements for opt-out links, recognition of opt-out signals, and obtaining consumer consent without being “manipulative.” The draft regulations are detailed, technical, and prescriptive, which will increase compliance costs for businesses operating in California.
To read the full alert, click here.