On Monday, October 17, 2022, the California Privacy Protection Agency Board issued revised regulations to the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020). The revised regulations propose dozens of changes that were intended to address business concerns that some of the requirements were confusing and costly to implement.

While the proposed regulations are still in draft form and are likely to go through additional changes (the proposal itself identifies additional areas for the CPPA Board to consider), there are a few clear takeaways from the most recent draft:

  • Notice at Collection. Businesses will need to review and update notices at collection; a simple statement that personal information is being collected in accordance with a privacy policy will not be adequate. In particular, the proposed regulations emphasize that references to the collection and use of information in a notice at collection must be specific; the link should direct the reader to the specific provision, not just to the first page of the privacy policy.
  • Contract Requirements for Service Providers and Contractors. The proposed regulations carry over and emphasize the contractual requirements for Service Providers and Contractors. Incorporating these provisions into vendor agreements, whether directly into an agreement or through an addendum, is essential, as is implementing the guardrails described in the regulations. The recent settlement between Sephora and the California Attorney General is a direct result of the failure to address this issue.
  • Limits on Selling and Sharing Personal Information. Covered businesses will need to look carefully at how their vendor relationships could be construed as selling or sharing personal information and be ready to include a "Do Not Sell/Share" link, not just where data is collected, but also on the home page of the business' website.
  • B2B and Employee Data. Most companies should, by now, be aware that personal information gathered from business contacts and employees will be subject to the CCPA beginning January 1, 2023. For companies that have not had to comply with these requirements before, this will impose a significant burden to implement effective procedures and policies addressing these needs.
  • Regulators (and others) are Looking. Finally, companies should be aware that the CPPA and the California Attorney General (along with plaintiffs' counsel and even some consumers) are watching. Businesses that don't make a good faith effort to comply can expect to be called out, and often in public and expensive ways.
