On Monday, October 17, 2022, the California Privacy Protection Agency Board issued revised regulations to the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020). The revised regulations propose dozens of changes that were intended to address business concerns that some of the requirements were confusing and costly to implement.
While the proposed regulations are still in draft form and are likely to go through additional changes (the proposal itself identifies additional areas for the CPPA Board to consider), there are a few clear takeaways from the most recent draft:
- Contract Requirements for Service Providers and Contractors. The proposed regulations carry over and emphasize the contractual requirements for Service Providers and Contractors. Incorporating these provisions into vendor agreements, whether directly in the agreement or through an addendum, is essential, as is implementing the guardrails described in the regulations. The recent settlement between Sephora and the California Attorney General is a direct result of a failure to address this issue.
- Limits on Selling and Sharing Personal Information. Covered businesses will need to look carefully at how their vendor relationships could be construed as selling or sharing personal information and be ready to include a “Do Not Sell/Share” link, not just where data is collected, but also on the home page of the business’ website.
- B2B and Employee Data. Most companies should, by now, be aware that personal information gathered from business contacts and employees will be subject to the CCPA beginning January 1, 2023. For companies that have not had to comply with these requirements before, implementing effective procedures and policies to address them will impose a significant burden.
- Regulators (and others) are Looking. Finally, companies should be aware that the CPPA and the California Attorney General (along with plaintiffs’ counsel and even some consumers) are watching. Businesses that don’t make a good faith effort to comply can expect to be called out, and often in public and expensive ways.