7 Things You Need to Know About the Final CCPA Regulations

Almost 9 months after the California Privacy Protection Agency (CPPA) began the formal rulemaking process, the initial set of regulations under the California Privacy Rights Act (CPRA) finally became effective on March 29, 2023. As expected, the final regulations (“Final Regulations”) clarify and expand on existing regulations under the California Consumer Privacy Act (CCPA) that were previously in force. In advance of the July 1 CPRA enforcement date, businesses should evaluate whether and to what extent the Final Regulations will impact their existing privacy program, processes and practices.

Here are seven key ways in which the Final Regulations may impact your business:

  1. Contracting requirements. The Final Regulations set out minimum terms that must be included in contracts with all entities to which a business discloses personal information, including service providers, third parties and a new category of entities called contractors. Article 4 highlights these specific requirements as well as the duties of a third party that receives personal information from a business subject to the law. Businesses should consider revisiting their existing data processing agreements and updating their templates to ensure they comply with applicable requirements.
  2. Targeted advertising. The Final Regulations clarify that companies that provide cross-contextual behavioral advertising are “third parties” under the CPRA and not service providers or contractors. The clarification effectively obligates businesses to provide consumers with the ability to opt out of the disclosure of their personal information for cross-contextual behavioral purposes when exercising their right to opt out of “sales” or “sharing” of personal information. Businesses that conduct cross-context behavioral advertising should consider adjusting their privacy notices and consumer rights processes going forward to the extent they have not already done so.
  3. New notice requirements. The Final Regulations modify the various notice requirements under the CCPA to align them with the CPRA. For example, the Final Regulations set out formatting and presentation requirements, clarifying that disclosures must be easy to read and understandable and conform to applicable industry standards for persons with disabilities. According to the Final Regulations, conspicuous links for websites should appear in a similar manner as other similarly posted links, and, for mobile applications, conspicuous links should be accessible in the business’s privacy policy.
  4. Dark patterns. The Final Regulations provide additional clarity regarding what types of “dark patterns” may invalidate a business’s efforts to obtain consent from its users. Under the Final Regulations, any practice that does not comply with specific guidelines for how a business must present consumers with the ability to exercise their rights and obtain valid consent may constitute a “dark pattern.” In addition, a user interface that has the “effect of substantially subverting or impairing user autonomy, decisionmaking, or choice, regardless of a business’s intent,” may be considered a dark pattern.
  5. Requests to correct. In addition to the individual rights to access, limit and delete personal information, the Final Regulations expand upon the CCPA’s rights requirements and require businesses to provide consumers with the ability to correct their information maintained by the business. Article 3 discusses these specific requirements, including exceptions for requests for which the response would be impossible or involve disproportionate effort for the business. The Article also explains how certain concerns over the accuracy of personal information should be resolved.
  6. Opt-out preference signals. The Final Regulations provide further clarity about what businesses must do when they receive automated opt-out preference signals from consumers. Under the CPRA, businesses are expected to treat opt-out preference signals as valid requests to opt out of the sale or sharing of their personal information. The Final Regulations indicate that a business shall process any opt-out preference signal as a valid request to opt out of sale/sharing if (1) the signal is in a format commonly used and recognized by businesses (such as an HTTP header field); and (2) the platform, technology or mechanism that sends the opt-out signal makes clear to the consumer that the use of the signal is meant to have the opt-out effect (regardless of whether or not the signal is tailored to only California residents).
  7. Enforcement. The Final Regulations include a new section on enforcement actions by the CPPA. Specifically, this section includes information on how a person can make a sworn complaint to the agency, as well as how the agency can conduct probable cause hearings and audits and enter into stipulated orders.

While California’s approach to enforcing the Final Regulations is yet to be seen, what we do know is that enforcement, including budget allocation and increased hiring of enforcement personnel, is a top priority based on the most recent CPPA Board minutes. In addition, another rulemaking is forthcoming relating to automated decision-making, cybersecurity audits and risk assessments.

If you need help with assessing the Final Regulations or your CPRA-compliance roadmap, see our CPRA FAQ Guide or contact a member of Orrick’s Cyber, Privacy and Data Innovation Group. To receive updates on the CPRA, and other global privacy and cybersecurity developments, sign up here.

Authors

Sulina Gabale Partner, Cyber, Privacy & Data Innovation, Internet of Things

As innovation pushes the limits of technology, those ideas challenge the boundaries of what is considered “personally identifiable information.” Sulina answers the question - how can we create tomorrow’s technology with yesterday’s privacy and consumer protection laws? Sulina works closely with innovators at all levels of a business – executives, engineers, marketing and product, HR and customer service teams – to gain a true understanding of their goals and the data they’re collecting, using and sharing. She places herself in her client’s shoes as well as in consumers’ mindset to devise creative privacy-by-design solutions, ensuring her client’s business and data innovation strategies withstand multi-national rules, government regulations, industry standards and consumer scrutiny.

With experience in both data privacy and consumer protection, Sulina utilizes a comprehensive approach to counsel clients on a myriad of issues affecting consumers and businesses. She routinely guides companies of all sizes through the existing patchwork of laws, self-regulatory standards and industry practice impacting data privacy and security. She advises clients subject to regulatory investigations and litigation involving a spectrum of federal and state laws, including:

Sulina advises companies of all sizes on the development and deployment of cutting-edge technologies and services, including ad-tech, AI and machine learning, biometric tools, social media, robotics and IoT devices, marketing and promotions and more. Sulina began her legal career focusing on consumer protection. She continues to counsel clients on marketing and promotional issues, including interest-based ads; sweepstakes and promotions; automatic renewal and subscriptions; advertising substantiation; influencer programs and social media; SMS text messaging and telemarketing (including matters involving the Telemarketing Sales Rule (TSR), the Telephone Consumer Protection Act (TCPA)); and other state and federal consumer protection laws.

Sulina’s practice is industry-agnostic. She has represented clients ranging from start-ups to Fortune 500s, non-profits, academic institutions and city governments across a range of industries from fashion and ecommerce, financial services, retail, food and beverage and technology services. Prior to law school, Sulina worked in the highly interactive fields of journalism, entertainment and digital media. This well-rounded background helps her connect with clients on a personal level, and ensure her advice integrates legal solutions with business practicality.

Before joining Orrick, Sulina was a member of the Privacy & Data Security Group; Entertainment & Media Group; and IP, Information & Innovation Group at Reed Smith, LLP in New York and Washington, D.C.