Blog

California CPPA Issues Notice of Proposed Rulemaking

Julie Rubash, General Counsel and Chief Privacy Officer
November 25, 2024

USA

California CPPA Issues Notice of Proposed Rulemaking.

After over a year of informal information gathering and revisions, the California Privacy Protection Agency (CPPA) moved its draft regulations regarding CCPA updates, cybersecurity audits, risk assessments, automated decision-making technology and insurance requirements to a formal rulemaking process, with a written comment period running through January 14, 2025 and a public hearing January 14. 

TAKEAWAY

If adopted, some notable new requirements would include:

(a) mandatory display of whether a business has processed a consumer’s opt-out preference signal (it is currently optional);

(b) mandatory inclusion of a link to a privacy policy within the application’s settings menu (this is currently optional);

(c) for businesses using automated decision-making technology (ADMT), inclusion of a Pre-Use Notice containing a link to opt out of such technology and extension of a right to access certain information about the ADMT;

(d) for businesses that sell or share personal information collected through a connected device or augmented or virtual reality, provision of an opt out notice before the connected device begins collecting information and before the consumer enters the augmented or virtual reality environment;

(e) implementation of measures to ensure that information remains deleted, deidentified or aggregated after a deletion requires (with a note that failing to consider how deleted information may be re-collected by businesses that regularly receive information from data brokers factors into the decision of whether the business has adequately complied);

(f) compliance with a “Do Not Sell or Share” request immediately where feasibly possible, such as in the case of programmatic advertising that instantaneously sells or shares personal information of consumers visiting a website; and

(g) completion of cybersecurity audits and risks assessments by businesses whose processing of consumers’ personal information presents significant risk to consumers’ security or privacy, respectively, each as determined by specific thresholds and criteria set forth in the regulations (including, for a risk assessment, any sale or sharing of personal information). 


California Judge Moves VPPA Case to Arbitration Based on Terms of Use

A class action lawsuit alleging violation of the Video Privacy Protection Act by NFHS Network based on its sharing of consumer video viewing habits with Meta and other third parties has been ordered to arbitration.

The judge found that NFHS met its burden of showing that it provided “reasonably conspicuous notice” of its Terms of Use containing an arbitration clause as well as evidence that the plaintiff, when signing up for a free account, clicked a box stating “I Accept the Terms and Conditions” with a hyperlink to the terms.

TAKEAWAY

As class action privacy lawsuits become increasingly prevalent, this case demonstrates the importance of not only providing clear terms and consent processes (whether for consent to an arbitration clause or to the data processing activity itself) but also maintaining the ability to document and demonstrate historical terms and consent processes over time.     

To learn more about how Sourcepoint helps mitigate litigation risk under VPPA, watch our webinar on-demand.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

California CPPA Issues Notice of Proposed Rulemaking

November 25, 2024

News out of California this week. The CPPA moved...

Mitigating risk under the Video Privacy Protection Act (VPPA)

November 23, 2024

Because VPPA is just one of many tools being...

CPPA Settles With Unregistered Data Brokers

November 18, 2024

Following an investigative sweep of unregistered data brokers, the...

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]