At the California Privacy Protection Agency (the “Agency”) Board meeting on February 3, 2023, the Agency took a number of long-awaited and key steps toward adopting the regulations required of it under the California Consumer Privacy Act (“CCPA”). First, the Agency Board voted unanimously to approve a rulemaking package that includes an initial set of changes to the CCPA regulations (the “Amended Regulations”) intended to reflect changes required by the enactment of the California Privacy Rights Act (“CPRA”), which came into effect on January 1, 2023. Second, the Agency Board voted unanimously to initiate a preliminary process to develop new rules required by the CPRA for risk assessments, cybersecurity audits, and automated decision-making.
The Amended Regulations provide some clarity—and specific examples—with respect to the application and enforcement of the CCPA as amended by the CPRA, but the Agency failed to provide specific direction on a number of key questions and issues raised by commenters, and the rulemaking process is far from complete. The final package will now be submitted to the California Office of Administrative Law (“OAL”), which will have 30 business days to review—and approve or reject—the package. As a result, the earliest the Amended Regulations will take effect is sometime in April 2023. If, however, the OAL were to reject the submission, the package would be sent back to the Agency, which would have 120 days to cure any deficiencies.
The Agency’s rulemaking is happening against the backdrop of increased enforcement from the California Attorney General (“CA AG”). According to a release by the CA AG, the office is actively investigating and enforcing alleged violations of the CCPA, including with a recently announced “sweep” focusing on compliance of mobile applications with consumers’ right to opt out. The combination of active enforcement and regulatory uncertainty has put many companies between a rock and a hard place as they try to comply with the CCPA.
As discussed in our previous client alerts, the CPRA was enacted in 2020 as a ballot proposition, and amended both substantive requirements and administrative aspects of the CCPA. With respect to administrative matters, the most significant step taken under the CPRA was the establishment of the Agency to implement regulations and enforce the CCPA through administrative actions (civil enforcement, however, remains with the CA AG). The CPRA directed the Agency to amend the existing CCPA regulations to harmonize them with the changed statute, and added to the number of topics—now 22 in total—to be the basis of future regulations. The CPRA directed that these regulations be finalized by July 1, 2022, but CCPA rulemaking authority, which had previously been fully vested in the CA AG, was not formally transferred to the Agency until April 2022. As a result, the process of developing the rules required by the CCPA has been—and continues to be—significantly delayed.
The Amended Regulations
The Amended Regulations address a number of the topics required by the CCPA and CPRA—such as the definition of “sensitive personal information” and contract requirements for service providers, contractors, and third parties—but a number of topics remain outstanding. The Agency provides proactive guidance through illustrative examples in the Amended Regulations that demonstrate how businesses can operationalize some of the regulatory requirements.
Among other things, the Amended Regulations:
- Provide guidance on handling opt-out requests. The CCPA regulations currently in force, as published by the CA AG, prescribe the placement, appearance, and function of the “Do Not Sell My Personal Information” link. The Amended Regulations make clear that these requirements also govern the “sharing” of personal information. In addition, the Agency describes other methods by which a business may effectuate a consumer’s opt-out request, including through an “Opt-Out Preference Signal” (i.e., a signal sent on behalf of the consumer to communicate that consumer’s choice to opt out of the sale/sharing of personal information). Businesses must treat the receipt or detection of such a signal as a valid request by the consumer to opt out and must effectuate all requests to opt out of the sale/sharing of personal information in a “frictionless” manner. This guidance reinforces the same determination made by the CA AG in its enforcement action against Sephora, Inc. (“Sephora”), which stemmed, in part, from the company “wholly disregard[ing] consumers who communicated . . . via a global opt-out signal, that Sephora should not sell their personal data.”
