CCPA Regulations Approved
On 29 March 2023 the California Office of Administrative Law approved the first final rulemaking package proposed by the California Privacy Protection Agency (CPPA or the Agency), which is the implementing and enforcement agency created under the California Consumer Privacy Act (CCPA). The package consists of (1) the CPPA’s proposed regulations (Regulations), and (2) the CPPA’s final statement of reasons. The Regulations, which are now a part of the CCPA, took effect 29 March 2023. The CPPA is expected to publish the final rulemaking documents on its website the week of 3 April 2023.
The Regulations govern how the CCPA will be enforced. With the Regulations now in effect, businesses covered directly by the CCPA and other parties, such as service providers covered indirectly by the CCPA, should take note of the following key provisions:
- Restrictions on the collection and use of California consumers’ personal information (including expanded requests to delete and new requests to correct);
- Requirements for methods for submitting consumer requests and obtaining consumer consent (including prohibitions on the use of “dark patterns”);
- Additional information requirements in privacy notices;
- Expanded opt-out requirements (including opt-out preference signals and requests to opt-out of sale/sharing);
- The new California consumer right to limit the use of “sensitive personal information”; and
- The expansion of indirect coverage over “contractors” and “third parties” (beyond “service providers,” including data processing contractual requirements).
While the Regulations have a significant impact on the CCPA, this is just the beginning of the CPPA’s rulemaking process, and in turn, the California Attorney General’s enforcement of the CCPA. Specifically, although the California Attorney General’s first and only CCPA settlement, against Sephora, was nearly eight months ago, we are now seeing more activity, including a recent investigative sweep focused on mobile app providers’ opt-out compliance, and we expect more action in the wake of the Regulations.
In terms of next steps for the CPPA, we expect the next rulemaking package to address automated decision-making, cybersecurity audits, and risk assessments, based on the Agency’s 3 February 2023 meeting. While some of the above key changes from the Regulations may not immediately impact all businesses, the second set is sure to have a major impact if it covers automated technology and audits/risk assessments.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.