California Consumer Privacy Regulations Go Into Force
March 31, 2023
New regulations implementing the California Consumer Privacy Act have officially gone into effect following approval by the state’s Office of Administrative Law. The rules reinforce a wide range of privacy safeguards for Californians, including data minimization requirements; transparency obligations; access, correction, and deletion rights; and the ability for consumers to opt out globally from the sale or transfer of their personal data.
EPIC provided extensive input on the rules in November 2021, May 2022, August 2022, and November 2022, arguing for the strongest possible construction of the CCPA to protect consumers from exploitative data practices. EPIC also published a detailed analysis of the California Privacy Rights Act—a ballot measure that made substantial improvements to the CCPA—before voters approved it in 2020.
Meanwhile, the California Privacy Protection Agency is moving forward with an additional round of regulations that will implement the cybersecurity audit, risk assessment, and automated decision-making provisions of the CCPA. EPIC provided detailed feedback to the agency this week, calling on the agency to take account of the full spectrum of data-driven harms; establish strong cybersecurity audit standards; require businesses to conduct and publish robust risk assessments; and ensure that consumers enjoy effective disclosures and opt-out rights with respect to automated decision-making systems.