In Part 1 of this series, we discussed the annual cybersecurity audit requirements in the California Privacy Protection Agency (the “CPPA”)’s proposed rulemaking package (the “Draft Regulations”). In Part 2, we discussed the Draft Regulations’ provisions on automated decision-making technology (“ADMT”).
In this Part 3, we discuss the Draft Regulations’ amendments to existing privacy-related requirements under the California Consumer Privacy Act (“CCPA”) and what these mean for businesses covered by the CCPA. The CPPA published revisions to its Draft Regulations in preparation for the May 1, 2025 CPPA Board meeting, which have been incorporated in this Part 3. Overall, the Draft Regulations add more specificity to what businesses must do to operationalize consumer privacy rights requests and extend transparency obligations to further existing protections against dark patterns. They do not, however, change the underlying rights that consumers are afforded, nor do they materially change businesses’ obligations under the CCPA.
Operationalizing Consumer Rights in Privacy Policies and Beyond
Under the CCPA, businesses must describe in their privacy policies the rights that consumers can exercise. This includes the rights to know, delete, limit, opt-out, access ADMT, not be retaliated against, and correct personal data. The Draft Regulations add additional requirements as to how businesses should effectuate these rights.
Right to Know
Under the CCPA, businesses are generally required to provide a consumer with a copy of the personal information that the business collected about them in the 12 months preceding the consumer’s request. Businesses must also provide information collected before that 12-month period if (a) the consumer explicitly requests it, and (b) providing it is not impossible and does not require a disproportionate effort.
The Draft Regulations would require businesses to present consumers with an easy mechanism to request information collected prior to the 12-month period. For example, the Draft Regulations contemplate that businesses may provide the option for the consumer to select or input a date range for the request or an option to request all personal information collected by the business to meet the requirement. In effect, this shifts the burden from the consumer to the business to make the option readily available.
Right to Correct
The Draft Regulations propose three clarifications under the right to correct. First, when a consumer exercises their right to correct, businesses would be obliged to ensure that information corrected remains corrected and must require downstream vendors to do the same.
Second, when the business is not the source of the information that the consumer contends is incorrect, the Draft Regulations would provide the business with the option to inform the source of the information that it is incorrect, rather than provide consumers with the name of the source.
Third, the Draft Regulations would require businesses to provide a way for a consumer to confirm that the personal information maintained by the business is the same as what the consumer provided. This can be done through a toll-free number that consumers can call.
Right to Opt Out of Sales or Sharing
The Draft Regulations propose a new obligation and would provide new illustrative examples of the right to opt out.
Consumers currently have a right to opt out of the selling or sharing of their personal information. The CCPA previously stated that businesses may provide confirmation that an opt-out request was processed by the business. The Draft Regulations would make the confirmation of completion of the opt-out request mandatory.
The Draft Regulations also provide new illustrative examples of how to operationalize the obligation to notify third parties to whom the business has sold or shared the consumer’s personal information when a consumer exercises their opt-out right. For example, a business that uses programmatic advertising technology on its website that instantaneously sells and shares personal information through real-time bidding must instantaneously restrict the transfer of personal information when a consumer opts out of the sale or sharing of their personal information.
Right to Limit Use or Disclosure of Sensitive Personal Information
The CCPA distinguishes between personal information and “sensitive personal information,” which includes social security numbers, genetic data, financial account information, and other information of a sensitive nature. Sensitive personal information is subject to heightened protection when used to infer characteristics about a consumer. Specifically, consumers have a right to limit the use or disclosure of sensitive personal information (“right to limit” or “request to limit”), subject to certain limited exceptions.
The Draft Regulations contain three clarifications under the right to limit. First, they provide additional examples to demonstrate how the exemptions apply in practice. For instance, a business is permitted to scan employee emails, which may contain sensitive personal information, in order to prevent a security incident, without offering a right to limit. It may also use biometric information for authentication purposes without offering a right to limit. This aligns with the CPPA’s focus on cybersecurity safeguards, as discussed in Part 1.
Second, the Draft Regulations would add a requirement that businesses provide consumers with notice of the right to limit in the same manner in which they collect the sensitive personal information, and would provide illustrative examples (e.g., a business that uses sensitive personal information that it collects over the phone must provide notice of the right to limit orally during the call in which the information is collected).
