7 Things You Need to Know About the Final CCPA Regulations

5 minute read | April 17, 2023

Almost 9 months after the California Privacy Protection Agency (CPPA) began the formal rulemaking process, the initial set of regulations under the California Privacy Rights Act (CPRA) finally became effective on March 29, 2023. As expected, the final regulations (“Final Regulations”) clarify and expand on existing regulations under the California Consumer Privacy Act (CCPA) that were previously in force. In advance of the July 1 CPRA enforcement date, businesses should evaluate whether and to what extent the Final Regulations will impact their existing privacy program, processes and practices.

Here are seven key ways in which the Final Regulations may impact your business:

  1. Contracting requirements. The Final Regulations set out minimum terms that must be included in contracts with all entities to which a business discloses personal information, including service providers, third parties and a new category of entities called contractors. Article 4 highlights these specific requirements as well as the duties of a third party that receives personal information from a business subject to the law. Businesses should consider revisiting their existing data processing agreements and updating their templates to ensure they comply with applicable requirements.

  2. Targeted advertising. The Final Regulations clarify that companies that provide cross-context behavioral advertising are “third parties” under the CPRA and not service providers or contractors. The clarification effectively obligates businesses to provide consumers with the ability to opt out of the disclosure of their personal information for cross-context behavioral advertising purposes when exercising their right to opt out of “sales” or “sharing” of personal information. Businesses that conduct cross-context behavioral advertising should consider adjusting their privacy notices and consumer rights processes going forward to the extent they have not already done so.

  3. New notice requirements. The Final Regulations modify the various notice requirements under the CCPA to align them with the CPRA. For example, the Final Regulations set out formatting and presentation requirements, clarifying that disclosures must be easy to read and understandable and must conform to applicable industry standards for persons with disabilities. According to the Final Regulations, conspicuous links on websites should appear in a manner similar to other similarly posted links, and, for mobile applications, conspicuous links should be accessible in the business’s privacy policy.

  4. Dark patterns. The Final Regulations provide additional clarity regarding what types of “dark patterns” may invalidate a business’s efforts to obtain consent from its users. Under the Final Regulations, any practice that does not comply with specific guidelines for how a business must present consumers with the ability to exercise their rights and obtain valid consent may constitute a “dark pattern.” In addition, a user interface that has the “effect of substantially subverting or impairing user autonomy, decisionmaking, or choice, regardless of a business’s intent,” may be considered a dark pattern.

  5. Requests to correct. In addition to the individual rights to access, limit and delete personal information, the Final Regulations expand upon the CCPA’s rights requirements and require businesses to provide consumers with the ability to correct their information maintained by the business. Article 3 discusses these specific requirements, including exceptions for requests for which the response would be impossible or would involve disproportionate effort for the business. The Article also explains how certain concerns over the accuracy of personal information should be resolved.

  6. Opt-out preference signals. The Final Regulations provide further clarity about what businesses must do when they receive automated opt-out preference signals from consumers. Under the CPRA, businesses are expected to treat opt-out preference signals as valid requests to opt out of the sale or sharing of the consumer’s personal information. The Final Regulations indicate that a business shall process any opt-out preference signal as a valid request to opt out of sale/sharing if (1) the signal is in a format commonly used and recognized by businesses (such as an HTTP header field); and (2) the platform, technology or mechanism that sends the opt-out signal makes clear to the consumer that the use of the signal is meant to have the opt-out effect (regardless of whether the signal is tailored only to California residents).

  7. Enforcement. The Final Regulations include a new section on enforcement actions by the CPPA. Specifically, this section includes information on how a person can make a sworn complaint to the agency, as well as how the agency can conduct probable cause hearings and audits and enter into stipulated orders.

While California’s approach to enforcing the Final Regulations is yet to be seen, what we do know is that enforcement, including budget allocation and increased hiring of enforcement personnel, is a top priority based on the most recent CPPA Board minutes. In addition, another rulemaking is forthcoming relating to automated decision-making, cybersecurity audits and risk assessments.

If you need help with assessing the Final Regulations or your CPRA-compliance roadmap, see our CPRA FAQ Guide or contact a member of Orrick’s Cyber, Privacy and Data Innovation Group. To receive updates on the CPRA, and other global privacy and cybersecurity developments, sign up here.