This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Insights Insights
| 1 minute read

First CPRA Regulations Near Final

The new California privacy regulator (CPPA) has completed the first set of implementing rules to help businesses comply with the CPRA. The rules were due last summer, but delayed due to staffing shortages and other start-up issues with the new agency. The rules are expected to take effect in April, per the agency, which will begin enforcement of them in July. More rules will be issued later on additional topics; this is only the first set of regulations the agency will issue.  

Why It Matters

The regulations offer detailed updates to many elements of the CCPA/CPRA, including where to place links to privacy policies and what to call them, how not to word choices for opt-out links, linking to specific privacy disclosures in certain instances (rather than linking to a privacy policy generally and expecting consumers to scroll through it), and other technical matters. Some of these technical requirements updates may be frustrating for businesses that have, overall, complied with the CCPA but now must ensure that their websites and the download or landing pages of their mobile apps must contain certain specific language or links. Furthermore, businesses may now have to evaluate the wording choice they use for opt-out and similar consumer choice mechanisms, to avoid being charged with "dark patterns" that make it difficult for a consumer to exercise or understand the choices offered. 

We strongly recommend a review of website and app placement and wording of privacy links and of the specific disclosures in your privacy policy before the regulations take effect and the CPPA begins enforcement.  

The proposed final rules take on a range of regulatory topics the CPPA considered and sought extensive feedback on last year. Topics covered include data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns and consumer request handling.


data security and privacy, hill_mitzi