On March 29, 2023, California’s Office of Administrative Law (“OAL”) approved the final text of the first part of the regulations issued by the California Privacy Protection Agency (“CPPA”) , which will take effect immediately (“Regulations”). These final Regulations provide long awaited guidance on some new concepts contained in the California Privacy Rights Act (“CPRA”) which was approved by voters as Proposition 24 in the 2020 election. The CPRA included general requirements to data use policies, including the data minimization principles. The Regulations also provide wording to be included in consumer communications (e.g., privacy policy and notice at collection) and specify requirements for the opt-out and other consumer rights. We list some of the key consideration to take into account for privacy compliance this year.
New restriction on the Collection and Use of Personal Information. Drawing inspiration from the European GDPR, CPRA implemented the principle of data minimization, which translates into the obligation to collect and process personal information in a way reasonably necessary and proportionate to achieve: (i) the purposes for which the personal information was collected or processed (consistent with the reasonable expectations of the consumers), or (ii) another disclosed purpose that is compatible with the context in which the personal information was collected. If a business cannot meet both tests it must obtain the consumer’s consent before collecting or processing personal information for any additional purpose not originally disclosed in the notice of collection.
