California Proposes New Regulations To Implement CCPA Rewrite (Free Version)

California Proposes New Regulations To Implement CCPA Rewrite (Free Version)
Photo by Addy Ire on Unsplash


California Privacy Protection Agency moves ahead with CPRA rulemaking that might be mooted by bipartisan agreement on U.S. data privacy legislation.


The California Privacy Protection Agency (Agency) keeps working on implementing the California Privacy Rights Act (Proposition 24) (see here for more detail and analysis) that voters elected to amend the California Consumer Privacy Act (CCPA) (AB 375). The Agency has proposed regulations the CPRA mandates that will amend the operative CCPA regulations through a significant tightening of requirements on businesses. As you might recall, this is but the latest rulemaking California has undertaken (see here and here.) Of course, there is always the risk that Congress passes the “American Data Privacy and Protection Act” (ADPPA) (see here for more detail and analysis) or something like it to preempt all state privacy laws and all this work is for naught.


In late May, rulemaking authority was transferred from the California Attorney General to the Agency per the CPRA. This followed the California Office of Administrative Law (OAL) “approving the transfer of the existing CCPA regulations to Title 11, Division 6, a new division of the California Code of Regulations that is under the jurisdiction of the Agency.” The Agency explained that it “began preliminary rulemaking last year, when it collected hundreds of pages of written pre-rulemaking comments from the public…[and] held two days of pre-rulemaking Informational Sessions.” In early May, the Agency “welcomed comments from the public over three days of pre-rulemaking Stakeholder Sessions.”

In the Initial Statement of Reasons, Agency noted the CPRA requires it “to adopt regulations to further the purposes of the Act, including promulgating regulations on 22 specific topics.” The agency asserted “[t]he proposed regulations operationalize the CPRA amendments to the CCPA and provide clarity and specificity to implement the law.” The Agency added that “[b]uilding off of the existing CCPA regulations, the proposed regulations provide comprehensive guidance to consumers, businesses, service providers, and third parties, on how to implement and operationalize new consumer privacy rights and other changes to the law introduced by the CPRA amendments to the CCPA.”

Subscribe to read the rest and all the other paywalled content.

And, here are developments and articles from last month. Being subscribed would mean getting these in a more timely fashion.

Other Developments

The United States (U.S.) Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) “issued a Notice of Probable Violation (NOPV) and Proposed Compliance Order to Colonial Pipeline Company, which includes multiple probable violations of Federal pipeline safety regulations (PSRs)…[with] proposed civil penalties amount to $986,400” per the agency’s press release.

The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport and Department for Business, Energy & Industrial Strategy issued the government’s response to “the consultation: A new pro-competition regime for digital markets…[that] sought views on the proposed design of a new pro-competition regime for digital markets which will actively boost competition and innovation by tackling the harmful effects and sources of substantial and entrenched market power.” The Departments stated “we are establishing a new pro-competition regime for digital markets…[that] will build on the work of the Digital Competition Expert Panel and the Digital Markets Taskforce, which recommended the creation of a Digital Markets Unit with the bespoke regulatory toolkit required to address the unique issues arising from digital markets.”

The United States (U.S.) National Institute of Standards and Technology (NIST) published “a Cybersecurity White Paper (CSWP), Planning for a Zero Trust Architecture: A Guide for Federal Administrators, which describes processes for migrating to a zero trust architecture using the NIST Risk Management Framework (RMF).”

New Zealand’s Office of the Privacy Commissioner published “Privacy Awareness and Engagement in Aotearoa New Zealand,” that “brings together highlights of the biennial survey and our own internal insights reporting to provide a fuller picture of what New Zealanders think about in relation to privacy in New Zealand, and how they utilise their privacy rights.”

The United Kingdom’s Competition and Markets Authority (CMA) published joint advice “with the Office of Communications (Ofcom) following a request from government which sets out how consumers and content providers, including newspapers, could benefit if the power of the biggest tech firms is properly managed…[that] sets out how a code of conduct, if introduced into law, would mean that big tech firms with significant bargaining power would have to agree fair and reasonable terms for the content they use on their platforms.”

Clearview AI settled a suit brought under the “Illinois Biometric Information Privacy Act” and is “permanently banned, nationwide, from making its faceprint database available to most businesses and other private entities.”

Germany’s Bundesamt für Sicherheit in der Informationstechnik (BSI) announced that “manufacturers of smart cameras, smart loudspeakers, smart cleaning and garden robots, smart toys and smart television products can apply to the BSI for the IT security label.”

The United States (U.S.) Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) published a report “Ransomware Trends in Q1 2022.”

The White House announced agreement with “20 leading internet providers—covering more than 80% of the U.S. population across urban, suburban, and rural areas—to either increase speeds or cut prices, making sure they all offer Affordable Connectivity Program (ACP)-eligible households high-speed, high-quality internet plans for no more than $30/month.”

The United States Federal Trade Commission (FTC) and the Los Angeles County and Riverside County District Attorneys’ offices announced a settlement with internet service provider Frontier Communications, which “will be prohibited from tricking consumers about its slow internet service and required to support its speed claims…[and] must also provide current customers with free and easy cancellations when it fails to deliver the promised speeds.”

The United Kingdom’s Department for Digital, Culture, Media & Sport published “Research detailing cyber security issues in internet-connected devices used by businesses and organisations,” Literature review on connected devices within enterprise networks and Enterprise connected devices: procurement, usage and management among UK businesses, because “[t]he government is developing policy to address these issues.”

Tweet of the Day

Further Reading

Federal Agencies Likely to Get New Cybersecurity Guidance ‘In Coming Weeks’” By Aaron Boyd — Nextgov

Illinois college, hit by ransomware attack, to shut down” By Kevin Collier — NBC News

Tribal leaders are building a better internet from the ground up” By Karl Bode — Protocol

Republicans Continue Ripping Homeland Security’s Disinformation Board” By Frank Konkel — Nextgov

Match Group is suing Google over Android’s in-app payment monopoly” By Emma Roth — The Verge

Europe's GDPR coincides with dramatic drop in Android apps” By Thomas Claburn — The Register

The party's ending: Silicon Valley braces for a new era of financial and political upheaval” By Rob Wile and David Ingram  — NBC News

India’s VPN crackdown demonstrates a growing focus on mass surveillance” By Qadri Inzamam — Rest of the World

The Upside of Getting Hacked” By Dorie Chevlen — Slate

'Sextortionists' are increasingly targeting young men for money. The outcome can be deadly.” By Corky Siemaszko — NBC News

Elon Musk may try to reprice $44bn Twitter bid, says US short-seller” By Dan Milmo — The Guardian

Defense Officials Push For Cyber Standards Compliance, Citing Warfighter Needs” By Alexandra Kelley — Nextgov

Ransomware plows through farm machinery giant AGCO” By Dan Robinson — The Register

Facebook is getting rid of some location-tracking features due to ‘low usage’” By Emma Roth — The Verge