California customer privacy rules labeled a ‘historic milestone’

Rules give customers right to negotiate with businesses over use of personal information.

The first substantive rulemaking package to protect customer privacy in California has been approved in what the regulator says is a historic milestone.

The California Privacy Protection Agency (CPPA) has finalized the rules in order to further implement the California Consumer Privacy Act (CCPA), which protects customers and their rights. The rules, which have been approved by the California Office of Administrative Law (OAL), are effective immediately.

“Once again California is leading the way in protecting consumer’s privacy rights,” said Lisa Kim, the Agency’s Senior Privacy Counsel and Advisor. “We are excited to be the first in the nation to implement comprehensive regulations on data minimization and dark patterns. With these protections, consumers can interact with businesses with more confidence and security.”

Harmonizing

The approved regulations update the existing CCPA regulations to harmonize with amendments adopted pursuant to Proposition 24, the California Privacy Rights Act (CPRA) by:

  • Operationalizing new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and
  • Reorganizing and consolidating requirements set forth in the law to make the regulations easier to follow and understand.
    That includes not using double negatives, and toggles and buttons must clearly indicate a clear choice.

Customer data

The rulemaker package will place the consumer in a position where they can “knowingly and freely negotiate with a business over the business’s use of the consumer’s personal information”. With these rules, customers will have full rights to know what personal information the business has collected about the them, such as:

  • the categories of personal information;
  • the categories of sources from which the personal information is collected;
  • the business or commercial purpose for collecting, selling, or sharing personal information;
  • the categories of third parties to whom the business discloses personal information; and
  • the specific pieces of personal information the business has collected about the consumer.

“With the regulations in place, we can now redouble our efforts to promote public awareness of consumers’ rights and businesses’ responsibilities under the law to better ensure that these privacy rights are secured.”

Ashkan Soltani, Executive Director, CPPA

Jennifer Urban, Chairperson of the California Privacy Protection Agency Board, called it a major accomplishment, adding that it was a significant step forward for Californians’ consumer privacy.

“With the regulations in place, we can now redouble our efforts to promote public awareness of consumers’ rights and businesses’ responsibilities under the law to better ensure that these privacy rights are secured,” said Ashkan Soltani, the Agency’s Executive Director.“

The formal rulemaking process began on July 8, 2022, followed by extensive pre-rulemaking activities and sessions. The Agency Board voted on modifications for the rules on October 29, 2022, and the CPPA Board voted to adopt and approve the package on February 3, 2023, followed by the Agency filing the final rulemaking package with OAL on February 14.