March 19, 2021
With the California Privacy Rights and Enforcement Act (“CPRA”) almost two years out from its effective date of January 1, 2023, the California Consumer Privacy Act (“CCPA”) remains in effect—but remains a moving target for businesses seeking to comply. On March 15, 2021, the California Office of Administrative Law (“OAL”) approved additional regulations relating to the right to opt out of sale of personal information; these changes are effective immediately. Even as these changes to the CCPA took effect, California has begun preparing for enforcement of the CPRA: on March 17, 2021, California announced the appointment of the inaugural five-member board for the California Privacy Protection Agency (“CPPA”), which is empowered to draft regulations supporting to CPRA, and to enforce the CPRA after it becomes effective.
Highlights of the New CCPA Regulations
Among the notable provisions in the new CCPA regulations are the following:
Mechanisms to Submit Opt-Out Requests Clarified (§ 999.306(h)). This new regulation provides that methods to submit opt-out requests should be “easy to execute and shall require minimal steps.”[7] Businesses are explicitly prohibited from using a method “that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.” The regulations include the following examples:
California Privacy Protection Agency Members Announced
The CPRA established the CPPA, which is “vested with full administrative power, authority, and jurisdiction to implement and enforce [along with the Attorney General]” the CPRA (Section 1798.199.10(a)).[10] The Agency will consist of five members, appointed by the Governor (who appoints the Chair and one other member), the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly (each of whom appoints one member).
This week, Governor Gavin Newsom, Attorney General Xavier Becerra, Senate President pro Tempore Toni Atkins, and Assembly Speaker Anthony Rendon announced their choices for the members of the California Privacy Protection Agency. Their choices span across academia, private practice, and nonprofits. Newsom appointed Jennifer M. Urban, Clinical Professor of Law and Director of Policy Initiatives for the Samuelson Law, Technology, and Public Policy Clinic at the University of California, Berkeley School of Law, as Chair of the state agency. Newsom designated John Christopher Thompson, Senior Vice President of Government Relations at LA 2028. Becerra appointed Angela Sierra, who recently served as Chief Assistant Attorney General of the Public Rights Division. Atkins appointed Lydia de la Torre, professor at Santa Clara University Law School, where she has taught privacy law and co-directed the Santa Clara Law Privacy Certificate Program. Rendon appointed Vinhcent Le, Technology Equity attorney at the Greenlining Institute, focusing on consumer privacy, closing the digital divide, and preventing algorithmic bias.
These members are tasked with—among other things—drafting CPRA regulations by July 2022, and enforcing the CPRA when it takes effect in January 2023.
We will continue to monitor the development of the CCPA, the CPRA, and other notable state privacy laws and regulations.
_______________________
[1] Cal Civ. Code § 1798.140(t)(1).
[3] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 § 999.306(b)(3).
[4] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 § 999.306(b)(3)(a).
[6] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 § 999.306(b)(3)(b).
[7] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 § 999.306(h).
[8] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 § 999.306(h)(a).
[9] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 § 999.326(a)(1)-(2).
[10] For more information on the CPPA, please refer to our previous alert: https://www.gibsondunn.com/potential-impact-of-the-upcoming-voter-initiative-the-california-privacy-rights-act/.
This alert was prepared by Alexander Southwell, Ashlie Beringer, Ryan Bergsieker, Cassandra Gaedt-Sheckter, Jeremy Smith, and Lisa Zivkovic
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following members of the firm’s Privacy, Cybersecurity and Data Innovation practice group:
United States
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, aberinger@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com)
Matthew Benjamin – New York (+1 212-351-4079, mbenjamin@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com)
Ashley Rogers – Dallas (+1 214-698-3316, arogers@gibsondunn.com)
Deborah L. Stein – Los Angeles (+1 213-229-7164, dstein@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, cgaedt-sheckter@gibsondunn.com)
Europe
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com)
James A. Cox – London (+44 (0) 20 7071 4250, jacox@gibsondunn.com)
Patrick Doris – London (+44 (0) 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com)
Penny Madden – London (+44 (0) 20 7071 4226, pmadden@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Alejandro Guerrero – Brussels (+32 2 554 7218, aguerrero@gibsondunn.com)
Vera Lukic – Paris (+33 (0)1 56 43 13 00, vlukic@gibsondunn.com)
Sarah Wazen – London (+44 (0) 20 7071 4203, swazen@gibsondunn.com)
Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.