California Jumps Into Privacy Rulemaking (Again)
The California Privacy Protection Agency (CPPA) is starting formal rulemaking (again) as it moves beyond the pre-rulemaking drafts that were debated for a little over a year. During its November 8, 2024, board meeting, the CPPA voted to officially start the clock on (1) revising existing rules and (2) adding new rules on risk assessments, cybersecurity audits, and automated decision-making. We are awaiting the official text, but it appears the agency is moving ahead with its recent draft and the associated initial statement of reasons explaining the changes.
Although most of the attention has been on the new topics (which we covered in a prior alert), the revisions to the existing regulations are notable and (arguably) under-covered given the newsworthiness of the other topics. To put the significance of these regulations in context: the CPPA estimates the updates will cost businesses $369 million in new compliance costs during the first year. So this alert focuses only on where the CPPA proposes changes to the existing rules and leaves the other topics for another day. We dive into the proposed changes, identify what companies will need to do to comply once these rules are finalized, and explain what comes next.
What is the CPPA proposing?
The proposed revisions to existing regulations cover a lot. Notable changes (1) clarify sections that confounded practitioners; (2) harmonize requirements with other jurisdictions; and (3) mandate visual indicators for when a business is honoring requests around sales, sharing, and sensitive data. One of the largest themes, however, is transforming optional/recommended practices into mandatory actions—the CPPA spilled a lot of red ink crossing out “should” and writing “must.”
Application
The CPPA cracked open the door to regulating nonprofits, and companies should assess whether they are still subject to the CCPA in light of the updated monetary threshold (coming in January).
- Assess application to nonprofits. Consider what makes a nonprofit outside the CCPA’s bounds. While the original regulations said nonprofits are not businesses, the proposed update removes the sweeping statement to clarify that “many” nonprofits are not businesses.
- Review business revenue. Check out the inflation-adjusted revenue threshold that the CPPA posts on its website in early January to determine whether the CCPA still applies. [The CPPA removed that figure from its current draft because the legislature just clarified that the process does not require rulemaking—the agency can just post the details online.]
Consent and Dark Patterns
The CPPA provided more clarity on what is needed for valid consent (including building out more examples of dark patterns) and imposed obligations on businesses to actually test their processes.
- Allow consumers to withdraw consent. Ensure consumers can withdraw their consent at any time, except in very limited situations (e.g., consent for selling a yearbook containing personal information).
- Reassess consent mechanisms. Review requests for consent to ensure the presentation does not constitute a dark pattern based on the new examples (such as “yes” or “opt-in” buttons that are larger or in a more eye-catching color than the alternative).
- Avoid double negatives. Eliminate double negatives in consent requests. This was previously just something businesses “should” not do.
- Test consent process. Evaluate whether methods for consenting or withdrawing consent are functional and do not undermine a consumer’s choice. Testing was previously just a recommendation.
Privacy Policy
Businesses will need to tweak their privacy policies to address disclosures to contractors and service providers while assessing whether other changes are needed based on a few smaller revisions to the privacy policy requirements.
- Revisit vendor and third-party disclosures. Specify the categories of personal information disclosed for a business purpose to contractors and service providers as well as the purpose for such disclosures. This replaces the obligation to explain disclosures made to third parties for a business purpose. The original confounded counsel and businesses alike: How could a third party receive data for a business purpose? The CPPA answered: They can’t. The initial statement of reasons explains that third parties only get personal information via sales and sharing.
- Provide useful details. Describe the sources of personal information and third-party recipients in a manner that gives consumers a “meaningful understanding” of where their data is collected, who is buying it, and who it is shared with.
- Add policy to mobile applications. Link to the privacy policy somewhere in a mobile application. This was previously optional, although companies were required to provide a link on the platform or download page.
- Update non-discrimination language. Change the provision prohibiting “discriminatory treatment” against a consumer for exercising their rights to prohibiting “retaliation” for exercising such rights.
Sensitive Personal Information
The CPPA expanded the definition of sensitive personal information to cover minors’ data while boosting consumers’ ability to understand and control the uses of such information.
- Check for minors’ data. Evaluate whether the business collects personal information on individuals under 16 years old because such data may be sensitive data. It is only sensitive if the business had “actual knowledge” of, or “willfully disregarded,” the person’s age.
- Create opt-in validation process. Adopt a two-step process (request + confirmation) for consumers to opt into the use of their sensitive personal information after they previously requested to limit such use.
- Add means to confirm request. Create a method, such as a toggle switch, for the consumer to validate that the business processed a request to limit the use of their sensitive personal information. This was previously optional.
- Provide contextual notice. Ensure that the notice of the right to limit the use of sensitive personal information is displayed in the same manner that the business collects such information.
Consumer Rights
Businesses will need to reassess how they respond to consumer requests, develop processes to ensure they do not undermine previously fulfilled requests, and ensure their data inventory tracks where data came from.
- Update presentation of right to know. Publicize that consumers have the ability to request information collected more than 12 months ago, if such data is kept. Although consumers have always had the right to obtain such information, businesses did not have to disclose the option.
- Avoid undoing honored requests. Ensure that personal information remains deleted and corrected information is not overwritten with inaccurate details following a consumer’s request. For example, businesses ingesting data from data brokers should consider how to prevent adding back personal information that was deleted per a consumer’s request.
- Explain right to complain. Update denial templates to (1) inform the consumer that they can file a complaint with the CPPA or the attorney general and (2) include a link to their respective complaint forms.
- Address disputed records. Revise the denial template for correction requests to specify that the consumer can require that the business note internally, and inform any recipients (even service providers), that the consumer contests the information’s accuracy.
- Log data sources. Track sources of personal information because, after receiving a correction request concerning personal information not collected from the consumer, the business must tell the consumer where the data came from or inform the source that the data must be corrected. [Query: Does the business receiving such notice then have to update their records? Unclear.]
- Create process for validating accuracy. Add a process for a consumer to validate the accuracy of personal information that the business cannot disclose in response to a request to know (e.g., Social Security numbers, driver’s licenses, and financial accounts).
- Revisit agent validation. Ensure that consumers who rely on an agent to submit a request are not asked to personally resubmit the request. [Businesses can still ask the consumer to either verify their identity or confirm they authorized the agent to act.]
- Update consumer-verification process. Establish a process for verifying a consumer using information that is not subject to a correction request.
- Explain reimbursement process. If the business requires a notarized request, inform the consumer, before they submit it, how the business reimburses the notarization cost.
Opt-Out Signals
Legal teams will need to coordinate with web developers to ensure that websites provide a visible signal that a consumer’s opt-out signal is being honored.
- Display opt-out status. Provide a visual indicator showing whether the business is honoring the consumer’s opt-out signal directing the business not to sell or share the consumer’s personal information. This was previously optional. Unlike the confirmation of processing for the right to limit, the CPPA suggests the opt-out display requires both a text banner and a toggle switch.
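Because this item lands on web developers, here is an added example (not from the alert, and not any agency guidance) of the browser-side logic behind a banner-plus-toggle indicator. It assumes the opt-out signal is Global Privacy Control, which browsers expose as `navigator.globalPrivacyControl` and send as the `Sec-GPC: 1` request header; the banner wording, the storage of the consumer’s own choice, and the way a signal is reconciled with a stored choice are simplifications of this example, not the regulation’s text.

```javascript
// Added example: derive the opt-out status to display from the browser
// opt-out preference signal and the consumer's stored choice, then render
// both a text banner and a toggle. Wording and storage model are constructed.

// Read the signal either from a browser `navigator` object or from request
// headers on the server side. Both forms are Global Privacy Control (GPC).
function readGpcSignal(nav, headers) {
  if (nav && nav.globalPrivacyControl === true) return true;
  if (headers) {
    for (const [name, value] of Object.entries(headers)) {
      if (name.toLowerCase() === "sec-gpc" && String(value).trim() === "1") return true;
    }
  }
  return false;
}

// storedChoice is the consumer's own prior choice on this site:
// "opt-out", "opt-in", or null when nothing has been recorded.
// Simplification: an active signal is always treated as an opt-out.
function resolveOptOutStatus({ gpcSignal, storedChoice }) {
  if (gpcSignal) return { optedOut: true, source: "signal" };
  if (storedChoice === "opt-out") return { optedOut: true, source: "consumer" };
  return { optedOut: false, source: storedChoice === "opt-in" ? "consumer" : "none" };
}

// The model the page renders: banner text plus toggle state. Keeping this
// pure makes the indicator testable without a DOM.
function optOutIndicator(status) {
  const bannerText = status.optedOut
    ? (status.source === "signal"
        ? "We are honoring your browser's opt-out preference signal: we will not sell or share your personal information."
        : "Your request to opt out of the sale or sharing of your personal information is being honored.")
    : "You have not opted out of the sale or sharing of your personal information.";
  return {
    bannerText,
    toggleLabel: "Do Not Sell or Share My Personal Information",
    toggleChecked: status.optedOut,
  };
}

// DOM rendering; `doc` is passed in so the function is inert outside a browser.
// onToggle(optedOut) is the site's handler that records the consumer's choice.
function renderOptOutIndicator(doc, indicator, onToggle) {
  if (!doc) return null;
  const banner = doc.createElement("div");
  banner.setAttribute("role", "status");
  banner.textContent = indicator.bannerText;

  const label = doc.createElement("label");
  const toggle = doc.createElement("input");
  toggle.type = "checkbox";
  toggle.checked = indicator.toggleChecked;
  toggle.addEventListener("change", () => onToggle(toggle.checked));
  label.appendChild(toggle);
  label.appendChild(doc.createTextNode(" " + indicator.toggleLabel));

  banner.appendChild(label);
  doc.body.appendChild(banner);
  return banner;
}

// Stand-alone run in a browser; in Node (no `document`) this is skipped.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  const status = resolveOptOutStatus({
    gpcSignal: readGpcSignal(navigator, null),
    storedChoice: localStorage.getItem("example-opt-out-choice"),
  });
  renderOptOutIndicator(document, optOutIndicator(status), (optedOut) => {
    localStorage.setItem("example-opt-out-choice", optedOut ? "opt-out" : "opt-in");
  });
}
```

The indicator must reflect what the back end is actually doing, so the same `resolveOptOutStatus` decision should gate the sale/sharing code paths (tag loading, data exports) rather than living only in the banner; a toggle that says “honored” while a server-side feed still sells the data is the failure mode the testing obligations in this draft are aimed at.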
Contractors and Service Providers
Companies serving as contractors or service providers should reassess whether their use of data is consistent with data minimization principles.
- Practice data minimization. Ensure a contractor or service provider only uses, retains, or discloses personal information as reasonably necessary and proportionate for permitted purposes.
What comes next?
Formal rulemaking. What does that entail? Well, the California Office of Administrative Law (OAL) wrote a great primer on the process. But the gist of it is: public comments, agency review, and publication. Let’s dig into each step.
With the CPPA’s recent vote, rulemaking will officially begin in a matter of days—just as soon as the agency posts a notice in the California Regulatory Notice Register. That will start a 45-day period (at least) for public comments, after which the CPPA will review and address any comments. If the CPPA decides to make significant changes in response to comments, the agency must provide another period for public comments—either 15 or 45 days (depending on how significant the changes are). Once the CPPA has a final draft, they will submit the rules for approval to the OAL, which will then provide them to the secretary of state for publication.
The revised rules will take effect either upon publication (if the CPPA requests an expedited process and the OAL grants the request) or on one of four quarterly dates depending on when the rules are filed with the secretary of state.