45-day comment period has begun for proposed CCPA regulations!

California voters passed the Consumer Privacy Rights Act (“CPRA”), which amended the California Consumer Privacy Act of 2018 (“CCPA”) and created the California Privacy Protection Agency (“Agency”). The Agency enforces the CCPA and adopts regulations to further the purpose of the Act. As part of the process to adopt new regulations, the proposed regulations are made available to the public in order to allow a 45-day comment period.

On July 8, 2022, the Agency posted the proposed regulations, which triggered the public comment period. While the regulations are not yet adopted, persons affected may want to review the regulations and provide comments to the Agency.

According to the Agency, the proposed regulations were amended with three goals in mind: (1) update existing CCPA regulations to harmonize with CPRA amendments; (2) operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and (3) reorganize and consolidate requirements by law and make the regulations easy to understand.

Some of the proposed regulations are minor, while some create or expand obligations for businesses. Some of the most noteworthy changes are summarized below:

Data collection notice

The CCPA already requires businesses to provide disclosure notices at the point of collection. The proposed regulations add an obligation for a business to disclose and obtain consent when it collects, uses, retains, or shares personal information for purposes that are not consistent with a consumer’s reasonable expectations. The CCPA already mandates that businesses cannot collect data for purposes that have not been disclosed, but the “reasonable expectation” standard may introduce an additional disclosure. The regulations provide examples of a reasonable expectation: it is reasonable to expect an online retailer to share customers’ name, address and phone number with another company for shipping purposes, while it is unreasonable to expect the shipping company to use the provided information to market its products.

Obtaining consumer consent

The proposed regulations specify how businesses are able to obtain consent. The following is proposed: the choices to opt-in/opt-out must be the same; there is no confusing or manipulative language; and the method doesn’t constitute a “dark pattern” (i.e., one that has the effect of substantially subverting or impairing user autonomy, decision-making, or choice, regardless of a business’s intent).

Businesses are also required to update their privacy program to comply with universal opt-out of sale/sharing preference signals. Additionally, if a business processes the opt-out signals in a frictionless manner (in accordance with other CCPA provisions and regulations), it can be exempt from the requirement to display a “Do not Sell or Share My Personal Information” link on its homepage.

Processing consumer requests

The proposed regulations impose obligations in responding to consumer requests. To begin, once a request is received, the business must forward the request to any third party to whom the business has sold or with whom it has shared private information, unless doing so is “impossible or would involve disproportionate effort.” Service providers and contractors are also obligated to honor requests to delete and continue passing down the request to any service provider, contractor or third party that received the information from them as well.

Responding to Requests

The proposed regulations also provide guidance on responding to requests to correct inaccurate information, which is a new consumer right provided by the CPRA. Businesses are given the right to deny requests if they determine the information is more likely accurate than not based on the “totality of circumstances”. If a business determines that it will deny a request to correct, the business must (1) explain its rationale to the consumer; and (2) inform the consumer that the business can, upon request, make an internal note that the information is contested and also share this with whoever received the contested information. If the information is corrected, the business must also instruct its service providers and contractors to make the necessary corrections.

The scope of responsive material will now go beyond the 12-month period prescribed by the CCPA. While the CCPA made it permissible for consumers to request information obtained beyond the 12-month period, the new regulation will now require businesses to provide all personal information collected/maintained about the consumer on or after January 1, 2022.

Obligations regarding service providers and contractors vs. third parties

The proposed regulations also offer insight on how general third parties are treated. The CCPA treats third parties differently depending on their classification. The regulations provide more obligations under the CCPA. To begin, although non-profits are exempt from the CCPA, service providers and contractors are subject to the CCPA. Further, the CCPA makes affirmative obligations for service providers and contractors. In addition to the requirements to respond to consumer requests, contractors and service providers cannot provide cross-context behavioral ads or they will be treated as third parties. Lastly, the proposed regulations give more details on what should be included in the contract between businesses and service providers/contractors.

Oversight of compliance with CCPA

The proposed regulations give the Agency more authority to enforce the CCPA. The Agency will have authority to initiate investigations without any complaint or referrals from government agencies or private organizations. The Agency can also conduct an audit, either announced or unannounced, to investigate possible CCPA violations.

Anyone interested in making written comments regarding the proposed regulations must do so by August 23, 2022 at 5:00 pm. Comments can be made via email, to with subject line “CPPA Public Comment”, or mail to the following address: California Privacy Protection Agency, Attn: Brian Soublet, 2101 Arena Blvd., Sacramento, CA 95834, (279) 895-6083

Please note that the proposed regulations discussed in this article have not been adopted and simply provide insight into the direction the Agency is going regarding enforcing the CCPA. If your business falls within the definition of a covered business under the CCPA, you should contact a qualified attorney or privacy professional to develop a compliance plan.