California Privacy Rights Act (CPRA)

Subscribe to California Privacy Rights Act (CPRA)

Just two months before the effective date (January 1, 2023) of the California Privacy Rights Act (“CPRA”), the California Privacy Protection Agency (“CPPA”) Board met on October 28 and 29 to discuss revisions to the agency’s initial draft CPRA regulations.  Board members discussed a range of proposed changes that could significantly impact businesses but also reserved discussion on important topics, such as employee and business-to-business data, for future proceedings.

This post provides further details about the rulemaking process, as well as takeaways from the Board’s discussion of key substantive topics, such as restrictions on the collection of personal information and opt-out preference signals.  The Board directed CPPA staff to consider and include specific modifications, as discussed below; and on November 3, the CPPA released a further revision of its proposed rules for a 15-day public comment period (the “November 3 Draft Regulations”).  The deadline to submit comments is 8:00 am on Monday, November 21.
Continue Reading CPRA Rule Revisions Unlikely to be Finalized in 2022

With the clock now running on the comment period for the California Privacy Protection Agency’s (CPPA) Draft Regulations to implement the CPRA – comments are due on August 23 – one of the items on many businesses’ CPRA preparation to-do lists is to address new (and the expansion of existing) consumer rights. The Draft Regulations published by the CPPA lay out how the CPPA is likely to define these obligations. This post takes a deeper look at what’s in the CPPA’s proposal – as well as what’s missing.

A couple of overarching points are worth keeping in mind.  First, implementing the CPRA’s consumer rights provides an occasion to review and update data maps so that they accurately capture how personal information flows both through their organizations and to service providers, contractors, and/or third parties.  Second, preparing for CPRA consumer requests should go hand-in-hand with reviewing the systems and procedures that are in place to honor consumers’ requests.
Continue Reading Preparing for Expanded Consumer Rights Requests Under the CPRA

Among the many details to absorb in the draft amendments to the CCPA regulations published by the California Privacy Protection Agency (“CPPA”) on May 27 (the “Draft Regulations”) are new and prescriptive disclosure requirements for notices at collection and privacy policies. While these disclosure provisions (and all of the other provisions of the Draft Regulations)

The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations on May 27, 2002.

In this webinar in association with Mondaq, Robert Cunningham and Rod Ghaemmaghami provided observations on the

We like to occasionally use this space to let you know about upcoming events that you may not have heard about:

June 8

State Attorneys General 101
Please join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Senior Associate Beth Chun and Abby Stempson, Director of the Center for Consumer Protection, National

On Friday May 27, 2022, the California Privacy Protection Agency (CPPA) Board announced its next public meeting will be on June 8, 2022. The announcement simply stated the date of the meeting, that there are “some discussion items [that] will be relevant to the Agency’s rulemaking work,” and that information on how to attend the meeting and the meeting agenda could be found on the CPPA’s site. It did not take too many Internet sleuths to review the posted agenda, and note that Agenda Item No. 3 was “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action,” and that the posted meeting materials included a copy of the “Draft Proposed CCPA Regulations.” In addition, Agenda Item No. 4 provides for “Delegation of Authority to the Executive Director for Rulemaking Functions.” Full stop, June will be an active month for California privacy rulemaking.

But let’s unpack the surprises in the draft regulations. The 66-page draft proposed CCPA regulations (and they are referred to within the document as CCPA regulations) take a prescriptive approach to privacy obligations. In concept, that is not too surprising. Of concern, in some areas, they uniquely depart from approaches set forth by other state privacy laws. The quiet release of dramatic new obligations while bipartisan Senators reportedly may be reaching consensus on federal privacy legislation that could  preempt state law obligations puts companies doing business in California in a difficult position. Do they scramble to operationalize new programs to comply with the CPPA’s new requirements, if finalized? Do they wait on Congress? Do they choose a third path? For now, while these draft rules are certain to change in some respects before they are finalized, they directionally outline a new privacy baseline for the United States. We highlight certain aspects of the draft rules below, with a particular focus on accountability and risk exposure, how data can be shared with other businesses for digital advertising or other functions, and what those business agreements must include to lawfully support such business relationships and comply with the amended CCPA.
Continue Reading New California Draft Privacy Regulations: How They Would Change Business Obligations and Enforcement Risk

The replay for our April 28, 2022 Privacy Priorities for 2022: Tracking State Law Developments webinar is available here.

In the absence of a federal privacy law, privacy has been at the forefront of many states’ legislative sessions this year. Against this backdrop, state attorneys general continue to initiate investigations into companies’ privacy practices,

Top Privacy Issues to Watch in 2022You’ve probably seen a lot of privacy forecasts for 2022 during the past few weeks. Here’s one that reflects the collective thoughts of our diverse privacy team, which includes former high level officials from the FTC and State AG offices, and practitioners who have been advising clients about privacy for over 30 years.

Note:

Last week, California’s Governor Gavin Newsom signed into law AB 694, which makes a few technical changes to the California Privacy Rights Act (CPRA).  The relevant changes to the CPRA are summarized below.

  • As defined in the CPRA, “personal information” does not include publicly available information or lawfully obtained, truthful information that is a

During last month’s California Privacy Protection Agency Board (CPPA) meeting, the only substantive agenda item, addressed in closed session, was a discussion of two key appointments: the first Executive Director and a Chief Privacy Auditor, as required by CPRA’s 1798.199.30. On October 4, 2021, the five-person CPPA board announced that they appointed