February 10, 2023

California Privacy Protection Agency Approves CCPA Regulations

On February 3, 2023, after two comment periods and much anticipation, the California Privacy Protection Agency (CPPA) voted to adopt and approve its draft California Consumer Privacy Act (CCPA) regulations. The final rulemaking package will now be submitted to the California Office of Administrative Law (OAL) for review before the regulations take effect. The OAL has 30 working days from the date of submission to review the rulemaking package, which includes the final text of the CCPA regulations and a Final Statement of Reasons (FSOR) containing a summary of and response to each public comment from the comment periods. OAL review is an administrative step; it is possible that an entity will file a legal challenge to the CPPA's regulations in the California courts. In the interim, however, businesses should be prepared to comply with the final text of the regulations as adopted by the CPPA.


The final text of the regulations mirrors the version released on November 3, 2022, retaining several key provisions that will require more intricate compliance efforts. This includes:

  • Opt-Out Preference Signals: Businesses that sell or share personal information must configure their websites to detect user-enabled "opt-out preference signals" and treat such signals as a valid request from the consumer to opt out of the sale and sharing of their personal information.
  • New Contracting Provisions: Businesses must include specific provisions in their contracts with service providers, contractors and third parties, including third parties to whom data is sold or shared.
  • Purpose Limitation: Businesses must process personal information in a way that is necessary and proportionate to achieve the disclosed purposes for which it was collected. These disclosed purposes must be compatible with the context in which the personal information was collected and consistent with the consumer's reasonable expectations.
  • Right to Limit: Businesses only need to offer consumers the Right to Limit Use of Sensitive Personal Information if they are using sensitive personal information outside of the permitted purposes under the regulations, such as if they are using sensitive personal information to infer characteristics about a consumer.

The CPPA's vote dovetails with the California Attorney General's January 27, 2023, announcement of an investigative sweep of businesses, with a particular focus on mobile applications that allegedly fail to comply with the opt-out requirements of the CCPA. Under the final text of the regulations adopted by the CPPA, businesses no longer need to post a "Do Not Sell or Share" link within their mobile applications, although the general requirement to provide two methods for opting out of the sale or sharing of personal information remains in place. The final text of the regulations also requires mobile applications to provide a conspicuous link to the privacy policy through the application platform or download page, or within the application, such as in a settings menu. While these changed requirements will take effect after the Attorney General's sweep, businesses should consider any lessons that come out of future enforcement actions related to mobile applications.

The CPPA also voted to open a preliminary comment period on proposed rulemaking under other areas of the CCPA for which many have been awaiting further clarity. In particular, the agency's next proposed rulemaking will focus on:

  • Issuing regulations governing opt-out and access rights related to businesses' use of automated decision-making technology. Such access rights will include a requirement to provide meaningful information about the logic involved in a business's automated decision-making processes and a description of the likely outcome of the process.
  • Issuing regulations for businesses engaged in processing of personal information that presents a "significant risk" to consumers' privacy or security to:
    • Perform annual cybersecurity audits, including a definition of the scope of the audit and a process to ensure that such audits are thorough and independent.
    • Submit a risk assessment. "Regularly" submit to the agency a risk assessment identifying and weighing the risks and benefits of such processing.

The agency's invitation for comments asks for consideration of existing state, federal and international laws that already require such opt-out rights, cybersecurity audits and risk assessments. The CPPA specifically identifies the requirement to conduct data protection impact assessments under the General Data Protection Regulation (GDPR) and the regulations of the Colorado Privacy Act. In determining how to define the types of processing that present a "significant risk" to consumers, the CPPA asks whether the European Data Protection Board's Guidelines on Data Protection Impact Assessments might provide a useful foundation.

While we await the framework that the CPPA ultimately adopts, these references to other jurisdictions' requirements highlight that the CPPA recognizes the increasing complexity of the privacy landscape and the importance of enabling businesses to comply with their existing and overlapping obligations in an efficient way.