Third, the Draft Regulations specify that if a consumer submits a request to limit but then initiates a transaction that requires the use or disclosure of sensitive personal information covered by that request, the business may inform the consumer that disclosure of sensitive personal information is required for the transaction. It may then provide clear instructions on how to consent.
Additional Examples of Dark Patterns
The Draft Regulations add further clarification as to what the CPPA may consider to be dark patterns, consistent with the agency’s enforcement advisory on the same topic from September 2024, and its March 2025 enforcement action relating to a business’s failure to employ symmetry of choice to consumers in the use of its cookies banners. We discuss this further in a recent blog post on this topic here.
The Draft Regulations focus on symmetry of choice, clarity of language, and ease of execution. These aspects apply when businesses design and implement methods for consumers submitting CCPA rights requests and for seeking consent from consumers.
Symmetry of Choice
Symmetry of choice is an important factor in assessing whether a choice to opt in or opt out of the sale, sharing, or use of personal information constitutes a dark pattern. The Draft Regulations provide a few additional illustrative examples of what would and would not be considered symmetrical choice:
- an opt out of sale/sharing that requires more steps than the process for opting in;
- a choice between “yes” and “ask me later” if there is no option to decline;
- a choice between “accept all” and “more information” or “accept all” and “preferences”;
- a “yes” button that is more prominent than the “no” button; and
- an option to participate in a financial incentive program that is selected by default or is more prominent than the choice not to participate.
Clarity of Language
Under the CCPA, businesses must not use language or interactive elements that a consumer will find confusing. The Draft Regulations provide additional examples of elements that may be confusing to consumers, including that it is not consent if a consumer closes or navigates away from a pop-up window that requests consent without affirmatively selecting the equivalent of “I accept.” Another example is that it is misleading to provide a choice with a false sense of urgency such as a countdown clock displayed next to a consent choice.
Additional Proposed Requirements for Privacy Policies
The Draft Regulations further promote transparency and the provision of meaningful disclosure in privacy policies by requiring businesses to describe categories of sources from which personal information is collected “in a manner that provides consumers a meaningful understanding of where the information is collected.” Additionally, the categories of third parties to whom the information is sold or shared must be “described in a manner that provides consumers a meaningful understanding of the parties to whom the information is sold or shared.”
The Draft Regulations would require that businesses with mobile applications must include a conspicuous link to their privacy policies within the application itself. This is a change from the prior guidance that a business with a mobile application may include a conspicuous link to their privacy policies within the application. This is one of several examples of how the Draft Regulations would change a “may” to a “must”.
Practical Takeaways
In anticipation of the Draft Regulations taking effect, businesses should consider assessing their privacy practices by:
- Checking privacy policies. Businesses should take this opportunity to review their privacy policies to see if they meet the requirements of the CCPA.
- Reviewing internal processes for rights requests. Businesses should review their current protocols for rights requests to see if they meet the requirements outlined in the Draft Regulations.
- Checking technical response capabilities. Businesses should check if they have transparent cookie banners and technical infrastructure capable of processing opt-out requests and requests to limit.
- Service provider and contractor oversight. Businesses should determine if they have technical and organizational measures in place for overseeing service provider and contractor cooperation with businesses’ obligations under the CCPA and compliance with downstream consumer rights requests.
What’s Next?
The formal public comment period concluded on February 19, 2025, but at the April 4, 2025 and May 1, 2025 Board meetings, the CPPA Board appeared to be re-examining the long-term survivability of the regulations while considering the possibility of future litigation. In response, the CPPA staff have again proposed revised Draft Regulations, and the Board resolved to open a public comment period which will conclude on June 2, 2025. The Board will meet again on July 24, 2025 to review additional changes arising from new comments about the Draft Regulations. The CPPA will need to decide on whether to adopt the Draft Regulations and when the Regulations will take effect.
*****
The Debevoise Data Portal is an online suite of tools that help our clients quickly assess their federal, state, and international breach notification and substantive cybersecurity obligations. Please contact us at dataportal@debevoise.com for more information.
The cover art used in this blog post was generated by DALL-E.