On April 2, the Enforcement Division of the California Privacy Protection Agency issued its first Enforcement Advisory, titled “Applying Data Minimization to Consumer Requests.” The Advisory highlights certain provisions of and regulations promulgated under the California Consumer Privacy Act (“CCPA”) that “reflect the concept of data minimization” and provides two examples that illustrate how businesses may apply data minimization principles in certain scenarios.Continue Reading California Privacy Protection Agency Issues Enforcement Advisory on Data Minimization
California Consumer Privacy Act (CCPA)
CPPA Executive Director Remarks on Policy and Enforcement Priorities
On April 3, at the International Association of Privacy Professionals’ global privacy conference, California Privacy Protection Agency (“CPPA”) Executive Director Ashkan Soltani gave remarks on his agency’s priorities with respect to rulemaking and administrative enforcement of the California Consumer Privacy Act (“CCPA”). Below we provide a few key takeaways:Continue Reading CPPA Executive Director Remarks on Policy and Enforcement Priorities
California Privacy Protection Agency Takes Next Step on New Automated Decision-Making Regulations and Privacy Risk Assessments
At its March 8, 2024 meeting, the Board of the California Privacy Protection Agency (“CPPA”) moved, by a 3-2 vote, to advance proposed regulations addressing automated decision-making technology (“ADMT”) and risk assessments for the processing of personal information. Notably, the Board’s vote only allows staff to begin paperwork preliminary to a rulemaking; it did not actually initiate the formal rulemaking process. At the meeting, the CPPA Staff clarified that the Board will need to re-review the draft rules for ADMT, privacy risk assessments, and cyber audits and vote again to initiate the rulemaking process. The CPPA’s General Counsel Philip Laird said he expects the Board will vote to begin the formal rulemaking process for all three topics in July 2024, at the earliest. Once formal rulemaking begins, the Board has one year to finalize the regulations, per California’s Administrative Procedure Act.Continue Reading California Privacy Protection Agency Takes Next Step on New Automated Decision-Making Regulations and Privacy Risk Assessments
California Attorney General Announces Second CCPA Settlement
The California Attorney General recently announced a settlement with DoorDash to resolve allegations that DoorDash violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). Continue Reading California Attorney General Announces Second CCPA Settlement
California Appeals Court Vacates Enforcement Delay of CPPA Regulations
On February 9, the Third Appellate District of California vacated a trial court’s decision that held that enforcement of the California Privacy Protection Agency’s (“CPPA”) regulations could not commence until one year after the finalized date of the regulations. As we previously explained, the Superior Court’s order prevented the…
Continue Reading California Appeals Court Vacates Enforcement Delay of CPPA RegulationsCalifornia Privacy Protection Agency Votes to Advance Legislation Requiring Certain Browsers to Support Opt-Out Preference Signals
At its December 8 board meeting, the California Privacy Protection Agency (“CPPA”) voted to advance a legislative proposal that would require vendors of web browsers to include a feature that would allow consumers to exercise data subject rights through opt-out preference signals. Regulations promulgated under the California Consumer Privacy Act…
Continue Reading California Privacy Protection Agency Votes to Advance Legislation Requiring Certain Browsers to Support Opt-Out Preference SignalsCPPA Releases Draft Automated Decisionmaking Technology Regulations
Ahead of its December 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft “automated decisionmaking technology” (ADMT) regulations. The CPPA has yet to initiate the formal rulemaking process and has stated that it expects to begin formal rulemaking next year. Accordingly, the draft ADMT regulations are subject to change. Below are the key takeaways:Continue Reading CPPA Releases Draft Automated Decisionmaking Technology Regulations
CPPA Releases Draft Rules on Cybersecurity Audits and Risk Assessments
Ahead of its September 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft regulations on cybersecurity audits and risk assessments. Public comments will be requested once the formal rulemaking process is kicked off. Accordingly, the draft regulations are subject to change. Below are the key takeaways:…
Continue Reading CPPA Releases Draft Rules on Cybersecurity Audits and Risk AssessmentsCalifornia Court Delays Enforcement of CPPA Regulations
On June 30, 2023, a Superior Court of California (County of Sacramento, case number 34-2023-80004106-CU-WM-GDS) held that enforcement of the California Privacy Protection Agency’s (“CPPA”) regulations cannot commence until one year after the finalized date of the regulations. However, the court declined to delay the CPPA’s ability to enforce violations…
Continue Reading California Court Delays Enforcement of CPPA RegulationsCalifornia Privacy Protection Agency Posts Final Draft Regulations
Last night, the California Privacy Protection Agency (CPPA) published agenda materials for its upcoming meeting on February 3, 2023. The materials include:
- Proposed final draft regulations implementing the California Privacy Rights Act (CPRA). These do not reflect further changes since the draft regulations that the CPPA put out for a