- Provide further detail regarding the scope of required consumer notices. The CCPA requires that notices be provided to consumers regarding, among other things, the business’ privacy practices, the types of, and purpose for, collecting/processing personal information, and whether the business sells or shares personal information. The Amended Regulations clarify that privacy policies must include “a comprehensive description of the business’ online and offline” information practices, and that a notice must be provided at or before the point of collection (the “Notice at Collection”), so that consumers may exercise meaningful control over their data (e.g., to provide a tool allowing consumers to direct a business not to sell or share personal data, or to limit the use of sensitive personal data). The Notice at Collection must also indicate the length of time the business intends to retain the consumer’s personal information.
In addition, in appendices to the final rulemaking package, the Agency summarizes and responds to public comments, providing limited explanations of its reasons for accepting or rejecting a given comment.
The Agency still has several key topics on which it must issue guidance or regulations. However, while the Agency must address the topics enumerated in the statute, its regulatory authority is not limited to these issues. Rather, the Agency may regulate as necessary to further the purpose of the CCPA, as amended. Moreover, several Board members—including Alastair Mactaggart and Lydia de la Torre—have indicated they believe the Board should develop a process by which it may regularly review and, as needed, update the CCPA regulations.
This all suggests that the Agency anticipates an evolving regulatory landscape for the foreseeable future, and businesses can expect this process of public engagement and OAL approval to continue as the Agency promulgates new and amended CCPA regulations.
The Stick Looms
Against this backdrop, both the Agency and the CA AG have emphasized that the letter of the law must be enforced. The Agency has reiterated that “businesses are required to comply with all express statutory requirements . . . [and] with those CCPA regulations currently in effect” (i.e., the CCPA regulations, without the proposed changes, until such time as the Amended Regulations are approved by the OAL). The CA AG’s office has also touted its “commit[ment] to the robust enforcement of the nation’s toughest data privacy law,” despite the absence of a complete set of rules and guidance from the Agency. Recent actions indicate that CA AG enforcement is targeting alleged violations of consumers’ right to opt out of the sale of personal information, but its authority—and appetite—to enforce is much broader.
Commenters will have 45 days to provide input. Cal. Consumer Privacy Protection Agency, Discussion Draft for February 3, 2023 CPPA Board Meeting: Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking, available here.
The Agency Board held a public hearing in late August 2022, followed by a 45-day public comment period. See Cal. Consumer Privacy Protection Agency, Notice of Modifications to Text of Proposed Regulations and Addition of Documents and Information to Rulemaking File (Nov. 3, 2022), available here. This was followed by another hearing on October 28-29, 2022, at which the Board resolved to publish the modified text of the Amended Regulations and to open a final 15-day comment period. See Cal. Consumer Privacy Protection Agency, Motion (Oct. 29, 2022), available here.
Cal. Civ. Code §§ 1798.185(a)(8)-(22).
Id. § 1798.185(d).
California v. Sephora USA, No. CGC-22-601380 (Complaint for Injunction, Civil Penalties, and other Equitable Relief), at 3, available here. The CA AG announced a settlement with Sephora in this matter on August 24, 2022. See California v. Sephora USA, No. CGC-22-601380 (Cal. Super. Ct., Aug. 24, 2022) (Final Judgment and Permanent Injunction), available here.
Id. § 7011.
Id. § 7012.
Cal. Consumer Privacy Protection Agency, FSOR Appendix A: Summary and Response to Comments Submitted during 45-Day Period, available here; Cal. Consumer Privacy Protection Agency, FSOR Appendix C: Summary and Response to Comments Submitted during 15-Day Period, available here.
Cal. Consumer Privacy Protection Agency, Agency Frequently Asked Questions (FAQs) (last visited Feb. 14, 2023), available here. Regarding enforcement, the Agency may consider the amount of time between the regulation’s effective date and the occurrence of an alleged violation. See Final Regulations Text § 7301(b).
See California v. Sephora USA, No. CGC-22-601380 (Cal. Super. Ct., Aug. 24, 2022) (Final Judgment and Permanent Injunction); Cal. Att’y Gen., Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act (Aug. 24, 2022), available here.