The Agency unanimously approved submission of the current set of proposed regulations (available here), which provide clarity on opt-out preference signals, the right to limit the use of sensitive personal information, and new contractual provisions that businesses must include in contracts with service providers that process personal information of California consumers. As planned, the Agency submitted the proposed rules to the California Office of Administrative Law on February 14. The OAL has 30 business days to review and consider approval of the proposed regulations.

In its February 3 meeting, the Agency also unanimously voted to open a public comment period on proposed rulemaking in other areas, including cybersecurity audits, risk assessments, and automated decision-making. The Agency’s invitation for public input (available here) lists key questions for which the Agency is seeking information. Interested parties have until March 27 to submit comments. 

The CPRA’s amendments to the CCPA took effect January 1. While the Agency’s rulemaking process continues to unfold, businesses should not wait for final regulations to begin compliance efforts. This was reinforced by a press release issued on January 27 by the California Attorney General. The press release announced an “investigative sweep” of popular apps in the retail, travel, and food service industries that allegedly fail to comply with consumer opt-out requests or offer mechanisms for consumers to opt out of the sale of their data.  

The Constangy Cybersecurity & Data Privacy team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving regulatory requirements. If you would like additional information on how to prepare your organization, contact us directly at breachresponse@constangy.com.