California Consumer Privacy Act (CCPA)

Ahead of its September 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft regulations on cybersecurity audits and risk assessments.  Public comments will be requested once the formal rulemaking process is kicked off.  Accordingly, the draft regulations are subject to change.  Below are the key takeaways:

Cybersecurity Audits

  • New cybersecurity audit

On June 30, 2023, a Superior Court of California (County of Sacramento, case number 34-2023-80004106-CU-WM-GDS) held that enforcement of the California Privacy Protection Agency’s (“CPPA”) regulations cannot commence until one year after the finalized date of the regulations.  However, the court declined to delay the CPPA’s ability to enforce violations of the underlying ballot initiative.

Last night, the California Privacy Protection Agency (CPPA) published agenda materials for its upcoming meeting on February 3, 2023.  The materials include:

  • Proposed final draft regulations implementing the California Privacy Rights Act (CPRA).  These do not reflect further changes since the draft regulations that the CPPA put out for a 15-day comment period on November

On August 24, 2022, the California Office of Attorney General (OAG) published a summary of 13 CCPA investigations, “illustrative” of situations in which notices of alleged noncompliance were sent and remedial measures were implemented.  Note that the CCPA’s mandatory notice-and-cure period will expire on January 1, 2023.  Following that, the California Privacy Protection Agency will have the discretion to grant cure periods.

Continue Reading California’s Office of the Attorney General Posts 13 New CCPA Investigations

Today, the California Attorney General announced the first settlement agreement under the California Consumer Privacy Act (“CCPA”).  The Attorney General alleged that online retailer Sephora, Inc. failed to disclose to consumers that it was selling their information and failed to process user requests to opt out of sale via user-enabled global privacy controls.  The Attorney General also alleged that Sephora did not cure these violations within the cure period. 

Continue Reading California Attorney General Announces First CCPA Settlement

During its June 8, 2022 board meeting, the California Privacy Protection Agency (CPPA) voted to initiate the formal California Privacy Rights Act (CPRA) rulemaking process.  The draft rules are expected to be very similar to those previously published in advance of the Board meeting, although Deputy Attorney General Lisa Kim noted during the meeting that minor errors may be updated prior to the formal submission of the draft rules.  The current draft rules and Initial Statement of Reasons (ISOR) continue to be accessible on the CPPA website.

Continue Reading California Privacy Protection Agency Votes To Initiate Formal Rulemaking Process

The California Privacy Protection Agency (“CPPA”) held two informational hearings on March 29, 2022 and March 30, 2022, in anticipation of its upcoming rulemaking later this year.  While the CPPA Board was present throughout the hearings, its members did not present any views as part of the program.  The speakers covered the following topics of note:
Continue Reading California Privacy Protection Agency Holds Informational Hearings

Earlier this month the California Privacy Protection Agency (CPPA) held its inaugural public meeting.  The CPPA was created under Proposition 24, the California Privacy Rights Act (CPRA), which was approved by California voters on November 3, 2020.
Continue Reading California Privacy Protection Agency Holds First Meeting, Preparing for Upcoming Rulemaking