The California Privacy Protection Agency (CPPA) recently met to discuss automated decision-making technology, privacy risk assessments and cybersecurity audits under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). However, the CPPA also decided to step outside the anticipated agenda and discuss additional revisions to the existing regulations. Once again. changes are on the horizon. What kind of changes? Here are the key things that would change under the CCPA for your organization’s online privacy policy:

  • “Meaningful Understanding” of Sources and Sales/Sharing with Third Parties: the draft revisions would add a requirement for privacy policies to provide “meaningful understanding” of the sources that the business uses to collect personal information and the categories of third parties to which the business shares or sells personal information.
  • Clarifying Disclosures to Service Providers and Contractors: the draft revisions would remove an ambiguity related to the definition of a “third party” and require businesses to explicitly identify the categories of personal information disclosed to a service provider or contractor in the last 12 months.
  • Privacy Policy Links for Mobile Applications: the draft revisions would require mobile apps to include a link to their privacy policies in the settings menu of the app. This link would be in addition to the link on the website homepage and the app store download page.

After the CPPA finalizes the draft revisions, the proposed rule changes will be published for a 45-day public comment period. However, the CPPA did not provide an anticipated start date for that comment period yet.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.