CPPA Advances New Privacy Rules for Businesses
The California Privacy Protection Agency (CPPA), at its board meeting on November 8, 2024, voted 4–1 to advance proposed regulations to a formal rulemaking. As currently drafted, these regulations would, among other things:
- Expand prohibitions on dark patterns, effectively turning the CPPA’s recent enforcement advisory into binding regulations;
- Expand the definition of “sensitive personal information” to include the personal information of minors younger than 16 years old, giving these individuals the right to direct a business to use their information only to provide a reasonably expected good or service and for the limited purposes prescribed by the California Consumer Privacy Act (CCPA);
- Require additional detail in privacy policies about when personal information is collected and the categories of third parties to which information is sold or with which information is shared;
- Require businesses to take steps to prevent the re-collection of a consumer’s information after processing that consumer’s deletion request;
- Require businesses to display a signal to consumers indicating whether their opt-out of the sale or sharing of information has been validly processed;
- Require businesses denying consumer rights requests to inform consumers of their ability to file a complaint with the attorney general or agency;
- Clarify that insurance companies must comply with the CCPA except when engaged in “insurance transactions” as defined in the California Insurance Code; and
- Provide guidance regarding operationalizing newly required risk assessments, cybersecurity audits, and consumers’ rights relating to businesses’ use of “automated decision-making technology” (ADMT).
The board requested that the usual 45-day comment period be extended due to the holidays. Comments will be due in early 2025, with the specific date to be determined. After the comment period closes, the CPPA may issue a revised proposal, followed by a 15-day comment period, or may adopt the proposal as currently drafted. The regulations would become effective immediately upon adoption.