Last week, the California Privacy Protection Agency (CPPA) released updated California Privacy Rights Act (CPRA) draft regulations and a summary of the changes. The regulations remain in the proposal stage, and it is unclear when to expect finalized rules, although it is likely that this version will include near-final requirements and prohibitions.

While most of the changes from the previous incarnation are technical, the modified proposal also softens one of the more revolutionary requirements: universal opt-out signals. Previously, the regulations required all CPRA-subject businesses to treat browser-based opt-out settings as the consumer’s signaled consent. They also required companies to add a dynamic icon to their website to indicate whether they had responded to the signal. Under the modified rules, businesses will only need to respond to browser opt-out signals if they sell or share personal information, and they have the option to display the status icon but are no longer required to do so. Instead, companies can offer consumers choices about the cookies and other tracking technology used on their website, which offers greater transparency for the consumer.

The modified rules also throw businesses a bone on a few other issues. For example, the CPPA removed some statutory privacy and security requirements for business service providers because the CPRA already requires certain provisions in service contracts. The CPPA reworked other rules to “simplify implementation at this time,” so companies would still be wise to prepare for eventual compliance, but without the rush of meeting the end-of-year deadline. Some of these delayed requirements include disclosing the identities of third-party data processors and controllers in online privacy policies, as well as technical requirements for implementing the “Right to Limit” and financial incentive programs.

The updated rules clarify that enforcement actions against companies that employ “dark patterns,” or interfaces that steer consumers toward opting in (or not opting out), do not require showing the business’s intent. Intent is still a “factor to be considered” at the CPPA’s discretion, but offenses in this area impose strict liability on the companies using these technologies. The Board of the CPPA will meet in public sessions on October 28 and 29. See the modified rules and explanations.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.