October 19, 2022

CPPA Releases Updated CCPA Regulations

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all OnPractice content.
Register Now

On October 17, 2022, the California Privacy Protection Agency (CPPA) released its much-anticipated updates to the proposed California Consumer Privacy Act (CCPA) regulations in response to the hundreds of public comments received by the CPPA to its originally proposed regulations. This alert summarizes the revised regulations, which will be the subject of four days of CPPA board meetings occurring on October 21 to 22, 2022, and again on October 28 to 29, 2022. The revisions will also likely trigger an additional comment period, and further changes are possible. We will continue to provide updates as they occur.



While some onerous provisions remain, many changes to the proposed regulations will lessen the burden on businesses as compared to the originally proposed regulations. For example:

  • Many of the previously "mandatory" technical requirements are now "permissive";
  • The changes either eliminate or ease requirements to flow down rights requests (such as "Do Not Sell" requests);
  • There is now clarification that the right to limit the use or disclosure of Sensitive Personal Information (SPI) only applies to SPI used to make an inference about an individual; and
  • Service providers are no longer required to explicitly state in contract that they may use personal information to build or improve the quality of their services, or to prevent, investigate or detect security incidents and other malicious activity.

However, several more burdensome requirements have not changed, including:

  • The Global Privacy Control remains mandatory; and
  • There remain strict limitations on processing for "incompatible" purposes.

We describe the changes in more detail below.


Despite support in the public comments for certain changes, some of the more onerous regulatory provisions remain.

Opt-Out Preference Signal Remains Mandatory: Although many hoped that the requirement to honor Global Privacy Control (GPC) signals would be made optional, the modified regulations continue to require businesses to honor GPC signals (i.e., user-enabled online signals about a user's opt-out preferences).

Stringent "Compatible Processing" Limitations Remain: Many had also hoped that modified regulations would ease strict limitations on processing data for unrelated purposes. Although the CPPA did add more "factors" to provide flexibility, the regulations continue to require consent for businesses to process personal information for purposes beyond (i) what a reasonable consumer would expect and (ii) where there is a weak link between the initial purpose and that secondary purpose. For example, a weak link exists between the consumer's reasonable expectations that the personal information will be collected to provide a requested cloud storage service and the use of that same information to research and develop an unrelated facial recognition service.

Contracts Required with all Data Recipients: Although often overlooked, the CPRA amendments to the CCPA would require contracts not only with contractors and service providers but also with "third-party" data recipients. The regulations now both (a) require businesses to execute contracts with third parties to whom data is sold or shared and (b) prohibit third parties from collecting, using or otherwise processing personal information absent such a contract.


Most of the regulation changes will lower compliance burdens on businesses, even if the changes do not go as far as many had hoped. Key examples include:

  • Section 7002 has been substantially modified to provide "factors" that businesses (and the CPPA) will use to determine whether data use by a business was "reasonably expected" by the consumer or, if not, whether a business needs to obtain consent to engage in such secondary data uses.
  • Section 7012 no longer requires businesses to disclose the identity or privacy practices of third parties that directly collect information from consumers via the business's digital or physical properties.
  • Sections 7014 and 7027 confirm that the right to limit SPI uses and disclosures does not apply to sensitive personal information unless the SPI is used to infer characteristics about a consumer.
  • Section 7022 lessens the operational burden for service providers/contractors to provide a "detailed explanation" why deletion requests cannot be flowed down to service providers/contractors (or why the service providers/contractors cannot comply).
  • Section 7023 eliminates the requirement for businesses to flow down contested correction requests.

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From McDermott Will & Emery

Trending in Telehealth: January 9 - 16, 2023

By Amanda Enyeart McDermott Will & Emery January 19 , 2023

Trending in Telehealth is a new weekly series from the McDermott Digital Health team where we track telehealth regulatory and legislative activity.

That Stings: Consent to Jurisdiction Must Be Effective at Filing to Invoke Fed. R. Civ. P. 4(k)(2)

By Joshua Revilla McDermott Will & Emery January 19 , 2023

The US Court of Appeals for the Federal Circuit, on petition for writ of mandamus, vacated the district court’s transfer order and remanded the transfer to be considered under the clarified parameters of Fed. R. Civ. P. 4(k)(2) and 28 U.S.C. § 1404.

Absent Expressed Rationale of Obviousness, Federal Circuit Calls for Do-Over

By Anisa Noorassa McDermott Will & Emery January 19 , 2023

The US Court of Appeals for the Federal Circuit reversed a ruling by the Patent Trial & Appeal Board (Board) where, on appeal, the US Patent & Trademark Office’s (PTO) rationale for sustaining the Board’s obviousness rejection did not reflect “the reasoning or findings the Board actually invoked.”

More From Privacy

5 Trends to Watch: 2023 Venture Capital

By Chinh H. Pham Greenberg Traurig January 20 , 2023

The current macroeconomic environment, coupled with record increases in valuations over the last several years, is creating an increase in down-rounds, re-pricings, and recapitalizations.

5 Trends to Watch: 2023 Hospitality

By Samantha Ahuja Greenberg Traurig January 18 , 2023

For many hotels, the pandemic exacerbated the challenges of finding enough qualified workers to fill jobs.

Cookies and Other Tracking Technologies May Violate HIPAA

By Karin E. Ross Greenberg Traurig January 18 , 2023

In the midst of significant privacy changes in many U.S. states affecting tracking technologies such as cookies, pixels, and adtech, new lawsuits are alleging entities violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) via impermissible disclosure of protected health information due to the use of these technologies.

Featured Stories