In an unexpected move, the California Privacy Protection Agency (the “Agency”) issued draft regulations (“Regs”) mandated by the California Privacy Rights Act (“CPRA”), on Friday May 27 (a day before the Memorial Day weekend, and a day after a public stakeholder meeting in which it gave no indication that the Regs would be issued the next day). The Agency has placed consideration of the draft Regs on its Board’s June 8 meeting agenda. If approved, they will then be subject to public comments, which must be considered before the Regs can be finalized.

The Regs contain detailed guidance regarding many highly-anticipated topics, such as:

  • Global Privacy Control requirements—or the “Opt-Out Preference Signal” (“OOPS”) under the Regs—but unfortunately no technical specifications with respect to implementation of the OOPS. The Agency interprets the CPRA to make the opt-out link optional if OOPS are “frictionlessly” implemented, but not to make honoring OOPS optional if an opt-out link is provided.
  • General principles regarding the handling of consumer requests.
  • Detailed requirements regarding implementation of the rights to access, delete, correct, limit (the use of my sensitive information), and do not sell / do not share.
  • Notices to consumers, including special notice requirements for job applicants, employees and contractors.
  • Financial incentive notice requirements are relaxed.
  • Service provider, contractor, and third party agreements and obligations.
  • Complaint and enforcement procedures.

While the Regs leave various hot-button issues for a later draft (like automated decision-making, profiling, cybersecurity audits, and risk assessments), they certainly provide detailed guidance on the issues addressed. Even so, implementation will present many challenges for businesses, service providers, contractors, and even third-parties. As a result, we can expect spirited debate and comment from industry and consumer protection groups alike before the draft Regs are finalized.

Click here to read an overview of some of the most notable features of the draft Regs.


The California Privacy Protection Agency (“CPPA”) will host its next public meeting on Thursday, May 26, 2022 at 11AM PT. Members of the public may attend in person or virtually by following these instructions. CPPA Director Ashkan Soltani will provide an update on the CPPA’s hiring, budget, and rulemaking activities.  Importantly, subcommittees will provide more information on the course of action for the upcoming rulemaking process as well as information regarding the anticipated rulemaking draft.

In February, the CPPA expressed its strategy to host informational preliminary hearings in order to ensure that the rules they adopt adequately address the most prevalent issues in consumer privacy, and anticipated that the rulemaking process, including formal period public hearings, would commence in the third quarter and continue into the fourth quarter of 2022. Earlier this month, the CPPA held a pre-rulemaking stakeholder session during which it heard public comments on automated decision-making, with most comments focusing on: (1) the type of automated decision-making activities that should be regulated; (2) consumer rights relating to the use of automated decision-making technology; (3) consumer opt-out rights relating to automated decision-making; and (4) alignment with the General Data Protection Regulation and other regulatory schemes.

Although final Regulations are not anticipated until sometime in early 2023, the California Privacy Rights Act amendments to the California Consumer Privacy Act (“CCPA”) will go into effect in January 2023. Businesses should therefore monitor CPPA rulemaking activities to ensure they are aware of how the lead CCPA enforcement agency interprets the CCPA’s requirements, and to glean insight into the agency’s potential enforcement priorities.

On Friday, Feb. 18, California Assemblymember Evan Low (D) introduced two bills (AB 2871 and AB 2891) that propose to extend the CCPA’s HR and B2B data exemptions, one through Dec. 31, 2026 and the other indefinitely. These proposed amendments were introduced just 10 months prior to the main provisions of the California Privacy Rights Act (“CPRA”) coming into effect, particularly the CPRA’s consequential provisions which cause HR and B2B data – specifically, personal information of HR data subjects (e.g., employees, applicants and independent contractors) and personal information collected in certain B2B transactions and communications – to become subject to the full scope of California’s omnibus privacy law. It’s not yet clear whether either of these bills has widespread support. However, if either does pass, it is almost certain that the legislature’s authority to do so will be challenged by privacy advocates on a constitutional basis, as we analyze below. Organizations for now should therefore proceed as if HR and B2B data will be in full scope of the CPRA starting Jan. 1, 2023.

The California Constitution prescribes when the legislature can amend a statute that was passed through a ballot referendum (the CPRA was approved as a referendum by California voters on Election Day 2020). In particular, Article II, Section 10(c) of the California Constitution states that “The Legislature may amend or repeal an initiative statute by another statute that becomes effective only when approved by the electors unless the initiative statute permits amendment or repeal without the electors’ approval.” The initiative statute – here the CPRA – does permit amendment or repeal without elector approval,

provided that such amendments are consistent with and further the purpose and intent of this Act as set forth in Section 3, including amendments to the exemptions in Section 1798.145 if the laws upon which the exemptions are based are amended to enhance privacy and are consistent with and further the purposes and intent of this Act. CPRA, Section 25(a).

The purpose and intent of the CPRA as to the extension of the HR and B2B exemption is stated directly: “It is the purpose and intent of the Act to extend the exemptions in this title for employee and business to business communications until January 1, 2023.” It’s not clear whether further extending the exemption, as these proposed bills would, is consistent with this purpose and intent, or if doing so could arguably serve to enhance privacy, especially in the absence of corresponding efforts to establish statutory privacy protections for these types of data subjects. Notably, the preamble of the CPRA additionally states, “The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses.” This additional proviso leaves open the door for legislation that treats at least HR data subjects somewhat differently than traditional consumers.

