This article keeps track of the new CPRA regulations passed by the California AG. In the first part, we’ll briefly overview the existing regulations. The proposed regulations follow. Finally, we’ll provide a brief overview of all the regulations that could be expected in the next few years.
Secure Privacy Team
You may have read the CPRA text and even our easy-to-understand articles on CPRA requirements and CPRA exemptions, but you still need to be aware of a few more things.
Section 1798.185 of the CPRA authorizes the California Attorney General to “solicit broad public participation and adopt regulations to further the purposes of this title (the CPRA).” In simple terms, the Attorney General will make new rules within the boundaries set by the CPRA to clarify and simplify the law.
Existing California Privacy Rights Act Regulations
Here are the completed CPRA rulemaking activities:
Transferring Rulemaking Powers to CPPA
The first regulation passed transferred rulemaking powers to the CPPA.
Major CCPA Updates
This round of CPRA Regulations is, in fact, a set of extensive amendments to the California Consumer Privacy Act (CCPA). The key takeaways include the following:
Providing an alternative opt-out link to consumers in the form of a “Your California Privacy Choices” link
Requires businesses to respond to opt-out preference signals made by consumers through their browsers (such as Global Privacy Control)
Clarifies what disproportionate effort in honoring consumer requests is
Clarifies the procedure of honoring consumer requests
Providing consumers with a notice on the right to limit the use of sensitive personal information
Defines the CPRA consumer rights
Clarifies further the data minimization principle
Clarifies that the purpose of data processing must be related to the reasonable expectations of the consumer
Reduces the requirement of explicit consent for processing already collected data for a new purpose down to the consumer’s implied consent
Aligns the requirements of financial incentives programs
Requirements regarding the use of plain language in notices and disclosures
Requires businesses to inform users of data retention periods when they collect personal information
Prohibits dark patterns in mechanisms where users are required to make a choice
Specific and detailed requirements on what each privacy policy shall contain
Clarifications on requests to Limit the Use and Disclosure of Sensitive Personal Information
Aligns the CCPA and CPRA requirements on service providers, contractors, and third parties, including the contract requirements
Clarifies that service providers cannot provide cross-context behavioral advertising services because such services can be provided only by third parties.
These updates have passed through the first comment period and will likely be enacted.
Proposed CPRA Regulations (Draft Regulations)
The currently proposed CPRA Regulation affects cybersecurity audits, risk assessments, and automated decision-making.
The draft text is not available yet. Once it becomes public, we’ll summarize the key details here.
The CPRA Regulations to Expect in the Future
According to Section 1798.185 of the CPRA, in the future, we can expect new regulations on the following:
Adding new categories of personal information required for notices and disclosures, particularly on data collection
Update the definitions of deidentified data to address the changes in technology
Establish new exceptions to the law in relation to complying with other federal and state laws
Clarify further the rules on honoring consumer requests
Adjusting the monetary thresholds in January of every odd-numbered year to reflect any increase in the Consumer Price Index
Establish new rules and procedures for disclosing notices, particularly those related to the sharing of personal information and opt-out of the sale of personal data
Establish new rules and procedures for consumer requests, particularly the request for correction
Issue regulations about business purposes for which businesses, service providers, and contractors may use consumers’ personal information consistent with consumers’ expectations
Issue regulations to define the business purposes for which service providers and contractors may combine consumers’ personal information obtained from different sources
Further define what precise geolocation is
Further define the term "specific pieces of information obtained from the consumer" with the goal of maximizing a consumer’s right to access
Issue regulations regarding businesses’ requirements for conducting cybersecurity audits, risk assessments, and other data security practices in order to prevent data security incidents
Issue regulations on the access and opt-out rights regarding businesses’ use of automated decision-making technology, including profiling
Establish rules on the work of the California Privacy Protection Agency and the law enforcement actions
Define the scope and process of the agency’s audit authority to establish criteria for who to audit and to protect consumers’ personal information from disclosure to an auditor
Regulate consumers’ opt-out preference signals
Regulate further methods for opt-in
Any other regulations that the Attorney General may consider necessary.
The Role of the California Privacy Protection Agency (CPPA) in CPRA Regulations
The CPPA is the central actor in the CPRA and CCPA rulemaking processes. The CPPA board’s job is to draft and publish the proposed regulations for public comment. Once they collect comments, the CPPA board will discuss them in a board meeting before finalizing the regulations. Every version of the regulations is subject to revision.
The CPPA will also consider new privacy laws in other US states, such as Colorado, Virginia, Utah, and Connecticut, and ensure that the requirements do not differ much among data privacy laws.
The CPRA extends the consumer privacy rights established by the CCPA and increases the data protection standards in California. Although not as comprehensive as the GDPR of the EU, the CPRA is still a step in the right direction in protecting the privacy rights of California consumers.