Corruption Ledger

The Public Ledger of Corruption

Proposed CPRA regulations finalized; CPPA targets April effective date

Posted on February 6, 2023 / March 22, 2023 by CorruptionLedger

Covered entities under the California Consumer Privacy Act are on the cusp of long-awaited legal certainty regarding updated compliance efforts. The California Privacy Protection Agency Board voted 4-0 at its latest meeting to finalize its first set of proposed California Privacy Rights Act regulations.

The final rulemaking package, which consists of the proposed regulations and a draft final statement of reasons from the CPPA, will soon be sent to the California Office of Administrative Law for review and approval. Barring setbacks during the OAL’s 30-day review window or other unforeseen circumstances, the agency said in its FAQ it expects the final regulations to take effect sometime in April ahead of CPRA enforcement beginning July 1.

The proposed final rules take on a range of regulatory topics the CPPA considered and sought extensive feedback on last year. Topics covered include data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns and consumer request handling.

The rulemaking process on the first set of regulations was initially scheduled for completion July 1, 2022, but the CPPA announced the process would take longer due to limited staffing and resources as the new agency stood itself up.

“We might be perceived as being slow, but I very much doubt there is another agency out there in California that has put together the package we have put forward within the timeliness we have done it,” CPPA Board Member Lydia de la Torre, CIPP/US, said. “That really goes to highlight the professionalism and dedication of everybody on staff that has dedicated time to these.”

Within the proposed final regulations is a discretionary enforcement reprieve. The agency added a rule to allow itself to “consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”

Orrick, Herrington & Sutcliffe Partner Shannon Yavorsky said companies were happy to see the proposed final regulations approaching the finish line despite “hoping for certainty of the final regulations a bit sooner.” Hogan Lovells Senior Associate Julian Flamant, CIPP/E, added the extended rulemaking process has been “frustrating for businesses seeking to comply in good faith” because implementation of most CPRA concepts “have only been made clear in the regulations.” 

In addition to finalizing the initial set of proposed regulations, the CPPA used its latest meeting to initiate pre-rulemaking activities on its next set of CPRA regulations covering cybersecurity audits, risk assessments and automated decision-making.

“The nature of rulemaking is to be responsive to the public and businesses’ needs and our statute explicitly orders us to do that,” CPPA Board Chair Jennifer Urban said. “We will be regularly considering items for potential rulemaking. … It’s important for us to keep that front of mind as we’re meeting.”

The final package

CPPA General Counsel Phillip Laird and Senior Privacy Counsel Lisa Kim, CIPP/US, presented to the board a detailed outline of what comprises the package.

The proposed final regulations received no substantive changes from the modifications discussed and adopted at the CPPA board’s October meetings. Laird said the agency received 50 comments during the final 15-day public comment period, but further changes were viewed as unnecessary or capable of being addressed after rules were finalized.

Kim explained the draft final statement of reasons “explains the purpose or benefit of each regulation, including why the regulation is necessary.” The statement includes two appendices that provide the agency’s responses to all 1,500 pages of public comments and questions made throughout the rulemaking process. 

Meeting expectations

The agency’s tedious development of the first regulations provided privacy professionals with a view into the evolution of some regulations and omissions related to others.

Orrick’s Yavorsky said attempted harmonization between the CCPA and other comprehensive state privacy laws is reflected in the proposed final regulations, which carry a main focus to “clarify the law rather than create new obligations.” There’s also influence from recent CCPA and EU General Data Protection Regulation enforcement baked into the rules.

“Multiple amendments either directly mention — in the case of supporting (Global Privacy Control) for opt-out signal compliance — recent enforcement,” Yavorsky said. “Others indirectly — in the case of specificity of disclosures shaping consumer expectations — allude to recent enforcement decisions.”

Clarifications on proposed rules for the recognition of user consent were not as clear as anticipated, according to Hogan Lovells’ Flamant, who would like to see OAL “heavily” scrutinize the current language regarding a perceived choice between providing opt-out links or recognizing GPC signals.

“The CPPA stated in its initial and final statements of reasons that businesses’ view of having a choice misinterprets the CPRA requirement,” Flamant said. “While the CPRA does authorize the CPPA to establish technical specifications for the opt-out, it does not seem to follow that the regulations could contravene the statute.”

Flamant also alluded to disappointment with certain topics going unaddressed in the proposed final regulations, including employee data and the distinction between service providers and contractors.

Related

https://iapp.org/news/a/proposed-cpra-regulations-finalized-cppa-targets-april-effective-date