These amendments will almost certainly tee up a challenge. Even if one or both of the amendments gain steam, organizations should be reluctant to forgo preparation for compliance with the CPRA as it relates to HR and B2B data because of the potential challenges these bills could face even if passed into law.

Updates: California Privacy Rights Act (“CPRA”)

Last month, we reported on the California Privacy Protection Agency’s (“CPPA”) engagement of an Executive Director and its proposal for a rulemaking framework. The CPPA’s efforts are assisted by provisions of Assembly Bill 694 (“AB 694”), which California Governor Gavin Newsom signed last month. AB 694 includes changes to California’s consumer privacy law and clarifies the CPPA’s rulemaking process. You can find the changes here.

Registration is open for a series of upcoming not-to-be-missed webinars covering key areas for companies seeking to regulate the global compliance landscape.  Register below for insights from CPW’s Alan Friel, Marisol Mork, and others.

Webinar Series: Advertising, Media and Brands – Global Compliance Challenges

2021 has provided unique challenges for businesses operating across the advertising, media and brands industry. Aside from the impact of the pandemic, we are seeing a changing and challenging landscape due to increasing economic, consumer, regulatory and compliance pressures.

With increased exposure as a result of these pressures, Squire Patton Boggs and BDO will be hosting four webinars to support the advertising, media and brands industry in navigating these challenges:

  • November 11, 2021 – Global Data, Technology and Tax
  • November 30, 2021 – M&A Landscape, Post-COVID-19 Transaction Trends and Tips, and Top Five Due Diligence Risks
  • January 12, 2022 – Global Anti-counterfeiting and Brand Protection Trends, and Top Five AMB Hot Topics
  • February 2, 2022 – The Rise of ESG and Global Workplace Challenges

Hosted by Squire Patton Boggs and BDO


Conference: ANA/BAA Marketing Law Conference (In-Person and Virtual)

Nov. 15-17, 2021: San Diego

Session: California Privacy: What Direction Next From CCPA and CPRA?

Alan Friel (Squire Patton Boggs) will review California’s privacy laws with representatives from the California Privacy Protection Agency and the OAG.

Session: State and Local Attorney General Enforcement updates by Marisol Mork (Squire Patton Boggs)

Hosted by ANA.


As Ann LaFrance, Alan Friel, Elliot Golding, Kyle Fath, Glenn Brown, Kyle Dull, Niloufar Massachi, and Gicel Tomimbang explain in a comprehensive expert analysis, recent changes in US consumer privacy laws will require most US businesses to make material changes to their privacy compliance and information governance programs by January 1, 2023 (July 1, 2023, in the case of Colorado). The analysis includes infographics that compare and contrast the applicable laws. Besides discussing these changes, the authors make recommendations on what to do during the remainder of 2021 and throughout 2022 to ensure business readiness by 2023.

You can read their breakdown here or below.

CPRA/CDPA/CPA Unpacked: Develop a Preparedness Plan Now

Just this week Virginia joined California as being one of the few states where consumers have a “right to delete” under applicable state privacy laws.  This loosely follows the approach in the EU General Data Protection Regulation (“GDPR”) that also contains a right to delete which is quite broad (“right to obtain . . . erasure of personal data concerning him or her”), though subject to a number of exceptions.  State approaches to consumers’ “right to delete” are not uniform, however, which makes understanding the nuance in the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act, which amends and will essentially replace the CCPA on January 1, 2023 (the “CPRA”), and the Virginia Consumer Data Protection Act (the “VCDPA”) all the more important.

CPW’s Glenn Brown has prepared a detailed analysis that is a must-read in light of the VCDPA’s passage that compares the “right to delete” under the CCPA, CPRA and VCDPA.  As he explains, the CCPA, CPRA and VCDPA each provide that a consumer has the right to request that a business delete their personal information, but they differ in certain respects, including their scope. The CCPA provides that consumers “… have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”  (emphasis added).  Notably, the CPRA does not amend the wording of this right.  By comparison, the VCDPA provides that consumers “… have the right to delete personal data provided by or obtained about the consumer.”  (emphasis added).  The VCDPA’s deletion right is therefore broader than that provided by the CCPA and CPRA, in that it applies to personal information that a business has collected from a consumer or that the business has collected about a consumer from another source.

Glenn provides a fantastic breakdown discussing the relevant exceptions to the “right to delete” under each of these laws, including a chart describing the various uses of personal information that will allow a business to retain the relevant personal information subject to these laws, even when a consumer has requested the business to delete it.

*The CCPA and CPRA provide that the exception is available only if: (a) deletion of the information is likely to render impossible or seriously impair the ability to complete such research; and (b) the consumer has provided informed consent.

**The VCDPA requires that the research be approved, monitored, and governed by an institutional review board, or similar independent oversight entities, that determine whether: (i) the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller; (ii) the expected benefits of the research outweigh the privacy risks; and (iii) the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

The CPRA also requires that such uses be compatible with the context in which the consumer provided the information in order to qualify for the exception.

Be sure to check out Glenn’s complete analysis here.

In a recent blog post we reported that the advocacy group behind CPRA, Californians for Consumer Privacy, was going to court in an effort to prevent their plans to put the California Privacy Rights Act (“CPRA”) to a referendum vote in November from being derailed by a delay in the reporting of signature counts. A Writ of Mandate that was filed by the advocacy group led to a hearing before the Sacramento Superior Court, which took place on Friday, June 19, 2020.