The CPPA Speaks Again – Five Takeaways

On Monday, October 17, 2022, the California Privacy Protection Agency Board issued revised regulations to the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020). The revised regulations propose dozens of changes that were intended to address business concerns that some of the requirements were confusing and costly to implement.

While the proposed regulations are still in draft form and are likely to go through additional changes – the proposal itself identifies additional areas for the CPPA Board to consider, there are a few clear takeaways from the most recent draft:

  • Notice at Collection. Businesses will need to review and update notices at collection; a simple statement that personal information is being collected in accordance with a privacy policy will not be adequate. In particular, the proposed regulations emphasize that references to the collection and use of information in a notice at collection must be specific; the link should direct the reader to the specific provision, not just to the first page of the privacy policy.
  • Contract Requirements for Service Providers and Contractors. The proposed regulations carry over and emphasize the contractual requirements for Service Providers and Contractors. The importance of incorporating these provisions into vendor agreements, whether directly into an agreement or through an addendum is essential, as is implementing the guardrails described in the regulations. The recent settlement between Sephora and the California Attorney General is a direct result of the failure to address this issue.
  • Limits on Selling and Sharing Personal Information. Covered businesses will need to look carefully at how their vendor relationships could be construed as selling or sharing personal information and be ready to include a “Do Not Sell/Share” link, not just where data is collected, but also on the home page of the business’ website.
  • B2B and Employee Data. Most companies should, by now, be aware that personal information gathered from business contacts and employees will be subject to the CCPA beginning January 1, 2023. For companies that have not had to comply with these requirements before, this will impose a significant burden to implement effective procedures and policies addressing these needs.
  • Regulators (and others) are Looking. Finally, companies should be aware that the CPPA and the California Attorney General (along with plaintiffs’ counsel and even some consumers) are watching. Businesses that don’t make a good faith effort to comply can expect to be called out, and often in public and expensive ways.


Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.