California Privacy Agency Issues Notice of Proposed CPRA Rule Changes | Alston and bird


On November 3, 2022, the California Privacy Protection Agency (“CPPA”) issued a to remark Amendments to the Proposed Rule Implementing the California Privacy Rights Act (“CPRA”). These proposed changes are in response to public comments and are intended to clarify previously published changes.

The amendments, which are largely based on the Amended Proposed Settlement published on October 17, but include changes made under the October 28-29 CAPP Board of Directors, affect thirty-three (33) sections of the proposed CPRA Bylaws. Here we highlight the notable proposed changes from October 17 and November 3 to Sections 7002 and 7050:

  1. CAPP amended Section 7002, which covers “Restrictions on Collection and Use of Personal Information,” changing its wording regarding the purposes for which consumers’ personal information may be collected, used or shared. The revised regulations specify that a company‘s collection and use of personal information “must be reasonably necessary and proportionate” to achieve either “the purpose for which the personal information was collected or otherwise processed” or another “compatible disclosed purpose.” with the context”. The proposed amendments also include two lists of considerations, no longer referred to as “factors”, in determining whether a business’s collection or use of personal information meets these requirements. Among other things, these lists ask whether the company’s actions are consistent with “reasonable expectations of the consumer(s).” Finally, CAPP has added to Section 7002 a list of considerations to help businesses determine when their use of consumers’ personal information is “reasonably necessary and proportionate” to achieve a purpose for which the business has obtained consent. consumers.
  2. Changes to Section 7050, which governs the relationship between businesses and service providers and contractors, include clarification of when a person becomes a “service provider” or a “contractor.” Part of the proposed new wording clarifies that a person “who does not have a contract that complies with the [the service provider/contractor requirements set out in] section 7051 … is not a service provider or contractor under the CCPA. The proposed updates also note that “whether an entity providing services to a non-business must comply with a consumer’s CCPA request depends on whether that entity is a ‘business,’ such as defined by article 1798.140, subdivision (d) of the Civil Code”. In other words, a business subject to the CCPA must comply with a consumer’s claim of rights even if the business provides services to an entity that is not subject to the CCPA.

Other notable proposed changes to the proposed CPRA Rules include the addition of new defined terms, such as “non-commercial” and “information practices”, updates to the rules regarding opt-out preference signals to Section 7025 and amendments to CAPP’s investigative procedures in Section 7301. The addition of Section 7301(b) is potentially significant because it allows CAPP to consider several factors, including efforts good faith compliance and the time between the issuance of the requirements and the alleged violation, when deciding whether or not to pursue an investigation. of alleged misconduct.

CAPP accepts written comments regarding the proposed changes until 8:00 a.m. PT on November 21, 2022. Any information provided is subject to public disclosure.

[View source.]


Comments are closed.