On October 17, the California Privacy Protection Agency (“CPPA”) published the first revisions to the CPRA regulations. This draft includes an extensive list of proposed changes in advance of the CPPA Board public hearing, scheduled to begin on October 21st. In addition to the newest draft regulations, the CPPA published a 16 page change log explaining its reasoning. Of note, the CPPA incorporates more of a purpose-driven approach, with restrictions on use based on the purpose of collection—an approach similar to the draft Colorado rules. The CPPA also eased a range of third party restrictions, including disclosure requirements, for the purpose of “simplifying implementation.” However, notably absent from the rules are privacy risk assessments (known as data protection impact assessments under the GDPR and data protection assessments under the Colorado Privacy Act) and profiling. Accordingly, this modified draft may not be the final version of the rules.
We will be following up with in-depth analysis in coming weeks, including on how these rules compare to the draft Colorado rules.